Date:      Tue, 24 Jun 2003 13:21:07 +1200 (NZST)
From:      Andrew McNaughton <andrew@scoop.co.nz>
To:        Matthew George <mdg@secureworks.net>
Cc:        Michael Collette <metrol@metrol.net>
Subject:   Re: IPFW: combining "divert natd" with "keep-state"
Message-ID:  <20030624131059.D45252@a2.scoop.co.nz>
In-Reply-To: <20030623184332.U13040@localhost>
References:  <200306201219.14573.metrol@metrol.net> <20030623184332.U13040@localhost>

On Mon, 23 Jun 2003, Matthew George wrote:

> On Fri, 20 Jun 2003, Michael Collette wrote:
>
> > BTW, is there a way to give certain IPs permissions to reloading
> > IPFW's rules? There's some stuff I'd like to be able to admin
> > remotely.  Darn box won't let me reload rules, but it will let me
> > reboot.  I've done this quite a bit in the past to force new rules to
> > load.  I was rather hoping there was a more elegant solution to this.

> if you have 'flush' at the top of your ruleset, you can (sometimes) get
> away with an `ipfw -q`.  I find screen windows (ports/misc/screen) to be
> most effective, though ... even if the connection dies, the screen will
> detach and continue processing the rules file.

nohup sh /etc/rc.firewall CONFIG &

It leaves the nohup.out file lying around, which can be useful or annoying.
nohup is otherwise a tidy approach to processes you don't want to be
dependent on the terminal.

This one with the firewall script output is a longstanding issue though.
I wonder if the script could detect use of a remote tty and behave better.
Maybe it could direct its output to a temp file while changing rules, then
cat the output file and remove it when done changing rules.

Andrew McNaughton


--

No added Sugar.  Not tested on animals.  If irritation occurs,
discontinue use.

-------------------------------------------------------------------
Andrew McNaughton           In Sydney
                            Working on a Product Recommender System
andrew@scoop.co.nz
Mobile: +61 422 753 792     http://staff.scoop.co.nz/andrew/cv.doc
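The wrapper below is an added example for this thread, not code from the original mail or from FreeBSD's rc.firewall. It does what Andrew sketches: it checks whether the caller is on a remote terminal, and if so runs the rule loader with SIGHUP ignored and its output diverted to a temp file, then replays and removes that file once the rules are in place. The practitioner's concern is the one the thread describes: a ruleset that starts with flush tears down the SSH session, and if the loader then dies on the dead tty the box is left with a half-loaded ruleset. The loader command (the thread's own `sh /etc/rc.firewall CONFIG`), the SSH-variable-based remote check and the temp-file location are assumptions to adjust per host.

```shell
#!/bin/sh
# Added example (not from the original thread or FreeBSD's rc.firewall):
# reload IPFW rules from a remote session without losing the loader or
# its output when the session drops.  The loader command, the remote
# check and the temp-file location are assumptions.

# Command that (re)loads the ruleset.  The thread's own invocation is the
# default; it can be overridden from the environment (tests do this).
: "${FW_LOADER:=sh /etc/rc.firewall CONFIG}"

# is_remote_session: succeed when the caller looks like an SSH login.
# OpenSSH exports these variables into login sessions; anything else is
# treated as a local console where output can go straight to the tty.
is_remote_session() {
    [ -n "${SSH_CONNECTION:-}" ] || [ -n "${SSH_TTY:-}" ] || [ -n "${SSH_CLIENT:-}" ]
}

# run_loader: execute the loader with stdin closed and HUP ignored, so a
# session torn down by a 'flush' early in the ruleset cannot stop the
# loader half-way.  Exit status is kept in _fw_status (sh has no 'local').
run_loader() {
    trap '' HUP
    if sh -c "$FW_LOADER" </dev/null; then
        _fw_status=0
    else
        _fw_status=$?
    fi
    trap - HUP
    return "$_fw_status"
}

# reload_firewall: on a local console run the loader as-is.  In a remote
# session divert output to a temp file (writes to a vanished pty fail),
# then cat it back and delete it.  On failure the file is kept and its
# path reported so the diagnostics survive the dropped connection.
reload_firewall() {
    if ! is_remote_session; then
        run_loader
        return "$_fw_status"
    fi
    _fw_log=$(mktemp "${TMPDIR:-/tmp}/fwreload.XXXXXX") || return 1
    echo "remote session: loader output goes to $_fw_log until rules are loaded" >&2
    run_loader >"$_fw_log" 2>&1
    if [ "$_fw_status" -eq 0 ]; then
        cat "$_fw_log"
        rm -f "$_fw_log"
    else
        echo "firewall reload failed (status $_fw_status); output kept in $_fw_log" >&2
    fi
    return "$_fw_status"
}

# Usage: sh fwreload.sh reload   (or source the file and call reload_firewall)
case "${1:-}" in
    reload) reload_firewall ;;
esac
```

Run it as `nohup sh fwreload.sh reload &` from the remote shell and the two mechanisms stack: nohup keeps the process alive if the session goes, and the wrapper keeps the loader's output readable instead of scattering it into nohup.out. The SSH variables are only a heuristic for "remote"; a serial console or a local xterm is treated as local and gets the loader's output directly.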





Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20030624131059.D45252>