From: Oliver Fromme <olli@lurza.secnetix.de>
To: freebsd-ipfw@FreeBSD.ORG
Date: Wed, 28 Sep 2005 14:24:19 +0200 (CEST)
Message-Id: <200509281224.j8SCOJUv047047@lurza.secnetix.de>
In-Reply-To: <8CEFEBE0-CC91-4FA6-8453-DF42AA9445A5@bnc.net>
Subject: Re: Enable ipfw without rebooting

Achim Patzner wrote:
> Oliver Fromme wrote:
> > No. Performing a reboot is a rather bad idea.
>
> Actually _loading kernel modules you haven't been using before_

Lots of people have been using it before. (Personally I prefer to compile it statically in the kernel, though.)

> without scheduling a reboot (which can be cancelled just as easily as
> removing an at job) is (not only in my opinion) a stupid idea.

Apropos ideas: Not having remote console access to a machine which is located at 800 km distance is (not only in my opinion) a stupid idea. ;-)

> > A much better way would be a small "at" job that inserts
> > an appropriate "allow" rule:
>
> Where's the advantage?

A solution that doesn't require a reboot is always better, especially on production machines. This isn't Windows, after all.

For changing (and testing) rules, there's an even more elegant (and non-disruptive) solution, see:

/usr/share/examples/ipfw/change_rules.sh

Best regards
Oliver

--
Oliver Fromme, secnetix GmbH & Co. KG, Marktplatz 29, 85567 Grafing
Services with a focus on FreeBSD: http://www.secnetix.de/bsd
Any opinions expressed in this message may be personal to the author and may not necessarily reflect the opinions of secnetix in any way.

Passwords are like underwear. You don't share them, you don't hang them on your monitor or under your keyboard, you don't email them, or put them on a web site, and you must change them very often.
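The "at job as safety net" approach from the thread, written out as an added example script (not code from the mail, from FreeBSD, or from change_rules.sh). It assumes an admin network ADMIN_NET (a constructed placeholder), a grace period GRACE_MIN, and that kldload(8), ipfw(8) and at(1) exist on the target; DRY_RUN=1 prints the commands instead of executing them.

```shell
#!/bin/sh
# Added example: enable ipfw on a remote FreeBSD host without rebooting,
# with a timed allow rule queued beforehand so a default-deny firewall
# that drops the admin session is undone after a few minutes.
DRY_RUN="${DRY_RUN:-0}"
ADMIN_NET="${ADMIN_NET:-192.0.2.0/24}"   # constructed: the admin's network
GRACE_MIN="${GRACE_MIN:-5}"              # minutes until the safety net fires

# Execute a command, or just print it when DRY_RUN=1.
run() {
    if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# The safety rule gets a low number so it sorts before any deny rule.
safety_rule() {
    printf 'ipfw -q add 10 allow ip from %s to me\n' "$ADMIN_NET"
}

# Queue the safety rule with at(1), which reads the command from stdin.
schedule_safety_net() {
    if [ "$DRY_RUN" = 1 ]; then
        printf 'at now + %s minutes <<EOF\n%s\nEOF\n' "$GRACE_MIN" "$(safety_rule)"
    else
        safety_rule | at now + "$GRACE_MIN" minutes
    fi
}

# Load the module and add the allow rule in ONE shell command line: once
# ipfw is loaded, its default rule (65535) denies everything unless the
# kernel was built to accept, so a separately typed second command would
# never reach the host. kldload errors are ignored for a static ipfw.
enable_ipfw() {
    schedule_safety_net
    run sh -c "kldload ipfw 2>/dev/null; $(safety_rule)"
    # Load the real ruleset next (e.g. with change_rules.sh); if it flushes
    # rule 10, the queued at job re-adds it within GRACE_MIN minutes.
}

# Once the session is confirmed to still work, drop the queued job.
cancel_safety_net() {
    run atq
    printf 'remove the listed job with: atrm <job-id>\n'
}

if [ "${1:-}" = "--run" ]; then enable_ipfw; fi
```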