From owner-freebsd-net@FreeBSD.ORG Fri Jun 20 17:27:19 2003
From: jdroflet@canada.com
To: dero@bluhayz.org
cc: freebsd-net@freebsd.org
Date: Fri, 20 Jun 2003 17:27:15 -0700 (PDT)
Subject:
Message-Id: <20030620172717.1996.h001.c009.wm@mail.canada.com.criticalpath.net>
List-Id: Networking and TCP/IP with FreeBSD

I realized this after posting: I should have included info on restarting rules, and Joseph has hit on it here. I now use /usr/src/share/examples/ipfw/change_rules.sh, which comes with the standard install, for any firewall changes. It saves old rulesets and allows you to view (syntax), then confirm rule changes. If you don't confirm within a set number of seconds, it does not install the new rules. I have yet to cut myself off when changing remote rules using this script.
For natd changes I have a script with the line:

    killall -9 natd;sleep 2;/sbin/natd -config /etc/natd.file -n fxp0 &

Perhaps someone has a more elegant method ;)

Regards,
JD

> firewall rules through that, be careful, you can cut yourself off if you
> are not. I always update rules in a copy of the firewall rules I use. Run it
> with "rc.firewall.copy >/tmp/rules &". You can check the output by looking
> at /tmp/rules. If you don't add "&" and you get cut off, the script will
> not complete and may leave you in an unpredictable state. As long as you
> are editing a copy of the rules, if something goes wrong, you just get
> someone to reboot the computer, and it will use the original rule set. To
> minimize getting cut off, move your sshd rules for the external interface
> as close to the top as you can.
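The confirm-or-rollback pattern JD describes for change_rules.sh, written out as an added example in POSIX sh (this is not the FreeBSD script nor anything from the thread). It assumes the new ruleset is a file in ipfw's file syntax ("add 100 allow ..." lines), that ipfw can read a rule file from /dev/stdin, and the IPFW, BACKUP_DIR and function names are hypothetical.

```shell
#!/bin/sh
# Dead-man's-switch installer for ipfw rulesets (constructed example).
# Assumptions: IPFW names the ipfw binary, the first argument is a file
# in ipfw's file syntax (one command per line, e.g. "add 100 allow ..."),
# and BACKUP_DIR is writable. All names here are hypothetical.
IPFW=${IPFW:-/sbin/ipfw}
BACKUP_DIR=${BACKUP_DIR:-/var/backups/ipfw}
WATCHDOG_PID=

# Save the running ruleset to a timestamped file and print its path.
save_ruleset() {
    mkdir -p "$BACKUP_DIR" || return 1
    f="$BACKUP_DIR/rules.$(date +%Y%m%d%H%M%S).$$"
    "$IPFW" -q list > "$f" || return 1
    printf '%s\n' "$f"
}

# Reinstall a ruleset saved above: "ipfw list" prints "<number> <rule>",
# which becomes "add <number> <rule>" in file syntax.
restore_ruleset() {
    "$IPFW" -q flush || return 1
    sed 's/^/add /' "$1" | "$IPFW" -q /dev/stdin
}

# Install the new rules, then arm a watchdog that puts the old ruleset
# back after TIMEOUT seconds unless confirm_rules runs first. The watchdog
# ignores SIGHUP so it still fires if the SSH session that ran it is lost.
apply_rules_with_confirm() {
    new=$1 timeout=${2:-60}
    saved=$(save_ruleset) || return 1
    if ! { "$IPFW" -q flush && "$IPFW" -q "$new"; }; then
        restore_ruleset "$saved"
        return 1
    fi
    ( trap '' HUP; sleep "$timeout"; restore_ruleset "$saved" ) &
    WATCHDOG_PID=$!
    printf 'new rules live; old ruleset saved to %s\n' "$saved"
}

# Run within the timeout from a still-working session to keep the new
# rules: killing the watchdog cancels the rollback.
confirm_rules() {
    [ -n "$WATCHDOG_PID" ] && kill "$WATCHDOG_PID" 2>/dev/null
    WATCHDOG_PID=
}
```

Because the watchdog is a separate background process, losing the session that ran apply_rules_with_confirm leaves the rollback armed rather than the rules half-applied, which is the failure mode the quoted advice about "&" is guarding against.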