Date:      Wed,  3 Jun 98 13:39:32 +0200
From:      Adrian Steinmann <ast@marabu.ch>
To:        hackers@FreeBSD.ORG
Subject:   submission: additional routines in /etc/rc.firewall to make it failsafe
Message-ID:  <199806031139.NAA01053@marabu.marabu.ch>


I have been using this additional code in /etc/rc.firewall with
good results: if, by chance, you run sh /etc/rc.firewall on a pty
via the network, you will lose your session, but the script
will finish completely and (unless you made changes which are faulty)
you will be able to log back in again (because it ignores the HUP
signal).  It also takes down and brings up all interfaces, making
any ongoing connections cut more cleanly (and usually continue) than
when the rules are loaded while the interfaces are up. The really
paranoid might also argue that this way there is no window where the
interfaces are up and the FW rules are incomplete...

Could we put this into the distributed /etc/rc.firewall?

Adrian
_________________________________________________________________________
Dr. Adrian Steinmann  Steinmann Consulting  Apollostrasse 21  8032 Zurich
   Tel +41 1 380 30 83     Fax +41 1 380 30 85    Mailto:ast@marabu.ch

...
PATH=/sbin:/usr/sbin:/bin:/usr/bin
export PATH
...

# routine to set interfaces down and up
# Picks every interface whose ifconfig flag list contains "BROADCAST,"
# (so lo0 and point-to-point interfaces are left alone) and runs
# "ifconfig <if> up" or "ifconfig <if> down" on each of them.
interfaces ()
{
    case "x$1" in
    xup|xdown)
        ifconfig -a | sed -n -e '/BROADCAST,/ s/:.*//p' | \
            while read i; do ifconfig $i $1; done
        ;;
    *)
        echo "USAGE: interfaces [up|down]" >&2
        ;;
    esac
}

############
# START
# Ignore SIGHUP: if this script is run over a network session, the
# session is lost when the interfaces go down, but the script still
# runs to completion instead of stopping half-way through the rules.
trap '' 1
interfaces down

... all the ipfw rules ...

############
# DONE
interfaces up
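As an added example (not part of the original post, and not FreeBSD's own rc.firewall code), the selection rule used by the posted interfaces() function can be exercised against a constructed snippet of ifconfig -a output, so you can see which interfaces it would cycle before running it on a live machine. The interface names, flags and addresses in SAMPLE_IFCONFIG are made up for the example, and interfaces_dry() is a hypothetical dry-run variant that prints the ifconfig commands instead of executing them:

```shell
#!/bin/sh
# Added example: check the interface-selection rule of the posted
# interfaces() function offline, against constructed ifconfig -a output.

# Constructed FreeBSD-style "ifconfig -a" output (names, flags and
# addresses are invented for this example).
SAMPLE_IFCONFIG='ed0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        inet 192.0.2.10 netmask 0xffffff00 broadcast 192.0.2.255
        ether 00:00:5e:00:53:01
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 16384
        inet 127.0.0.1 netmask 0xff000000
tun0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 1500
        inet 198.51.100.2 --> 198.51.100.1 netmask 0xffffffff
fxp0: flags=8802<BROADCAST,SIMPLEX,MULTICAST> mtu 1500
        ether 00:00:5e:00:53:02'

# Same sed filter as the post: keep lines whose flag list contains
# "BROADCAST," and strip everything from the colon on, leaving the name.
select_broadcast_ifaces () {
    sed -n -e '/BROADCAST,/ s/:.*//p'
}

# Dry-run variant (hypothetical) of the post's interfaces(): reads the
# sample instead of the live "ifconfig -a", and runs "$IFCONFIG_CMD"
# (default: echo ifconfig) instead of the real ifconfig.
interfaces_dry () {
    _ifconfig_cmd="${IFCONFIG_CMD:-echo ifconfig}"
    case "x$1" in
    xup|xdown)
        printf '%s\n' "$SAMPLE_IFCONFIG" | select_broadcast_ifaces | \
            while read i; do $_ifconfig_cmd "$i" "$1"; done
        ;;
    *)
        echo "USAGE: interfaces [up|down]" >&2
        return 1
        ;;
    esac
}

# Usage: list the selected names, then show what "down" would run.
if [ "${1:-}" = "demo" ]; then
    printf '%s\n' "$SAMPLE_IFCONFIG" | select_broadcast_ifaces
    interfaces_dry down
fi
```

Running the dry run shows two things worth knowing before adopting the script: only ed0 and fxp0 are selected, so the loopback and the point-to-point tun0 are never taken down, which means the "no window" argument in the post does not extend to PPP/tunnel interfaces; and fxp0, which is administratively down in the sample (no UP flag), is still selected, so the closing "interfaces up" brings up every broadcast-capable interface, including ones that were deliberately left down.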

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-hackers" in the body of the message



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?199806031139.NAA01053>