From owner-freebsd-bugs Tue Jun 5 0:30: 5 2001
Date: Tue, 5 Jun 2001 00:30:02 -0700 (PDT)
Message-Id: <200106050730.f557U2119260@freefall.freebsd.org>
To: freebsd-bugs@FreeBSD.org
From: Bill Fumerola
Subject: Re: bin/27887: ipfw 'backup' option proposal
Reply-To: Bill Fumerola
Sender: owner-freebsd-bugs@FreeBSD.ORG

The following reply was made to PR bin/27887; it has been noted by GNATS.

From: Bill Fumerola
To: FreeBSD-gnats-submit@freebsd.org
Subject: Re: bin/27887: ipfw 'backup' option proposal
Date: Tue, 5 Jun 2001 02:26:19 -0500

On Tue, Jun 05, 2001 at 10:45:23AM +0400, avn@any.ru wrote:

> >Description:
> Usage of ipfw on remote systems is often dangerous, and handbook
> explicitly warns about this. IMO it can be useful to have a 'backup'
> option to ipfw, which would restore previous ruleset in case that
> user locked himself out. It saves the ruleset, performs requested
> changes to ipfw and asks a user if he is still on-line. In case of
> disconnection, timeout of 15 seconds, or signal delivery, it restores
> previous ruleset. As for now, AFAIK, there is no interface to introduce
> dynamic rules directly, so it restores only static ruleset, and does
> not restore pipes too. But, it should be enough in most cases to
> allow user get back again.

potential committers: don't commit this.

I have a much more generic (atomic changing of rulesets, recursive
inclusion of rulesets) implementation that I might finish one of these
days... in any case, doing this in ipfw(8) doesn't even seem like the
right place to pull this off..

--
Bill Fumerola - security yahoo / Yahoo! inc.
- fumerola@yahoo-inc.com / billf@FreeBSD.org
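
The save, change, confirm, restore sequence described in the quoted PR, written as a shell wrapper around ipfw(8). This is an added example, not the patch attached to the PR and not code from either poster; it arms the rollback before the change is applied, so a dropped session, the 15-second timeout or a signal all end in a restore. The helper names, the IPFW and TIMEOUT variables and the backup path are assumptions.

```sh
#!/bin/sh
# Added example: dead-man-switch wrapper around an ipfw ruleset change.
# guarded_apply, save_rules and restore_rules are hypothetical helper names.
IPFW=${IPFW:-ipfw}        # overridable, so the logic can be tried against a stub
TIMEOUT=${TIMEOUT:-15}    # seconds; the timeout named in the PR

# Save the static ruleset as "add ..." lines that ipfw can read back from a file.
# Rule 65535 is the built-in default rule and cannot be re-added, so drop it.
save_rules() {
    "$IPFW" list | sed -e '/^65535 /d' -e 's/^/add /' > "$1"
}

# Restore static rules only; pipes and dynamic rules are not covered.
restore_rules() {
    "$IPFW" -q -f flush && "$IPFW" -q "$1"
}

# $1 = absolute path of a file with the new ipfw commands, one per line.
# Returns 0 if the change was confirmed and kept, 1 if it was rolled back.
guarded_apply() {
    backup=$(mktemp /tmp/ipfw-backup.XXXXXX) || return 2
    save_rules "$backup" || return 2

    # Arm the rollback before touching the rules. It ignores SIGHUP, so a
    # dropped session or a killed parent shell still ends in a restore.
    ( trap '' HUP; sleep "$TIMEOUT"; restore_rules "$backup" ) &
    watchdog=$!

    "$IPFW" -q "$1"
    printf 'Still connected? Type "yes" within %s seconds: ' "$TIMEOUT"
    read -r answer

    # Confirmation counts only if the watchdog is still pending.
    if [ "$answer" = yes ] && kill "$watchdog" 2>/dev/null; then
        rm -f "$backup"
        return 0
    fi
    wait "$watchdog"    # let the restore finish before reporting
    return 1
}

if [ $# -gt 0 ]; then guarded_apply "$1"; fi
```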