Date: Wed, 24 Jan 2007 16:06:52 -0500
From: John Nielsen <lists@jnielsen.net>
To: freebsd-questions@freebsd.org
Subject: Re: Problem with "ipfw flush"
Message-ID: <200701241606.53149.lists@jnielsen.net>
In-Reply-To: <45B7C8AE.6060805@qwirky.net>
References: <20070124152310.E82156@prime.gushi.org> <45B7C39E.5080605@qwirky.net> <45B7C8AE.6060805@qwirky.net>
On Wednesday 24 January 2007 15:59, Jeff Royle wrote:
> Jeff Royle wrote:
> > Dan Mahoney, System Admin wrote:
> >> In trying to tweak my firewall setup I'm using a file called
> >> /etc/ipfw.rules
> >>
> >> However, it seems even though I copy my rules perfectly to that file,
> >> the system freezes up and locks me out when I do:
> >>
> >> ipfw -f flush; ipfw /etc/ipfw.rules
> >>
> >> I've also tried doing it as
> >>
> >> ipfw -f flush && ipfw /etc/ipfw.rules
> >>
> >> But to no avail.
> >>
> >> If it matters, ipfw is loaded as a kernel module, not compiled in.
> >
> > I haven't used IPFW in a while but if I recall right IPFW has a default
> > policy of drop. So when you flush the ruleset your pass rules are all
> > gone.
> >
> > You could run the command like: ipfw -f flush && ipfw /etc/ipfw.rules
> >
> > That should allow you to flush and load your ruleset. You may also want
> > to look into changing the default policy to accept. However this may
> > require you to adjust your rules depending on how you wrote them.
>
> Oops, I am sorry, I got pulled away while reading your original email,
> guess I didn't finish reading it. I see you are trying &&.
>
> You still may want to look into a default policy of accept for IPFW,
> this way it's a non-issue.

Three things to remember when modifying ipfw rules remotely:

1) Make sure that you have a way to recover when you lock yourself out. Once you get the hang of it this doesn't happen very often, but it can definitely happen.

2) Put whatever rules you need to access your session at the top of your ruleset. (e.g. allow tcp from any to me 22 and allow tcp from me 22 to any)

3) Make sure to use "nohup" at the beginning of your reload command(s). It's helpful to make a script that flushes and reloads the firewall so all you have to do is "nohup reload.sh". If you use screen or the like you can get the same result.
The point is to keep the system from hanging up on you and interrupting your session while you're momentarily not allowed in. Changing the default to accept would alleviate the need for some or all of the above, but I've never thought that to be a good approach in situations where I actually want a firewall. JN
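A reload script along the lines of the three points above, added here as an example and not code from anyone in the thread: it puts the two session-preserving rules from point 2 ahead of the site's rules, refuses to reload if a deny rule would come first, saves the live ruleset for recovery (point 1), and does the flush and load in one command list so it can be run as "nohup sh reload.sh /etc/ipfw.rules" (point 3). It assumes the site rules file is in the syntax read by "ipfw /etc/ipfw.rules" (lines such as "add 100 ...") and that sshd listens on port 22; the rule numbers 10 and 20 and the backup path are this example's choices.

```shell
#!/bin/sh
# reload.sh: flush and reload ipfw in one step, keeping the current ssh session alive.
# Run as:  nohup sh reload.sh /etc/ipfw.rules
# Assumptions (example's own, not from the thread): site rules are in ipfw(8) file
# syntax ("add ..." lines), sshd is on port 22, IPFW and BACKUP paths as below.

IPFW=${IPFW:-/sbin/ipfw}
BACKUP=${BACKUP:-/var/tmp/ipfw.rules.last}

# The two rules from the thread that keep an interactive ssh session reachable.
# They get the lowest numbers so they match before anything in the site file.
session_rules() {
    printf '%s\n' \
        'add 10 allow tcp from any to me 22' \
        'add 20 allow tcp from me 22 to any'
}

# build_ruleset SITE_RULES OUT: session rules first, then the site's own rules.
build_ruleset() {
    { session_rules; cat "$1"; } > "$2"
}

# session_rules_first FILE: succeed only if an allow for port 22 "to me" appears
# before the first deny/drop rule; anything else risks a lockout on reload.
session_rules_first() {
    awk '
        /^[[:space:]]*(#|$)/ { next }
        /allow tcp from any to me 22( |$)/ { found = 1 }
        /deny|drop/ && !found { exit 1 }
        END { exit found ? 0 : 1 }
    ' "$1"
}

# reload_firewall SITE_RULES: save the live ruleset for recovery, then flush
# and load in a single command list so no shell prompt sits between the two.
reload_firewall() {
    tmp=$(mktemp) || return 1
    build_ruleset "$1" "$tmp"
    session_rules_first "$tmp" || { echo "refusing: ssh rules not first" >&2; rm -f "$tmp"; return 1; }
    # "ipfw list" prints "NNNNN action ..."; prefix "add" so the file can be fed back to ipfw.
    "$IPFW" list | sed 's/^/add /' > "$BACKUP"
    "$IPFW" -f flush && "$IPFW" "$tmp"
    status=$?
    rm -f "$tmp"
    return "$status"
}

if [ "$#" -gt 0 ]; then
    reload_firewall "$1"
fi
```

If the reload does lock you out, the previous ruleset is in the backup file and can be put back with "ipfw -f flush && ipfw /var/tmp/ipfw.rules.last" from the console or a recovered session.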