Re: IPFW: combining "divert natd" with "keep-state"

From: Andrew McNaughton (andrewscoop.co.nz)
Date: Mon Jun 23 2003 - 20:21:07 CDT

On Mon, 23 Jun 2003, Matthew George wrote:

> On Fri, 20 Jun 2003, Michael Collette wrote:
> > BTW, is there a way to give certain IPs permissions to reloading
> > IPFW's rules? There's some stuff I'd like to be able to admin
> > remotely. Darn box won't let me reload rules, but it will let me
> > reboot. I've done this quite a bit in the past to force new rules to
> > load. I was rather hoping there was a more elegant solution to this.

> if you have 'flush' at the top of your ruleset, you can (sometimes) get
> away with an `ipfw -q`. I find screen windows (ports/misc/screen) to be
> most effective, though ... even if the connection dies, the screen will
> detach and continue processing the rules file.

nohup sh /etc/rc.firewall CONFIG &

It leaves the nohup.out file lying around which can be useful or annoying.
nohup is otherwise a tidy approach to processes you don't want to be
dependent on the terminal.

This one with the firewall script output is a longstanding issue though.
I wonder if the script could detect use of a remote tty and behave better.
Maybe it could direct its output to a temp file while changing rules, then
cat the output file and remove it when done changing rules.

Andrew McNaughton


No added Sugar. Not tested on animals. If irritation occurs,
discontinue use.

Andrew McNaughton In Sydney
                            Working on a Product Recommender System
Mobile: +61 422 753 792 http://staff.scoop.co.nz/andrew/cv.doc
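
One way to implement the buffering Andrew suggests, as an added example that is not part of the thread: the rules script runs with its output captured in a temp file, which is printed and removed only after the whole ruleset has loaded, and when started from a terminal it runs in a HUP-immune background subshell (the in-shell equivalent of the nohup line). It assumes POSIX sh and mktemp; the function names are mine, and a constructed stand-in script replaces /etc/rc.firewall so it runs anywhere.

```shell
#!/bin/sh
# Added example (not code from the thread). Assumes POSIX sh and mktemp.
# The rules script path is a parameter; the thread's values were
# /etc/rc.firewall and CONFIG, here a constructed stand-in script is used.

# run_buffered SCRIPT [ARGS...]: run SCRIPT with stdout and stderr captured in
# a temp file, then print and remove the file, returning SCRIPT's exit code.
# If a 'flush' rule drops the remote session mid-reload, the rules keep
# loading; only the final cat fails.
run_buffered() {
    _log=$(mktemp "${TMPDIR:-/tmp}/fwreload.XXXXXX") || return 1
    sh "$@" >"$_log" 2>&1
    _rc=$?
    cat "$_log"
    rm -f "$_log"
    return $_rc
}

# reload_detached SCRIPT [ARGS...]: if stdin is a terminal (an interactive,
# possibly remote session), run run_buffered in a background subshell that
# ignores SIGHUP so it survives the session dropping; otherwise (cron, rc
# scripts) run it inline. Unlike nohup, no nohup.out file is left behind.
reload_detached() {
    if [ -t 0 ]; then
        ( trap '' HUP; run_buffered "$@" ) </dev/null &
        echo "firewall reload started in background, pid $!"
    else
        run_buffered "$@"
    fi
}

# Constructed stand-in for the rules script so the example runs anywhere;
# the echoed lines mimic what a reload prints.
FAKE_RULES=$(mktemp "${TMPDIR:-/tmp}/fakerules.XXXXXX")
cat >"$FAKE_RULES" <<'EOF'
echo "Flushed all rules."
echo "00100 allow ip from any to any via lo0"
echo "00200 divert 8668 ip from any to any via tun0"
echo "65535 deny ip from any to any"
EOF

reload_detached "$FAKE_RULES"
```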

freebsd-securityfreebsd.org mailing list
To unsubscribe, send any mail to "freebsd-security-unsubscribefreebsd.org"