From owner-freebsd-questions@FreeBSD.ORG Wed Jan 24 21:10:40 2007
From: John Nielsen
To: freebsd-questions@freebsd.org
Date: Wed, 24 Jan 2007 16:06:52 -0500
Subject: Re: Problem with "ipfw flush"
In-Reply-To: <45B7C8AE.6060805@qwirky.net>
References: <20070124152310.E82156@prime.gushi.org> <45B7C39E.5080605@qwirky.net> <45B7C8AE.6060805@qwirky.net>
Message-Id: <200701241606.53149.lists@jnielsen.net>

On Wednesday 24 January 2007 15:59, Jeff Royle wrote:
> Jeff Royle wrote:
> > Dan Mahoney, System Admin wrote:
> >> In trying to tweak my firewall setup I'm using a file called
> >> /etc/ipfw.rules
> >>
> >> However, it seems even though I copy my rules perfectly to that file,
> >> the system freezes up and locks me out when I do:
> >>
> >> ipfw -f flush; ipfw /etc/ipfw.rules
> >>
> >> I've also tried doing it as
> >>
> >> ipfw -f flush && ipfw /etc/ipfw.rules
> >>
> >> But to no avail.
> >>
> >> If it matters, ipfw is loaded as a kernel module, not compiled in.
> >
> > I haven't used IPFW in a while but if I recall right IPFW has a default
> > policy of drop. So when you flush the ruleset your pass rules are all
> > gone.
> >
> > You could run the command like: ipfw -f flush && ipfw /etc/ipfw.rules
> >
> > That should allow you to flush and load your ruleset. You may also want
> > to look into changing the default policy to accept. However this may
> > require you to adjust your rules depending on how you wrote them.
>
> Oops, I am sorry, I got pulled away while reading your original email,
> guess I didn't finish reading it. I see you are trying &&.
>
> You still may want to look into a default policy of accept for IPFW,
> this way it's a non-issue.

Three things to remember when modifying ipfw rules remotely:

1) Make sure that you have a way to recover when you lock yourself out. Once you get the hang of it this doesn't happen very often, but it can definitely happen.

2) Put whatever rules you need to access your session at the top of your ruleset (e.g. "allow tcp from any to me 22" and "allow tcp from me 22 to any").

3) Make sure to use "nohup" at the beginning of your reload command(s). It's helpful to make a script that flushes and reloads the firewall so all you have to do is "nohup reload.sh". If you use screen or the like you can get the same result. The point is to keep the system from hanging up on you and interrupting your session while you're momentarily not allowed in.

Changing the default to accept would alleviate the need for some or all of the above, but I've never thought that to be a good approach in situations where I actually want a firewall.

JN
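As an added example that is not part of the thread, here is a reload.sh in the spirit of points 2 and 3 above: it installs the session-preserving rules immediately after the flush and before the ruleset file is read, ignores SIGHUP itself so a dropped session cannot interrupt the reload, and refuses a ruleset that would renumber over those rules. The ipfw path, ruleset path, SSH port and rule numbers 100/110 are assumptions.

```shell
#!/bin/sh
# reload.sh: flush and reload an ipfw ruleset without losing the remote
# session that runs it. Added example; paths, port and rule numbers are
# assumptions, not values from the thread.
IPFW="${IPFW:-/sbin/ipfw}"          # ipfw binary (overridable for testing)
RULES="${RULES:-/etc/ipfw.rules}"   # ruleset file in "ipfw <file>" format
SSH_PORT="${SSH_PORT:-22}"
LOG="${LOG:-/var/log/ipfw-reload.log}"

# Rules that keep the administrative session alive. They get the lowest
# numbers so nothing in the ruleset is matched before them, and they are
# installed right after the flush, before the ruleset file is even read.
session_rules() {
    cat <<EOF
add 100 allow tcp from any to me $SSH_PORT
add 110 allow tcp from me $SSH_PORT to any
EOF
}

# Refuse a ruleset that re-adds or deletes rule numbers 100/110, since
# that would silently undo the session rules on the next reload.
ruleset_keeps_session_rules() {
    ! grep -Eq '^[[:space:]]*(add|delete)[[:space:]]+1[01]0([[:space:]]|$)' "$1"
}

reload_firewall() {
    # Ignore SIGHUP so the reload completes even if the session drops
    # half-way; this is what "nohup reload.sh" buys, applied to this
    # process and everything it starts.
    trap '' HUP
    ruleset_keeps_session_rules "$RULES" ||
        { echo "refusing: $RULES touches rules 100/110" >&2; return 2; }
    "$IPFW" -f flush || return 1
    # Word-splitting of $rule is intended: each line is one ipfw command.
    session_rules | while IFS= read -r rule; do
        "$IPFW" $rule || exit 1
    done || return 1
    "$IPFW" "$RULES"
}

main() {
    # Log to a file: the terminal may be gone before the reload finishes.
    reload_firewall >>"$LOG" 2>&1 && echo "ipfw rules reloaded" >>"$LOG"
}

# Run only when invoked as the script, so the functions can also be sourced.
case "$0" in *reload.sh) main ;; esac
```

Run it as "nohup reload.sh" from the remote session; the session rules are in place before the ruleset file is parsed, so the lockout window is limited to the flush itself.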