Date:      Fri, 18 May 2007 17:21:19 +1000
From:      Norberto Meijome <freebsd@meijome.net>
To:        "Brett Davidson" <brett@net24.co.nz>
Cc:        freebsd-questions@freebsd.org
Subject:   Re: IP Firewall disconnecting me after firewall changes
Message-ID:  <20070518172119.57bd2dc8@localhost>
In-Reply-To: <60224D09909C0B43A50935A0893D8FF33A444C@srv.exchange.net24.net.nz>
References:  <60224D09909C0B43A50935A0893D8FF33A444C@srv.exchange.net24.net.nz>

On Wed, 16 May 2007 16:58:39 +1200
"Brett Davidson" <brett@net24.co.nz> wrote:

> I keep firewall rules in a file that I then run via a "sh" command. You
> know, like /etc/rc.firewall. :-)
>  
> Essentially the file does
> ipfw -q -f flush
> $cmd 0015 check-state
> $cmd set 31 <rule#> allow tcp from <address/subnet> to me 22 in via $pif setup keep-state
>
> where $cmd = "ipfw -q add" and $pif = "em0".
>  
> I understand that this set 31 rule should remain even after the flush
> action on the first line.
>  
> This does not appear to be the case. If I run this script from an ssh
> session I get disconnected, which is not what I expected.
>  
> What am I doing wrong?

Nothing wrong really, I've always found it worked like this (it's actually
mentioned in man ipfw, at the end, in the section about using ipfw as a kld).

If you don't want to lose your session, use a tool like screen to keep your
term alive even when getting booted.

To avoid bad rules that lock you out altogether, implement a crontab that will
reset the rules to a known good configuration after a short period of time
(say, if you can't get in for 10 minutes, reset the rules. If you can get in,
update the crontab so it doesn't get run).

Beto

_________________________
{Beto|Norberto|Numard} Meijome

"They redundantly repeated themselves over and over again incessantly without
end ad infinitum" ibid.

I speak for myself, not my employer. Contents may be hot. Slippery when wet.
Reading disclaimers makes you go blind. Writing them is worse. You have been
Warned.
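
Beto's "revert to a known-good ruleset unless you get back in" idea, written out as an added example (this is not code from the thread or from FreeBSD). It assumes the rule sets are plain sh scripts that call ipfw themselves, the way Brett's file and /etc/rc.firewall do; /etc/ipfw.new.sh, /etc/ipfw.good.sh and /var/run/ipfw-safe are placeholder paths. Instead of a crontab entry it arms a background watchdog that ignores SIGHUP, so it needs nothing but sh and survives the ssh session being dropped by the flush:

```shell
#!/bin/sh
# ipfw-safe-reload.sh: load a new ipfw rule script with an automatic rollback.
#
# Added example, not code from the original thread.  It assumes a FreeBSD host
# whose rule scripts are plain sh files that call ipfw themselves (flush, then
# "ipfw add ..." lines, like /etc/rc.firewall); the paths are placeholders.
#
#   ipfw-safe-reload.sh apply /etc/ipfw.new.sh /etc/ipfw.good.sh 600
#   ipfw-safe-reload.sh confirm
#
# "apply" arms a watchdog, then runs the new script.  If "confirm" is not run
# (from a fresh ssh session) within the grace period, the watchdog re-runs the
# known-good script, so a bad ruleset locks you out for at most that long.

STATEDIR=${STATEDIR:-/var/run/ipfw-safe}   # point at a temp dir when testing
GRACE_DEFAULT=600                          # seconds; Beto's "10 minutes"

token()   { printf '%s/pending\n' "$STATEDIR"; }
pidfile() { printf '%s/watchdog.pid\n' "$STATEDIR"; }

# Run a rule script in a separate sh so that a syntax error in it cannot
# take this script down with it.
load_rules() {
    sh "$1"
}

# Background watchdog.  It ignores SIGHUP so that losing the ssh session
# (the very event we are guarding against) does not kill it too.
start_watchdog() {
    good=$1 grace=$2
    (
        trap '' HUP
        sleep "$grace"
        if [ -e "$(token)" ]; then       # nobody confirmed: roll back
            rm -f "$(token)"
            load_rules "$good"
        fi
    ) >/dev/null 2>&1 &
    echo $! > "$(pidfile)"
}

apply_rules() {
    new=$1 good=$2 grace=${3:-$GRACE_DEFAULT}
    if [ ! -r "$new" ] || [ ! -r "$good" ]; then
        echo "apply: rule scripts must be readable files" >&2
        return 1
    fi
    mkdir -p "$STATEDIR"
    : > "$(token)"                        # rollback is now pending
    start_watchdog "$good" "$grace"       # arm BEFORE touching the rules
    load_rules "$new"
    echo "new rules loaded; run 'confirm' within ${grace}s or they are reverted"
}

# Run from the new session once you know the new rules let you in.
confirm_rules() {
    if [ ! -e "$(token)" ]; then
        echo "confirm: no rollback pending" >&2
        return 1
    fi
    rm -f "$(token)"                      # the watchdog checks this first
    if [ -r "$(pidfile)" ]; then
        kill "$(cat "$(pidfile)")" 2>/dev/null || true
        rm -f "$(pidfile)"
    fi
    echo "new rules confirmed, rollback cancelled"
}

case "$1" in
    apply)   shift; apply_rules "$@" ;;
    confirm) confirm_rules ;;
esac
```

A crontab entry or an at(1) job that runs the known-good script does the same thing out of process, which is what Beto's suggestion amounts to. Whichever form you use, two details matter: the revert is armed before the flush runs, not after, and it is cancelled only from a session that the new rules actually let through.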



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20070518172119.57bd2dc8>