From owner-freebsd-stable@FreeBSD.ORG Wed Apr 20 14:49:03 2005
Date: Wed, 20 Apr 2005 07:49:06 -0700 (PDT)
From: dtalk-ml@prairienet.org
To: Aristedes Maniatis
Cc: Scott Robbins, freebsd-stable@freebsd.org
Subject: Re: Remote firewall changes, Was: Newbie Question About System Update
Message-ID: <20050420074451.A16632@atlantis.flyingjoke.org>
In-Reply-To: <52607941c4729226852cde5d42f7085e@ish.com.au>
References: <426447F8.5090209@charter.net> <200504191317.j3JDH76H001458@drjekyll.mkbuelow.net> <42655B8E.5020603@mac.com> <20050419200510.GA38661@uws1.starlofashions.com> <52607941c4729226852cde5d42f7085e@ish.com.au>

Aristedes Maniatis wrote:

>> Ok, everyone who has NEVER ever made that mistake (or locked themselves
>> out with a firewall rule, accidentally putting it into effect before
>> testing) raise their hand. :)
>
> Yes, that would be me. But someone taught me a great trick...the "at" command.
> So, just before you blow away your access with changes to ipfw, do this:
>
> echo "ipfw add 1 pass all from any to any" | at now +10 minutes
>
> Then if all goes OK, use atq to remove the queue item. If not, wait 10
> minutes...

Why not just include an allow rule for a handful of management addresses in set 31? That's been pretty close to idiot-proof for me, and has definitely saved my bacon.

-- 
David Talkington
dtalk-ml@prairienet.org
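A scripted version of both safeguards discussed in this thread, the at(1) rollback and the pinned set 31 management rule, added here as an example rather than anything posted by the participants. It assumes FreeBSD's ipfw(8) and at(1), uses constructed placeholder management addresses, and defaults to a dry run that only prints the commands it would run.

```shell
#!/bin/sh
# Added example, not code from the thread. Assumes FreeBSD ipfw(8) and at(1);
# the management addresses are constructed placeholders (RFC 5737 space).
MGMT_HOSTS="${MGMT_HOSTS:-203.0.113.10 198.51.100.0/24}"
MGMT_SET=31              # set 31 survives "ipfw flush"; only "ipfw delete set 31" clears it
GRACE_MIN="${GRACE_MIN:-10}"
DRY_RUN="${DRY_RUN:-1}"  # 1 = print commands instead of running them, so this runs anywhere

# The set 31 trick: pin management access in set 31, numbered low so it matches
# before the working rules and is not lost when the other sets are flushed.
mgmt_rules() {
  n=10
  for h in $MGMT_HOSTS; do
    echo "ipfw add $n set $MGMT_SET allow ip from $h to me"
    n=$((n + 1))
  done
}

# The at(1) safety net: queue an open-everything rule *before* touching the
# ruleset; prints the at job number so the job can be cancelled afterwards.
rollback_job() {
  if [ "$DRY_RUN" = 1 ]; then
    echo "echo '/sbin/ipfw add 1 allow ip from any to any' | at now + $GRACE_MIN minutes" >&2
    echo 0          # stand-in job number for the dry run
    return
  fi
  # at(1) announces the job as "job N at <date>" (or "Job N will ...") on stderr; keep N
  echo "/sbin/ipfw add 1 allow ip from any to any" | at now + "$GRACE_MIN" minutes 2>&1 \
    | sed -n 's/^[Jj]ob \([0-9][0-9]*\) .*/\1/p' | head -n 1
}

# Order matters: rollback queued, management rules pinned, real change applied,
# rollback cancelled only after the operator confirms the session survived.
safe_apply() {
  ruleset=$1                      # path to the new ipfw script, e.g. /etc/ipfw.rules
  job=$(rollback_job)
  mgmt_rules | while IFS= read -r cmd; do
    if [ "$DRY_RUN" = 1 ]; then echo "$cmd"; else $cmd; fi
  done
  if [ "$DRY_RUN" = 1 ]; then echo "sh $ruleset"; else sh "$ruleset"; fi
  printf 'Still reachable? Type yes within %s min to keep the new rules: ' "$GRACE_MIN" >&2
  read -r ok
  if [ "$ok" = yes ]; then
    if [ "$DRY_RUN" = 1 ]; then echo "atrm $job"; else atrm "$job"; fi
  fi
}

# Usage: DRY_RUN=0 sh safe-ipfw.sh /etc/ipfw.rules   (default DRY_RUN=1 only prints the plan)
if [ $# -gt 0 ]; then safe_apply "$1"; fi
```

Note that the rollback is removed with atrm, not atq (atq only lists the queue), and that the ipfw path is given in full because at(1) runs the job with a minimal environment.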