From owner-freebsd-questions@FreeBSD.ORG Fri May 18 07:21:25 2007
X-Original-To: freebsd-questions@freebsd.org
Delivered-To: freebsd-questions@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [69.147.83.52]) by hub.freebsd.org (Postfix) with ESMTP id CE98516A40A for ; Fri, 18 May 2007 07:21:25 +0000 (UTC) (envelope-from freebsd@meijome.net)
Received: from sigma.octantis.com.au (ns2.octantis.com.au [207.44.189.124]) by mx1.freebsd.org (Postfix) with ESMTP id 828C513C46C for ; Fri, 18 May 2007 07:21:25 +0000 (UTC) (envelope-from freebsd@meijome.net)
Received: (qmail 23745 invoked from network); 18 May 2007 02:21:25 -0500
Received: from 203-217-83-146.dyn.iinet.net.au (HELO localhost) (203.217.83.146) by sigma.octantis.com.au with (DHE-RSA-AES256-SHA encrypted) SMTP; 18 May 2007 02:21:24 -0500
Date: Fri, 18 May 2007 17:21:19 +1000
From: Norberto Meijome
To: "Brett Davidson"
Message-ID: <20070518172119.57bd2dc8@localhost>
In-Reply-To: <60224D09909C0B43A50935A0893D8FF33A444C@srv.exchange.net24.net.nz>
References: <60224D09909C0B43A50935A0893D8FF33A444C@srv.exchange.net24.net.nz>
X-Mailer: Claws Mail 2.9.1 (GTK+ 2.10.12; i386-portbld-freebsd6.2)
Mime-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Cc: freebsd-questions@freebsd.org
Subject: Re: IP Firewall disconnecting me after firewall changes
X-BeenThere: freebsd-questions@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: User questions
X-List-Received-Date: Fri, 18 May 2007 07:21:25 -0000

On Wed, 16 May 2007 16:58:39 +1200
"Brett Davidson" wrote:

> I keep firewall rules in a file that I then run via a "sh" command. You
> know, like /etc/rc.firewall. :-)
>
> Essentially the file does
> ipfw -q -f flush
> $cmd 0015 check-state
> $cmd set 31 to me 22 in via $pif setup keep-state
>
> where $cmd = "ipfw -q add" and $pif = "em0".
>
> I understand that this set 31 rule should remain even after the flush
> action on the first line.
>
> This does not appear to be the case. If I run this script from an ssh
> session I get disconnected which is not what I expected.
>
> What am I doing wrong?

Nothing wrong really, I've always found it worked like this (it's actually
mentioned in man ipfw, at the end, in the section about using ipfw as a kld).

If you don't want to lose your session, use a tool like screen to keep your
term alive even when getting booted.

To avoid bad rules that lock you out altogether, implement a crontab that
will reset the rules to a known good configuration after a short period of
time (say, if you can't get in for 10 minutes, reset the rules. If you can
get in, update the crontab so it doesn't get run).

Beto
_________________________
{Beto|Norberto|Numard} Meijome

"They redundantly repeated themselves over and over again incessantly
without end ad infinitum" ibid.

I speak for myself, not my employer. Contents may be hot. Slippery when wet.
Reading disclaimers makes you go blind. Writing them is worse. You have been Warned.
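The "reset to a known good ruleset unless the admin confirms" safety net that the reply suggests, written out as an added example; this is not code from the thread, from FreeBSD, or from either poster. It assumes a state directory `/var/run/fwsafe`, a known-good ruleset at `/etc/ipfw.known-good`, and that the script is installed as `/usr/local/sbin/fw-safety-net.sh` with a cron entry running its `check` subcommand every minute. Unlike the poster's file, which is a shell script run with `sh`, the rule files here hold one `ipfw add` argument list per line, so the same loader can replay them; all of those names, paths and the three subcommands are assumptions of this example.

```shell
#!/bin/sh
# fw-safety-net.sh (hypothetical): apply a new ipfw ruleset with an automatic
# rollback.  A cron job calls "check" every minute; if nobody has confirmed
# the new rules within WINDOW seconds, the known-good ruleset is reloaded.
#
# Assumed cron entry (/etc/crontab):
#   * * * * *  root  /usr/local/sbin/fw-safety-net.sh check
#
# Usage: fw-safety-net.sh apply NEW.rules   # load new rules, start the clock
#        fw-safety-net.sh confirm           # run after you can still log in
#        fw-safety-net.sh check             # cron entry point

IPFW="${IPFW:-/sbin/ipfw}"                       # ipfw binary (overridable for testing)
STATE_DIR="${STATE_DIR:-/var/run/fwsafe}"        # assumed state directory
KNOWN_GOOD="${KNOWN_GOOD:-/etc/ipfw.known-good}" # assumed path of the safe ruleset
WINDOW="${WINDOW:-600}"                          # seconds to confirm (10 minutes)

load_ruleset() {
    # Flush, then feed every non-blank, non-comment line of $1 to "ipfw add".
    # Word splitting of $line is intended: each line is one argument list.
    "$IPFW" -q -f flush
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in ''|'#'*) continue ;; esac
        # shellcheck disable=SC2086
        "$IPFW" -q add $line
    done < "$1"
}

apply_new_rules() {
    # Record the start of the confirmation window BEFORE touching the
    # firewall, so a rule that cuts the session off still gets rolled back.
    mkdir -p "$STATE_DIR"
    date +%s > "$STATE_DIR/pending"
    load_ruleset "$1"
    echo "new rules loaded; run 'fw-safety-net.sh confirm' within ${WINDOW}s or they roll back"
}

confirm_rules() {
    # The admin got back in: cancel the pending rollback.
    if [ -f "$STATE_DIR/pending" ]; then
        rm -f "$STATE_DIR/pending"
        echo "rules confirmed, rollback cancelled"
    else
        echo "nothing pending"
    fi
    return 0
}

rollback_if_unconfirmed() {
    # Cron entry point.  Returns 0 when nothing is pending, 1 while the
    # window is still open, 2 after restoring the known-good ruleset.
    [ -f "$STATE_DIR/pending" ] || return 0
    started=$(cat "$STATE_DIR/pending")
    now=$(date +%s)
    if [ $((now - started)) -lt "$WINDOW" ]; then
        return 1
    fi
    load_ruleset "$KNOWN_GOOD"
    rm -f "$STATE_DIR/pending"
    logger -t fw-safety-net "no confirmation within ${WINDOW}s; restored $KNOWN_GOOD" 2>/dev/null || true
    return 2
}

case "${1:-}" in
    apply)
        [ -n "${2:-}" ] || { echo "usage: fw-safety-net.sh apply RULEFILE" >&2; exit 64; }
        apply_new_rules "$2" ;;
    confirm) confirm_rules ;;
    check)   rollback_if_unconfirmed ;;
    *)       : ;;   # no subcommand: only define the functions
esac
```

Because the window timestamp is written before the flush, losing the SSH session at the moment the rules load does not defeat the rollback, which is the failure mode the reply is guarding against. The known-good file should be the ruleset you last confirmed from a fresh login, not whatever happens to be loaded when the clock starts.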