Re: IPFW: combining "divert natd" with "keep-state"

From: Andrew McNaughton (andrew@scoop.co.nz)
Date: Mon Jun 23 2003 - 20:21:07 CDT


On Mon, 23 Jun 2003, Matthew George wrote:

> On Fri, 20 Jun 2003, Michael Collette wrote:
>
> > BTW, is there a way to give certain IPs permission to reload
> > IPFW's rules? There's some stuff I'd like to be able to admin
> > remotely. Darn box won't let me reload rules, but it will let me
> > reboot. I've done this quite a bit in the past to force new rules to
> > load. I was rather hoping there was a more elegant solution to this.

> if you have 'flush' at the top of your ruleset, you can (sometimes) get
> away with an `ipfw -q`. I find screen windows (ports/misc/screen) to be
> most effective, though ... even if the connection dies, the screen will
> detach and continue processing the rules file.

nohup sh /etc/rc.firewall CONFIG &

It leaves the nohup.out file lying around, which can be useful or annoying.
nohup is otherwise a tidy approach to processes you don't want to be
dependent on the terminal.

This one with the firewall script output is a longstanding issue though.
I wonder if the script could detect use of a remote tty and behave better.
Maybe it could direct its output to a temp file while changing rules, then
cat the output file and remove it when done changing rules.

Andrew McNaughton

--

No added Sugar. Not tested on animals. If irritation occurs,
discontinue use.

-------------------------------------------------------------------
Andrew McNaughton In Sydney
                            Working on a Product Recommender System
andrew@scoop.co.nz
Mobile: +61 422 753 792 http://staff.scoop.co.nz/andrew/cv.doc

_______________________________________________
freebsd-security@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-security
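The approach Andrew sketches (run the reload immune to the terminal going away, send the script's chatter to a temp file while rules are changing, then cat the file and remove it) as an added POSIX sh example. This is not code from the thread or from FreeBSD; the rules script path /etc/rc.firewall and the "sh ... CONFIG" loader command are taken from the message above as assumptions, the remote-tty check keys off the SSH_CONNECTION/SSH_TTY variables sshd sets, and the "demo" loader at the bottom is a constructed stand-in so the capture-and-replay behaviour can be exercised on a box without ipfw.

```shell
#!/bin/sh
# Added example, not code from the thread.  Reload an ipfw ruleset from a
# remote session without the reload depending on the terminal, and replay
# the loader's output afterwards instead of writing it to a tty that may
# vanish mid-change (the problem described in the thread).
# Assumptions: RULES_SCRIPT path and the "sh <script> CONFIG" loader line.

RULES_SCRIPT=${RULES_SCRIPT:-/etc/rc.firewall}   # assumed path

# True when this shell was started by sshd, i.e. we are on a remote tty.
is_remote_tty() {
    [ -n "${SSH_CONNECTION:-}" ] || [ -n "${SSH_TTY:-}" ]
}

# Run a loader command immune to SIGHUP, capture everything it prints in a
# temp file, then print the file and remove it.  Returns the loader's status.
# $1: the loader command line, e.g. "sh /etc/rc.firewall CONFIG".
run_detached() {
    out=$(mktemp /tmp/ipfw-reload.XXXXXX) || return 1
    if command -v nohup >/dev/null 2>&1; then
        # stdin from /dev/null and stdout already redirected, so nohup
        # stays quiet and writes no nohup.out of its own
        nohup sh -c "$1" >"$out" 2>&1 </dev/null &
    else
        # no nohup on this box: ignoring SIGHUP in a subshell has the same effect
        ( trap '' HUP; exec sh -c "$1" ) >"$out" 2>&1 </dev/null &
    fi
    status=0
    wait "$!" || status=$?
    cat "$out"
    rm -f "$out"
    return "$status"
}

# Reload wrapper: use the detached path on a remote tty, run directly otherwise.
reload_firewall() {
    if is_remote_tty; then
        run_detached "sh $RULES_SCRIPT CONFIG"
    else
        sh "$RULES_SCRIPT" CONFIG
    fi
}

# "demo": a constructed loader standing in for rc.firewall, so the
# capture/replay behaviour can be seen without touching a real firewall.
if [ "${1:-}" = demo ]; then
    run_detached 'echo "constructed: flushing rules"; echo "constructed: 00100 allow ip from any to any via lo0"'
fi
```

Because the loader's stdout and stderr both go to the temp file and the wait happens afterwards, a dropped ssh session only loses the replay, not the rule load; the "nohup.out lying around" problem goes away because the file is removed once it has been shown.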