From owner-freebsd-bugs Sat Jun 13 11:00:36 1998
Return-Path: 
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id LAA16336 for freebsd-bugs-outgoing; Sat, 13 Jun 1998 11:00:36 -0700 (PDT) (envelope-from owner-freebsd-bugs@FreeBSD.ORG)
Received: from freefall.freebsd.org (freefall.FreeBSD.ORG [204.216.27.21]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id LAA16318 for ; Sat, 13 Jun 1998 11:00:34 -0700 (PDT) (envelope-from gnats@FreeBSD.org)
Received: (from gnats@localhost) by freefall.freebsd.org (8.8.8/8.8.5) id LAA29515; Sat, 13 Jun 1998 11:00:01 -0700 (PDT)
Received: from coyote.instrumatic.ch (coyote.instrumatic.ch [195.226.4.148]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id KAA15703 for ; Sat, 13 Jun 1998 10:56:10 -0700 (PDT) (envelope-from ast@icon.iconomic.com)
Received: (from root@localhost) by coyote.instrumatic.ch (8.8.7/8.8.7/ast-971024) with UUCP id TAA24061 for FreeBSD-gnats-submit@freebsd.org; Sat, 13 Jun 1998 19:56:04 +0200 (MET DST)
Received: (from ast@localhost) by icon.iconomic.com (8.8.8/8.8.8) id TAA13514; Sat, 13 Jun 1998 19:51:39 +0200 (MEST) (envelope-from ast)
Message-Id: <199806131751.TAA13514@icon.iconomic.com>
Date: Sat, 13 Jun 1998 19:51:39 +0200 (MEST)
From: Adrian Steinmann
Reply-To: ast@iconomic.com
To: FreeBSD-gnats-submit@FreeBSD.ORG
X-Send-Pr-Version: 3.2
Subject: bin/6937: submission: routines in /etc/rc.firewall to make it failsafe
Sender: owner-freebsd-bugs@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

>Number:         6937
>Category:       bin
>Synopsis:       rc.firewall can't be run from network - fix
>Confidential:   no
>Severity:       non-critical
>Priority:       medium
>Responsible:    freebsd-bugs
>State:          open
>Quarter:
>Keywords:
>Date-Required:
>Class:          change-request
>Submitter-Id:   current-users
>Arrival-Date:   Sat Jun 13 11:00:01 PDT 1998
>Last-Modified:
>Originator:     Adrian Steinmann
>Organization:   Steinmann Consulting
>Release:        FreeBSD 2.2.6-RELEASE i386
>Environment:
System running IPFW and /etc/rc.firewall
>Description:
The file /etc/rc.firewall reloads the ipfw rules but may not complete if it is started on a network connection.
>How-To-Repeat:
Run sh /etc/rc.firewall on a network connection. If /etc/rc.firewall is sufficiently complex, you will lose your connection and may not be able to contact the machine again until /etc/rc.firewall has run completely.
>Fix:
I have been using this additional code in /etc/rc.firewall with good results: if, by chance, you run sh /etc/rc.firewall on a pty via the network, you will admittedly lose your session, but the script will finish completely and (unless you made changes which are faulty) you will be able to log back in again (because it ignores the HUP signal). It also takes down and brings up all interfaces, making any ongoing connections cut more cleanly (and usually continue) than when the rules are loaded while the interfaces are up. The really paranoid might also argue that this way there is no window where the interfaces are up and the FW rules are incomplete...

Could we put this into the distributed /etc/rc.firewall?

    ...
    PATH=/sbin:/usr/sbin:/bin:/usr/bin
    export PATH
    ...
    # routine to set interfaces down and up
    interfaces () {
        case "x$1" in
        xup|xdown)
            # every interface whose flag list carries BROADCAST
            # (lo0 and point-to-point links are left alone)
            ifconfig -a | sed -n -e '/BROADCAST,/ s/:.*//p' | \
                while read i; do ifconfig $i $1; done
            ;;
        *)
            echo "USAGE: interfaces [up|down]" >&2
            ;;
        esac
    }

    ############
    # START
    trap '' 1           # ignore SIGHUP: a dropped session no longer kills the script
    interfaces down

    ... all the ipfw rules ...

    ############
    # DONE
    interfaces up

Adrian
_________________________________________________________________________
Dr. Adrian Steinmann
Steinmann Consulting
Apollostrasse 21
8032 Zurich
Tel +41 1 380 30 83
Fax +41 1 380 30 85
Mailto:ast@marabu.ch
>Audit-Trail:
>Unformatted:
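The procedure in the PR (ignore SIGHUP, take the broadcast interfaces down, load the rules, bring the interfaces back up) as a self-contained script. This is an added example, not the submitter's code and not FreeBSD's rc.firewall: it assumes the rules live in a file of `add ...` lines rather than inline in rc.firewall, and that `IFCONFIG` and `IPFW` name the commands to run, so a dry run can swap in stand-ins that only log what would have been executed. The `ifconfig -a` sample is constructed, not captured from a real host. It also reports a rejected rule instead of aborting, so that the interfaces always come back up even when one rule is faulty, which is the failsafe property the PR is after.

```shell
#!/bin/sh
# Added example (not from the PR): a HUP-proof ipfw reload in the spirit of
# the interfaces() routine above. Assumptions: IFCONFIG and IPFW name the
# commands to run (default: the real ifconfig/ipfw) and the rules are kept in
# a file of "add ..." lines.
PATH=/sbin:/usr/sbin:/bin:/usr/bin; export PATH
IFCONFIG=${IFCONFIG:-ifconfig}
IPFW=${IPFW:-ipfw}

# Constructed sample of "ifconfig -a" output (FreeBSD 2.2 style) for the dry
# run; it was not captured from a real machine.
SAMPLE_IFCONFIG='ed0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        inet 192.0.2.10 netmask 0xffffff00 broadcast 192.0.2.255
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 16384
        inet 127.0.0.1 netmask 0xff000000
tun0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 1500
de0: flags=8802<BROADCAST,SIMPLEX,MULTICAST> mtu 1500'

# Read "ifconfig -a" output on stdin and print the name of every interface
# whose flag list carries BROADCAST. Accepts "BROADCAST," and "BROADCAST>"
# so the flag's position does not matter; lo0 and point-to-point links are
# left alone.
broadcast_ifaces() {
    sed -n -e '/^[a-z][a-z0-9]*: flags=.*<.*BROADCAST[,>]/ s/:.*//p'
}

# Bring every broadcast interface down or up. The list is gathered first so
# a failing ifconfig call is reported by this shell, not by a pipeline subshell.
interfaces() {
    case "x$1" in
    xup|xdown) ;;
    *) echo "USAGE: interfaces [up|down]" >&2; return 2 ;;
    esac
    for i in $("$IFCONFIG" -a | broadcast_ifaces); do
        "$IFCONFIG" "$i" "$1" || { echo "ifconfig $i $1 failed" >&2; return 1; }
    done
}

# Load the rules in file $1 with SIGHUP ignored and the interfaces down.
# Losing the pty half-way through no longer leaves a half-loaded ruleset, and
# a rule that ipfw rejects is reported but does not stop the run, so the
# interfaces always come back up. Returns the number of rejected rules.
reload_firewall() {
    rules=$1
    [ -r "$rules" ] || { echo "cannot read rules file: $rules" >&2; return 2; }
    trap '' HUP                  # survive loss of the controlling terminal
    interfaces down || return 1
    "$IPFW" -f flush             # -f: flush without asking for confirmation
    bad=0
    while IFS= read -r line; do
        case "$line" in ''|'#'*) continue ;; esac   # skip blanks and comments
        # word splitting of $line is intended: "add 100 allow ip from any to any"
        "$IPFW" $line || { echo "ipfw rejected: $line" >&2; bad=$((bad + 1)); }
    done < "$rules"
    interfaces up || return 1
    return $bad
}

# Dry-run stand-ins: answer "ifconfig -a" with the sample and log every other
# call instead of executing it.
DRYRUN_LOG=${DRYRUN_LOG:-/tmp/rc.firewall.dryrun.$$}
fake_ifconfig() {
    if [ "$1" = -a ]; then printf '%s\n' "$SAMPLE_IFCONFIG"
    else echo "ifconfig $*" >> "$DRYRUN_LOG"; fi
}
fake_ipfw() { echo "ipfw $*" >> "$DRYRUN_LOG"; }

# Usage:  sh failsafe-fw.sh --dry-run rules.txt   (writes a log, touches nothing)
#         sh failsafe-fw.sh rules.txt             (real reload, needs root)
case "${1:-}" in
--dry-run) IFCONFIG=fake_ifconfig; IPFW=fake_ipfw; shift
           reload_firewall "$1"; echo "dry-run log: $DRYRUN_LOG" ;;
'')        ;;   # no arguments: only define the functions
*)         reload_firewall "$1" ;;
esac
```

The dry run is the check to make before running this over a network session: the log should show every broadcast interface going down, the flush, each rule, and every interface coming back up, in that order.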