From owner-freebsd-ipfw@FreeBSD.ORG Wed Sep 28 11:04:08 2005
Date: Wed, 28 Sep 2005 13:04:05 +0200 (CEST)
Message-Id: <200509281104.j8SB45Bi044217@lurza.secnetix.de>
From: Oliver Fromme
To: freebsd-ipfw@FreeBSD.ORG
In-Reply-To: <7247A1D7-DCB4-493D-B28A-8E98A21C3983@bnc.net>
Subject: Re: Enable ipfw without rebooting

Achim Patzner wrote:
 > > > Try loading the IPFW KLD ("kldload ipfw").
 >
 > And remember - doing a "shutdown -r +10" before trying might be a
 > good idea - last time I did this I found out the hard way that the
 > kernel module was built with a default action of "deny all from any
 > to any".

No.  Performing a reboot is a rather bad idea.
A much better way would be a small "at" job that inserts an
appropriate "allow" rule:

   # echo "/sbin/ipfw add 1 allow ip from any to any" | at + 5 minutes
   # kldload ipfw

The same procedure is also useful when activating untested changes
to the IPFW rule sets.  If everything went well and you didn't get
disconnected, use atrm(1) to remove the "at" job.

Best regards
   Oliver

--
Oliver Fromme, secnetix GmbH & Co. KG, Marktplatz 29, 85567 Grafing
Services focused on FreeBSD: http://www.secnetix.de/bsd
Any opinions expressed in this message may be personal to the author
and may not necessarily reflect the opinions of secnetix in any way.

One Unix to rule them all, One Resolver to find them,
One IP to bring them all and in the zone to bind them.
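The at(1) safety net from the mail above, generalised into a reusable pair of shell functions, as an added example that is neither part of Oliver's mail nor of FreeBSD's own tooling. It swaps at(1) for a background subshell so it runs on any POSIX system; the delays, the log location and the harmless demo commands are assumptions. The property that matters is the same one the mail relies on: the rescue job has to outlive the login session it was started from, and you cancel it only after confirming you are still connected.

```shell
#!/bin/sh
# Added example, not part of the original mail: a portable dead-man's switch
# that generalises the at(1) trick above. A rescue command (for the mail's
# case: "/sbin/ipfw add 1 allow ip from any to any") runs after a delay
# unless it is disarmed in time. The job ignores SIGHUP and has no tty, so it
# survives the very event it exists for (your SSH session being cut off).
# Delays, the log location and the harmless demo commands are assumptions.

FALLBACK_PID=""
FALLBACK_LOG="${FALLBACK_LOG:-${TMPDIR:-/tmp}/fallback.log}"

# arm_fallback DELAY CMD [ARG...]
# Schedule CMD to run after DELAY seconds (the "at" step). Sets FALLBACK_PID.
arm_fallback() {
    delay=$1; shift
    (
        trap '' HUP              # keep running when the login session drops
        sleep "$delay"
        "$@"                     # the rescue command, e.g. re-opening the firewall
    ) </dev/null >>"$FALLBACK_LOG" 2>&1 &
    FALLBACK_PID=$!
}

# disarm_fallback
# Cancel the pending rescue job once you have confirmed you are still
# connected (the "atrm" step). Returns 1 if it had already fired.
disarm_fallback() {
    [ -n "$FALLBACK_PID" ] || return 1
    if kill "$FALLBACK_PID" 2>/dev/null; then
        wait "$FALLBACK_PID" 2>/dev/null || true   # reap the killed subshell
        FALLBACK_PID=""
        return 0
    fi
    FALLBACK_PID=""
    return 1
}

# Real-world use (not run here):
#   arm_fallback 300 /sbin/ipfw add 1 allow ip from any to any
#   kldload ipfw            # the risky step
#   # ... still connected?  then:
#   disarm_fallback

# demo CONFIRM
# Exercise the workflow with a harmless rescue command: touching a marker
# file stands in for "rule 1 allow was inserted". CONFIRM=yes models an
# admin who is still connected and disarms the job; anything else models a
# lost connection. Returns 0 if the rescue command ran, 1 if it did not.
demo() {
    marker="${TMPDIR:-/tmp}/fallback-demo.$$.$1"
    rm -f "$marker"
    arm_fallback 1 touch "$marker"     # rescue fires after 1 second
    :                                  # the risky step would go here
    if [ "$1" = yes ]; then
        disarm_fallback
    fi
    sleep 2                            # give the job time to fire (or not)
    if [ -e "$marker" ]; then
        rm -f "$marker"
        return 0
    fi
    return 1
}
```

The two details that make the background job equivalent to an at(1) job are `trap '' HUP` and redirecting all three descriptors away from the terminal: without them the job dies with the session, which is exactly the moment you need it. Everything between `arm_fallback` and `disarm_fallback` is the risky change; if the connection survives, disarm; if not, the rescue command restores access and you clean up the rule afterwards.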