From owner-freebsd-stable Fri Nov 14 08:57:30 1997
Message-Id: <199711141656.JAA29684@banana.imall.com>
To: "Studded"
cc: "FreeBSD Stable List"
Subject: Re: Serious problem with ipfw in 11/10 Snap
References: <199711140725.XAA05912@mail.san.rr.com>
In-reply-to: Your message of "Thu, 13 Nov 1997 23:25:46 PST." <199711140725.XAA05912@mail.san.rr.com>
Date: Fri, 14 Nov 1997 09:56:36 -0700
From: "Jan L. Peterson"
Sender: owner-freebsd-stable@FreeBSD.ORG

This is unrelated to your ipfw, but I have a comment about this
statement of yours:

> are especially bad for us because our 2 servers are in a colo that
> goes without people for several days. Therefore, problems that
> isolate the machines from the net can cost us days in uptime.

What you should do is configure your co-located machines for a serial
console and hook them together (or to a modem) so that you can get on
the console remotely. This way, you will be able to access them even
if your firewall rules are screwed up. You will also be able to do
something if they drop into single user mode at boot time due to a bad
fsck or something.

We have four FreeBSD servers, a FreeBSD-based firewall, and a Cisco
router at a coloc about 45 miles from our main office. All of the
machines have their serial ports connected to a Xylogics microannex (a
terminal server), which also has a modem on it. This way, even if the
router flakes out, we can still get console access to all of our
servers without having to drive there.

The only thing we can't do remotely at the moment is power-cycle the
machines. We're looking into X10 for that. :-)

	-jan-
--
Jan L. Peterson          iMALL, Inc.            tel. +1 801 377 0899
Senior Systems Admin     1185 S Mike Jense Cir  fax  +1 801 373 1947
jlp@imall.com            Provo, UT 84601 (USA)  http://www.imall.com/~jlp/