Date: Tue, 1 May 2001 16:16:03 -0700 (PDT)
From: "Eric J. Schwertfeger" <ejs@bfd.com>
To: questions@FreeBSD.ORG
Cc: steve@havk.org
Subject: Re: reloading firewall rules remotely
Message-ID: <Pine.BSF.4.21.0105011557420.2093-100000@harlie.bfd.com>
In-Reply-To: <bulk.29805.20010501153815@hub.freebsd.org>
> Date: Tue, 1 May 2001 11:36:30 -0500
> From: Steve Price <steve@havk.org>
> Subject: reloading firewall rules remotely
>
> Ok, now I feel more stupid than I usually do. What is the proper
> method for reloading ipfw rules from a remote box? I thought
> running it in the background worked, but evidently not. :(
>
> - -steve

Having aimed carefully at my foot on an occasion or two, and not having seen the problem described in the responses, I'll try to help. I could be way off on this, as I'm talking about areas that I'm not intimately familiar with.

The problem with running /etc/rc.firewall remotely is that the first thing it does is flush all the rules. If you haven't specified the quiet ipfw mode in /etc/rc.conf, it will then try to tell you what it did. Well, as soon as it tries to write the message, it gets a socket error, probably permission denied, which I think kills the pty, taking the process executing /etc/rc.firewall with it.

So, to prevent this from happening, you need to make sure that at no time between the start of running /etc/rc.firewall and the completion thereof does the pty try to send anything to you. I'm surprised that nohup didn't work, though the shell will still die as soon as it tries to put up a prompt. Did you confirm that the firewall rules didn't get loaded?

My solution is this:

    sh /etc/rc.firewall >/dev/null 2>/dev/null

though if you use csh as root's shell the second redirect isn't needed. I prefer this to nohup because when I get a prompt back, I know that the rules are loaded and I can proceed. If I don't get a prompt back in a reasonable amount of time, then I investigate (walk to the room the machine is in, or if really remote, call whoever does our hands-on stuff at that site).

Setting the quiet flag in /etc/rc.conf will also do this:

    firewall_quiet="NO"

However, this isn't as much fun because then you can't watch for errors while rebooting to make sure all your rules loaded properly.
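The redirect approach described above, as an added example that is not part of the original mail: a small wrapper that runs a rule script with SIGHUP ignored and all three standard descriptors detached from the pty, but sends the output to a log file (the log path, the function name and the stand-in rule script are assumptions) so that errors during the reload can still be reviewed afterwards.

```sh
#!/bin/sh
# Added example, not code from the original mail. It wraps the reload of
# a firewall rule script so that nothing is written to the remote pty
# while the rules are flushed and rebuilt; output goes to a log file for
# review afterwards instead of to /dev/null.

reload_firewall_quietly() {
    script=$1   # e.g. /etc/rc.firewall
    log=$2      # assumed log path, e.g. /var/log/fw-reload.log
    status=0
    # Ignore SIGHUP and detach stdin, stdout and stderr from the terminal
    # before running the script. Writing to the pty after the flush is
    # what produces the socket error described above.
    ( trap '' HUP; exec sh "$script" </dev/null >"$log" 2>&1 ) || status=$?
    if [ "$status" -eq 0 ]; then
        echo "rules reloaded; $(wc -l <"$log" | tr -d ' ') lines logged to $log"
    else
        echo "rule script exited with status $status; see $log"
    fi
    return "$status"
}

# Constructed stand-in for /etc/rc.firewall so the example runs offline.
tmpdir=$(mktemp -d)
cat >"$tmpdir/rc.firewall.fake" <<'EOF'
#!/bin/sh
echo "Flushed all rules."
echo "00100 allow ip from any to any via lo0"
echo "00200 deny ip from any to 127.0.0.0/8"
EOF

reload_firewall_quietly "$tmpdir/rc.firewall.fake" "$tmpdir/reload.log"
```

Once the prompt returns, read the log file to confirm the rules loaded, which is the check the quiet mode otherwise takes away.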