Date:      Wed, 24 Jan 2007 16:06:52 -0500
From:      John Nielsen <lists@jnielsen.net>
To:        freebsd-questions@freebsd.org
Subject:   Re: Problem with "ipfw flush"
Message-ID:  <200701241606.53149.lists@jnielsen.net>
In-Reply-To: <45B7C8AE.6060805@qwirky.net>
References:  <20070124152310.E82156@prime.gushi.org> <45B7C39E.5080605@qwirky.net> <45B7C8AE.6060805@qwirky.net>

On Wednesday 24 January 2007 15:59, Jeff Royle wrote:
> Jeff Royle wrote:
> > Dan Mahoney, System Admin wrote:
> >> In trying to tweak my firewall setup I'm using a file called
> >> /etc/ipfw.rules
> >>
> >> However, it seems even though I copy my rules perfectly to that file,
> >> the system freezes up and locks me out when I do:
> >>
> >> ipfw -f flush; ipfw /etc/ipfw.rules
> >>
> >> I've also tried doing it as
> >>
> >> ipfw -f flush && ipfw /etc/ipfw.rules
> >>
> >> But to no avail.
> >>
> >> if it matters, ipfw is loaded as a kernel module, not compiled in.
> >
> > I haven't used IPFW in a while but if I recall right IPFW has a default
> > policy of drop. So when you flush the ruleset your pass rules are all
> > gone.
> >
> > You could run the command like: ipfw -f flush && ipfw /etc/ipfw.rules
> >
> > That should allow you to flush and load your ruleset. You may also want
> > to look into changing the default policy to accept. However this may
> > require you to adjust your rules depending on how you wrote them.
>
> Oops, I am sorry, I got pulled away while reading your original email,
> guess I didn't finish reading it. I see you are trying &&.
>
> You still may want to look into a default policy of accept for IPFW,
> this way it's a non-issue.

Three things to remember when modifying ipfw rules remotely:

1) Make sure that you have a way to recover when you lock yourself out. Once 
you get the hang of it this doesn't happen very often, but it can definitely 
happen.

2) Put whatever rules you need to access your session at the top of your 
ruleset. (e.g. allow tcp from any to me 22 and allow tcp from me 22 to any)

3) Make sure to use "nohup" at the beginning of your reload command(s). It's 
helpful to make a script that flushes and reloads the firewall so all you 
have to do is "nohup reload.sh". If you use screen or the like you can get 
the same result. The point is to keep the system from hanging up on you and 
interrupting your session while you're momentarily not allowed in.

Changing the default to accept would alleviate the need for some or all of the 
above, but I've never thought that to be a good approach in situations where 
I actually want a firewall.

JN
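The three points above fit naturally into one small reload script. The following is an added example for this thread, not code from the original message. It assumes that /etc/ipfw.rules contains plain ipfw command lines (the `add 100 allow ...` form that `ipfw /etc/ipfw.rules` reads), that the admin is logged in over SSH on port 22, and that the script is invoked as `nohup ./reload.sh apply`. The variable names, the `check_session_rules` and `reload_firewall` functions and the `apply`/`check` arguments are this example's own; the `IPFW=echo` dry-run is also an assumption for testing, not an ipfw feature.

```shell
#!/bin/sh
# reload.sh: flush and reload ipfw without cutting off the remote session.
# Added example; not part of the original message. Assumes a rules file of
# plain ipfw command lines and an SSH session on port 22. IPFW=echo dry-runs.

IPFW="${IPFW:-ipfw}"
RULES_FILE="${RULES_FILE:-/etc/ipfw.rules}"
SSH_PORT="${SSH_PORT:-22}"

# Point 2: the first two rules in the file must keep the admin's SSH session
# alive. Returns 0 when the first two non-comment, non-blank lines are the
# session allow rules, 1 otherwise.
check_session_rules() {
    file="${1:-$RULES_FILE}"
    first=$(grep -v '^[[:space:]]*#' "$file" | grep -v '^[[:space:]]*$' | sed -n '1,2p')
    echo "$first" | sed -n 1p | grep -q "allow tcp from any to me $SSH_PORT" || return 1
    echo "$first" | sed -n 2p | grep -q "allow tcp from me $SSH_PORT to any" || return 1
    return 0
}

# Flush and reload in one go. Refuses to flush when the rules file is missing
# or does not start with the session rules, so the box is never left with
# nothing but the default deny and no way back in.
reload_firewall() {
    [ -r "$RULES_FILE" ] || { echo "cannot read $RULES_FILE" >&2; return 1; }
    check_session_rules "$RULES_FILE" || {
        echo "$RULES_FILE must start with the ssh allow rules" >&2
        return 2
    }
    # -f skips ipfw's "Are you sure?" prompt, which would hang under nohup
    # with no terminal attached; -q keeps the load quiet.
    "$IPFW" -q -f flush && "$IPFW" -q "$RULES_FILE"
}

# Point 3: run as "nohup ./reload.sh apply" (or inside screen) so a dropped
# SSH connection cannot kill the reload half-way through.
case "${1:-}" in
    apply) reload_firewall ;;
    check) check_session_rules && echo "session rules are first" ;;
    "") ;;   # no argument: only define the functions (e.g. when sourced)
    *) echo "usage: $0 apply|check" >&2; exit 64 ;;
esac
```

Running `./reload.sh check` before `nohup ./reload.sh apply` confirms the session rules really are first, which is the part of point 2 that is easy to get wrong when editing the file by hand. The script deliberately uses `&&` between the flush and the load so that a failed flush never leaves the rules file unapplied; it does not replace point 1, having an out-of-band way back in, which no script can provide.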