From owner-freebsd-questions@FreeBSD.ORG Fri May 23 14:13:59 2003
Date: Fri, 23 May 2003 23:13:59 +0200
From: David Landgren
Organization: Oh smear this man across the walls/Like strawberries and cream/It's the only way to be
To: Giorgos Keramidas
cc: Carolyn Longfoot
cc: freebsd-questions@freebsd.org
Subject: Re: Update Firewall Rules
Message-ID: <3ECE8F17.8010504@landgren.net>
In-Reply-To: <20030522093058.GA24261@igloo.linux.gr>
References: <20030522093058.GA24261@igloo.linux.gr>

Giorgos Keramidas wrote:
> Doing things on a remote machine that you cannot possibly access if
> something goes wrong (i.e. a colocation server) is probably not a good
> idea though. In cases like these, I usually follow the following
> procedure when tinkering with firewall rules to avoid locking myself
> out of a machine I can't log in to afterwards:
>
> a) Schedule a reboot in 15 minutes or so.
>
> b) Load new firewall rules.
>
> c) Test rules.
>
> d) Unschedule the reboot if all goes well.

That's a little bit savage. I hate rebooting machines if I'm not around to nurse them. People leaving bootable CDs in the drive, or floppies, bootable or otherwise, or configs that drift so that ssh fails to start up, or after the last ISP switch you forgot to set the defaultrouter to the new one... I've had all these things happen over the years.

The ipfw man page has an excellent example that shows you how to create a set of rules, enable them, and if you don't hit ^C in 15 seconds (or whatever time you need to test), it backs the set out and you retrieve your initial ruleset.

I have used this approach on a couple of occasions, and it's very handy. Check the man page.

David
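The "load, wait for ^C, otherwise back out" pattern David refers to, written out as an added shell example for this archive page; it is not the ipfw(8) man page's own script and not code posted in the thread. It assumes FreeBSD ipfw(8), rule files holding one "<number> <rule body>" per line (the shape `ipfw list` prints), and that the IPFW and TIMEOUT variables may be overridden in the environment (for instance to point at a test double); the saved-ruleset path under /var/tmp is a constructed default.

```shell
#!/bin/sh
# Added example: apply a new ipfw ruleset, then automatically reinstate
# the saved ruleset unless the operator confirms with ^C before the timer
# expires. If the new rules cut off the ssh session, no ^C can arrive and
# the box backs itself out, so a bad ruleset cannot lock you out for good.
#
# Assumptions (not from the thread): FreeBSD ipfw(8); rule files contain
# one "<number> <rule body>" per line, as printed by "ipfw list".

IPFW=${IPFW:-/sbin/ipfw}      # overridable, e.g. with a test double
TIMEOUT=${TIMEOUT:-15}        # seconds the operator has to confirm

# Write the live ruleset to $1. The default rule 65535 cannot be re-added
# later, so it is dropped; everything else is kept verbatim.
save_rules() {
    "$IPFW" list | sed '/^65535 /d' > "$1"
}

# Replace the live ruleset with the contents of $1.
# Blank lines and lines starting with '#' are skipped.
load_rules() {
    "$IPFW" -f flush      # -f: do not prompt for confirmation
    grep -v -e '^[[:space:]]*#' -e '^[[:space:]]*$' "$1" |
    while read -r rule; do
        # Word-splitting of $rule is intended: "<number> <rule body>"
        # becomes the argument list of "ipfw add".
        "$IPFW" add $rule
    done
}

# apply_with_rollback NEW_FILE [SAVED_FILE]
# Saves the live ruleset, loads NEW_FILE, waits TIMEOUT seconds and
# restores the saved ruleset unless SIGINT (^C) arrived meanwhile.
# Returns 0 when the new rules were kept, 1 when they were backed out.
apply_with_rollback() {
    new=$1
    saved=${2:-/var/tmp/ipfw.saved.$$}   # constructed default location
    keep=0

    save_rules "$saved"
    load_rules "$new"

    trap 'keep=1' INT
    echo "New rules loaded; press ^C within $TIMEOUT s to keep them" >&2
    sleep "$TIMEOUT" || :     # sleep is killed by ^C; tolerate its status
    trap - INT

    if [ "$keep" -eq 1 ]; then
        echo "Confirmed; keeping new ruleset" >&2
        return 0
    fi
    echo "No confirmation; restoring ruleset from $saved" >&2
    load_rules "$saved"
    return 1
}
```

Run it as `apply_with_rollback /etc/ipfw.rules.new` from the session you are testing; if that session survives, a ^C commits the rules, and if it does not, the old ruleset is back within TIMEOUT seconds with no reboot. The saved file is left in place so the previous rules can be inspected or reloaded by hand afterwards.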