From owner-freebsd-hackers Wed Jun 3 04:48:30 1998
Return-Path:
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id EAA26883 for freebsd-hackers-outgoing; Wed, 3 Jun 1998 04:48:30 -0700 (PDT) (envelope-from owner-freebsd-hackers@FreeBSD.ORG)
Received: from coyote.instrumatic.ch (coyote.instrumatic.ch [195.226.4.148]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id EAA26865 for ; Wed, 3 Jun 1998 04:48:16 -0700 (PDT) (envelope-from ast@marabu.ch)
Received: (from root@localhost) by coyote.instrumatic.ch (8.8.7/8.8.7/ast-971024) with UUCP id NAA14569 for hackers@freebsd.org; Wed, 3 Jun 1998 13:48:07 +0200 (MET DST)
Received: (from uucp@localhost) by hawk.marabu.ch (8.8.8/8.8.8) with UUCP id NAA26792 for hackers@freebsd.org; Wed, 3 Jun 1998 13:42:04 +0200 (MEST) (envelope-from ast@marabu.ch)
Received: by marabu.marabu.ch (8.7.5/970531-ast-7.9) id NAA01053; Wed, 3 Jun 1998 13:39:33 +0200 (CEST)
Message-Id: <199806031139.NAA01053@marabu.marabu.ch>
Content-Type: text/plain
MIME-Version: 1.0 (NeXT Mail 3.3 v118.2)
X-Nextstep-Mailer: Mail 3.3 (Enhance 2.0b6)
Received: by NeXT.Mailer (1.118.2)
From: Adrian Steinmann
Date: Wed, 3 Jun 98 13:39:32 +0200
To: hackers@FreeBSD.ORG
Subject: submission: additional routines in /etc/rc.firewall to make it failsafe
X-Organization: Steinmann Consulting, Apollostrasse 21, 8032 Zurich
X-Phone-Numbers: Switzerland, Tel +41 1 380 30 83 Fax +41 1 380 30 85
Sender: owner-freebsd-hackers@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

I have been using this additional code in /etc/rc.firewall with good results: if, by chance, you run sh /etc/rc.firewall on a pty via the network, you will admittedly lose your session, but the script will finish completely and (unless you made changes which are faulty) you will be able to log back in again (because it ignores the HUP signal).
It also takes down and brings up all interfaces, so that ongoing connections are cut more cleanly (and usually continue) than when the rules are loaded while the interfaces are up. The really paranoid might also argue that this way there is no window where the interfaces are up and the FW rules are incomplete...

Could we put this into the distributed /etc/rc.firewall?

Adrian

_________________________________________________________________________
Dr. Adrian Steinmann   Steinmann Consulting   Apollostrasse 21   8032 Zurich
Tel +41 1 380 30 83   Fax +41 1 380 30 85   Mailto:ast@marabu.ch

...
PATH=/sbin:/usr/sbin:/bin:/usr/bin
export PATH
...
# routine to set interfaces down and up
interfaces () {
    case "x$1" in
    xup|xdown)
        # list every interface whose flags contain BROADCAST (the
        # Ethernet-style ones, not lo0 or point-to-point links):
        # "ed0: flags=8843<UP,BROADCAST,...>" -> "ed0"
        ifconfig -a | sed -n -e '/BROADCAST,/ s/:.*//p' | \
        while read i; do ifconfig $i $1; done
        ;;
    *)
        echo "USAGE: interfaces [up|down]" >&2
        ;;
    esac
}

############
# START
# ignore SIGHUP so the script runs to completion even if the session
# it was started from dies when its interface goes down
trap '' 1
interfaces down
... all the ipfw rules ...
############
# DONE
interfaces up
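As an added example that is not part of the post above and not FreeBSD's own /etc/rc.firewall: the interface-bounce step rewritten so it can be exercised against captured ifconfig -a text. It keeps the poster's idea (ignore SIGHUP, take the broadcast interfaces down, load the rules, bring them up) and adds two things a practitioner would want: it remembers which interfaces were actually UP and raises only those again (the original would also bring up an interface the admin had deliberately left down), and it arms a timed revert to a last-known-good rule script so that a bad ruleset loaded over the network does not lock you out for good. IFCONFIG, RULES_LAST_GOOD, REVERT_PIDFILE and the sample ifconfig output are assumptions made for this example.

```shell
#!/bin/sh
# Added example; not the poster's code and not part of FreeBSD.
# Hypothetical names: IFCONFIG (command hook so tests can substitute a
# fake), RULES_LAST_GOOD (known-good rule script), REVERT_PIDFILE.

PATH=/sbin:/usr/sbin:/bin:/usr/bin
export PATH

# Command used to read and change interface state.
: "${IFCONFIG:=ifconfig}"
RULES_LAST_GOOD=${RULES_LAST_GOOD:-/etc/rc.firewall.last-good}
REVERT_PIDFILE=${REVERT_PIDFILE:-/var/run/fw-revert.pid}

# Constructed sample in the 1998-era FreeBSD ifconfig -a format: loopback,
# one live Ethernet card, a tunnel, and a second card that is
# administratively down (BROADCAST set, UP not set).
SAMPLE_IFCONFIG='lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 16384
        inet 127.0.0.1 netmask 0xff000000
ed0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        inet 192.0.2.10 netmask 0xffffff00 broadcast 192.0.2.255
tun0: flags=8010<POINTOPOINT,MULTICAST> mtu 1500
ed1: flags=8802<BROADCAST,SIMPLEX,MULTICAST> mtu 1500'

# broadcast_ifaces: read ifconfig -a text on stdin, print the name of each
# interface whose flag list contains BROADCAST. The flag is matched as a
# whole word inside <...>, so a trailing "BROADCAST>" is found too (the
# original /BROADCAST,/ pattern needs a comma after it) and the lowercase
# "broadcast 192.0.2.255" on indented address lines is never matched.
broadcast_ifaces() {
    sed -n -e '/^[a-z][a-z0-9.]*: flags=.*[<,]BROADCAST[,>]/ s/:.*//p'
}

# up_broadcast_ifaces: the subset of broadcast interfaces that are UP now.
up_broadcast_ifaces() {
    sed -n -e '/^[a-z][a-z0-9.]*: flags=.*[<,]UP[,>]/p' | broadcast_ifaces
}

# bounce_ifaces CMD...: ignore SIGHUP, take every UP broadcast interface
# down, run CMD (the rule loader), then bring the same interfaces back up.
# Because the list is taken once, an interface that was down before stays
# down afterwards.
bounce_ifaces() {
    trap '' HUP
    bounce_list=$($IFCONFIG -a | up_broadcast_ifaces)
    for i in $bounce_list; do $IFCONFIG "$i" down; done
    "$@"
    for i in $bounce_list; do $IFCONFIG "$i" up; done
}

# arm_revert SECONDS: background job that reloads RULES_LAST_GOOD after
# the delay unless disarm_revert is run first from a session that
# survived the change. Call it after trap '' HUP: the ignored disposition
# is inherited by the child, so losing the session does not kill the
# safety net along with it.
arm_revert() {
    ( sleep "$1" && sh "$RULES_LAST_GOOD" ) &
    echo $! > "$REVERT_PIDFILE"
}

disarm_revert() {
    [ -f "$REVERT_PIDFILE" ] && kill "$(cat "$REVERT_PIDFILE")" 2>/dev/null
    rm -f "$REVERT_PIDFILE"
}

# Intended use from a remote session:
#   trap '' HUP; arm_revert 300; bounce_ifaces sh /etc/rc.firewall
# then log back in and run disarm_revert once you can reach the box.
```

The revert timer is the standard answer to the "I cut myself off" failure the post describes: if the new rules are wrong, the box comes back by itself after the delay; if they are right, the first thing you do from the new session is disarm it.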