Date: Wed, 3 Jun 98 13:39:32 +0200 From: Adrian Steinmann <ast@marabu.ch> To: hackers@FreeBSD.ORG Subject: submission: additional routines in /etc/rc.firewall to make it failsafe Message-ID: <199806031139.NAA01053@marabu.marabu.ch>
next in thread | raw e-mail | index | archive | help
I have been using this additional code in /etc/rc.firewall with good results: if, by chance, you run sh /etc/rc.firewall on a pty via the network, you will albeit lose your session but the script will finish completely and (unless you made changes which are faulty) you will be able to log back in agains (because it ignores the HUP signal). It also takes down and brings up all interfaces, making any ongoing connections cut cleaner (and usually continue) than when the rules are loaded while the interfaces are up. The real paranoid might also argue this way there is no window where the interfaces are up and the FW rules are incomplete... Could we put this into the distributed /etc/rc.firewall? Adrian _________________________________________________________________________ Dr. Adrian Steinmann Steinmann Consulting Apollostrasse 21 8032 Zurich Tel +41 1 380 30 83 Fax +41 1 380 30 85 Mailto:ast@marabu.ch ... PATH=/sbin:/usr/sbin:/bin:/usr/bin export PATH ... # routine to set interfaces down and up interfaces () { case "x$1" in xup|xdown) ifconfig -a | sed -n -e '/BROADCAST,/ s/:.*//p' | \ while read i; do ifconfig $i $1; done ;; *) echo "USAGE: interfaces [up|down]" >&2 ;; esac } ############ # START trap '' 1 interfaces down ... all the ipfw rules ... ############ # DONE interfaces up To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-hackers" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?199806031139.NAA01053>