From owner-freebsd-security Mon Oct 9 19:16: 1 2000
Delivered-To: freebsd-security@freebsd.org
Received: from mail.gmx.net (pop.gmx.net [194.221.183.20]) by hub.freebsd.org (Postfix) with SMTP id 14E8737B503 for ; Mon, 9 Oct 2000 19:15:52 -0700 (PDT)
Received: (qmail 13656 invoked by uid 0); 10 Oct 2000 02:15:50 -0000
Received: from p3ee21607.dip.t-dialin.net (HELO speedy.gsinet) (62.226.22.7) by mail.gmx.net with SMTP; 10 Oct 2000 02:15:50 -0000
Received: (from sittig@localhost) by speedy.gsinet (8.8.8/8.8.8) id VAA18292 for freebsd-security@FreeBSD.ORG; Mon, 9 Oct 2000 21:42:25 +0200
Date: Mon, 9 Oct 2000 21:42:25 +0200
From: Gerhard Sittig
To: "freebsd-security@FreeBSD.ORG"
Subject: Re: Default Deny
Message-ID: <20001009214225.W31338@speedy.gsinet>
Mail-Followup-To: "freebsd-security@FreeBSD.ORG"
References: <200010060056.LAA11152@cairo.anu.edu.au> <39DCC1CB.5FDD7F90@allmaui.com> <20001006204807.M31338@speedy.gsinet> <39DE8D1B.923D86DF@allmaui.com> <20001007171153.P31338@speedy.gsinet> <200010091718.e99HI2f07206@ogyo.pointer-software.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
X-Mailer: Mutt 1.0i
In-Reply-To: <200010091718.e99HI2f07206@ogyo.pointer-software.com>; from horio@acm.org on Tue, Oct 10, 2000 at 02:17:08AM +0900
Organization: System Defenestrators Inc.
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Tue, Oct 10, 2000 at 02:17 +0900, horio shoichi wrote:
> Gerhard Sittig wrote:
> >
> > > I use this to reload my settings after changes
> > >
> > > #!/bin/sh
> > > ipf -D
> > > ipf -Fa -f /etc/ipf.conf -E
> > > ipnat -CF -f /etc/ipnat.conf
> >
> > I would prefer something like
> >
> > ipf -I -Fa -f /etc/ipf.conf -v
> > ( ipf -s; sleep 60; ipf -s; ) &
> > # heavy testing until the prompt returns
> > ipf -s # only when you're happy with what the test showed
> >
>
> Here is my preference.
>
> ipf -IFa -If ./ipf.rules >errors 2>&1
> cat errors
> test ! -s errors && { rm errors ; ipf -s ; }

This will only catch syntax errors and doesn't save you from wrongly
implemented rules or faults in your mind due to lack of coffee or sleep.
That's why I implement a testing window with the above sequence and an
automatic fallback to a known-to-work state, from where you can decide
to activate the previously tested set or to keep on editing it. And it
wasn't my own idea to do it that way but I learned it from some ipf doc.
But once you've created a rule set to lock yourself out, you're very glad
the situation will cure itself within a few seconds! Especially when
you're not sitting in front of the machine.


virtually yours   82D1 9B9C 01DC 4FB4 D7B4 61BE 3F49 4F77 72DE DA76
Gerhard Sittig   true | mail -s "get gpg key" Gerhard.Sittig@gmx.net
-- 
     If you don't understand or are scared by any of the above
             ask your parents or an adult to help you.
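The "testing window with automatic fallback" described in the reply above, written out as a reusable shell wrapper. This is an added example, not code from the mail or from the ipfilter project: the activate and revert commands are parameters, so the script can be exercised offline against a plain file standing in for the active rule set. With ipfilter the real pair would be `ipf -s` (swap to the freshly loaded inactive set) and `ipf -s` again (swap back). One deliberate difference from the mail's sequence: instead of letting the timer swap back and then running `ipf -s` a third time, the operator cancels the pending revert while the new set is still active, which avoids the brief window where the old set is reinstated.

```shell
#!/bin/sh
# Added example: apply a change now and schedule an automatic revert,
# unless the operator confirms (is still connected) before the timer fires.
# Commands are passed as strings so the pattern works for ipf, pf, iptables
# or any other "swap the active rule set" tool.

# apply_with_fallback SECONDS ACTIVATE_CMD REVERT_CMD
#   Runs ACTIVATE_CMD and starts a background timer that runs REVERT_CMD
#   after SECONDS. Prints the timer's PID for confirm_ruleset.
apply_with_fallback() {
    _secs=$1; _activate=$2; _revert=$3
    sh -c "$_activate" || return 1
    # Timer subshell; its output is detached so command substitution
    # around this function returns immediately instead of waiting for it.
    ( sleep "$_secs"; sh -c "$_revert" ) >/dev/null 2>&1 &
    echo $!
}

# confirm_ruleset TIMER_PID
#   Cancels the pending revert. A non-zero status means the timer already
#   fired, i.e. the old rule set is back and the test window was missed.
confirm_ruleset() {
    kill "$1" 2>/dev/null
}

# Real use with ipfilter (commands as in the mail; run as root):
#   ipf -I -Fa -f /etc/ipf.conf -v          # load new rules into the inactive set
#   pid=$(apply_with_fallback 60 'ipf -s' 'ipf -s')
#   ... open a second ssh session, test connectivity ...
#   confirm_ruleset "$pid"                   # keep the new set; otherwise it reverts

# Offline demonstration with a constructed state file ("old"/"new" stand in
# for the active rule set). A 1-second window keeps the demo quick.
demo_unconfirmed() {
    f=$(mktemp)
    echo old > "$f"
    pid=$(apply_with_fallback 1 "echo new > '$f'" "echo old > '$f'")
    sleep 2                       # operator locked out: nobody confirms
    cat "$f"; rm -f "$f"          # -> old
}

demo_confirmed() {
    f=$(mktemp)
    echo old > "$f"
    pid=$(apply_with_fallback 1 "echo new > '$f'" "echo old > '$f'")
    confirm_ruleset "$pid"        # still connected: cancel the revert
    sleep 2
    cat "$f"; rm -f "$f"          # -> new
}
```

Run `demo_unconfirmed` and `demo_confirmed` after sourcing the script to see both outcomes. For a real firewall the timeout should be long enough to log in from a second session and test the paths that matter, but short enough that a lockout on an unattended box clears itself quickly; the mail's 60 seconds is a reasonable default.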