From owner-freebsd-security@FreeBSD.ORG Mon Jun 23 18:21:13 2003
Date: Tue, 24 Jun 2003 13:21:07 +1200 (NZST)
From: Andrew McNaughton
To: Matthew George
cc: FreeBSD Security
cc: Michael Collette
Subject: Re: IPFW: combining "divert natd" with "keep-state"
In-Reply-To: <20030623184332.U13040@localhost>
Message-ID: <20030624131059.D45252@a2.scoop.co.nz>
References: <200306201219.14573.metrol@metrol.net> <20030623184332.U13040@localhost>
List-Id: Security issues [members-only posting]

On Mon, 23 Jun 2003, Matthew George wrote:

> On Fri, 20 Jun 2003, Michael Collette wrote:
>
> > BTW, is there a way to give certain IPs permission to reload
> > IPFW's rules? There's some stuff I'd like to be able to admin
> > remotely. Darn box won't let me reload rules, but it will let me
> > reboot. I've done this quite a bit in the past to force new rules to
> > load. I was rather hoping there was a more elegant solution to this.
>
> if you have 'flush' at the top of your ruleset, you can (sometimes) get
> away with an `ipfw -q`. I find screen windows (ports/misc/screen) to be
> most effective, though ... even if the connection dies, the screen will
> detach and continue processing the rules file.

    nohup sh /etc/rc.firewall CONFIG &

It leaves the nohup.out file lying around, which can be useful or annoying. nohup is otherwise a tidy approach to processes you don't want to be dependent on the terminal.

This one with the firewall script output is a longstanding issue though. I wonder if the script could detect use of a remote tty and behave better. Maybe it could direct its output to a temp file while changing rules, then cat the output file and remove it when done changing rules.

Andrew McNaughton

--
No added Sugar. Not tested on animals. If irritation occurs, discontinue use.
-------------------------------------------------------------------
Andrew McNaughton                       In Sydney
Working on a Product Recommender System
andrew@scoop.co.nz                      Mobile: +61 422 753 792
http://staff.scoop.co.nz/andrew/cv.doc
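The approach sketched in the message above, as an added example (not code from the thread or from FreeBSD): a small sh wrapper that runs the ruleset reload under nohup when the shell is an SSH session, sends the output to a temp file instead of nohup.out, and prints and removes that file when the reload finishes. If the SSH session is lost when `flush` drops its state entry, the reload still completes and the output file is left behind for inspection. `/etc/rc.firewall` and the `CONFIG` argument are taken from the post; `is_remote_session`, `run_detached` and `fw_reload` are names chosen here, and the check for a remote login assumes OpenSSH, which sets `SSH_TTY` and `SSH_CLIENT` in the login shell's environment.

```shell
#!/bin/sh
# Added example: reload an ipfw ruleset from a remote login without losing
# the reload (or its output) when the SSH session dies mid-way.
# nohup makes the reload immune to SIGHUP, and because stdout is already
# redirected to a file, nohup does not create nohup.out.
# FW_SCRIPT/FW_CONFIG default to the command quoted in the post.

FW_SCRIPT=${FW_SCRIPT:-/etc/rc.firewall}
FW_CONFIG=${FW_CONFIG:-CONFIG}

# True when this shell was started by sshd (OpenSSH exports these variables).
# A console login keeps its terminal across the flush and needs no detaching.
is_remote_session() {
    [ -n "${SSH_TTY:-}${SSH_CLIENT:-}" ]
}

# Run "$@" immune to SIGHUP with its stdout/stderr captured in a temp file.
# On completion the captured output is printed and the file removed; the
# command's exit status is returned. If the session drops before completion,
# the file stays behind under the name announced on stderr.
run_detached() {
    out=$(mktemp "${TMPDIR:-/tmp}/fwreload.XXXXXX") || return 1
    printf 'reload output is being written to %s\n' "$out" >&2
    nohup "$@" >"$out" 2>&1 </dev/null &
    pid=$!
    if wait "$pid"; then rc=0; else rc=$?; fi
    cat "$out"
    rm -f "$out"
    return "$rc"
}

# Reload the ruleset, detaching only when the terminal may not survive it.
fw_reload() {
    if is_remote_session; then
        run_detached sh "$FW_SCRIPT" "$FW_CONFIG"
    else
        sh "$FW_SCRIPT" "$FW_CONFIG"
    fi
}

# Act only when invoked as "fwreload.sh run"; sourcing the file just
# defines the functions.
if [ "${1:-}" = "run" ]; then
    fw_reload
fi
```

Save it as, say, fwreload.sh and run `sh fwreload.sh run` from the SSH session; `run_detached` works for any command, so it can wrap a different reload script by setting `FW_SCRIPT` and `FW_CONFIG` in the environment.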