Date:      Wed, 20 Apr 2005 07:49:06 -0700 (PDT)
From:      dtalk-ml@prairienet.org
To:        Aristedes Maniatis <ari@ish.com.au>
Cc:        freebsd-stable@freebsd.org
Subject:   Re: Remote firewall changes, Was: Newbie Question About System Update
Message-ID:  <20050420074451.A16632@atlantis.flyingjoke.org>
In-Reply-To: <52607941c4729226852cde5d42f7085e@ish.com.au>
References:  <426447F8.5090209@charter.net> <200504191317.j3JDH76H001458@drjekyll.mkbuelow.net> <42655B8E.5020603@mac.com> <20050419200510.GA38661@uws1.starlofashions.com> <52607941c4729226852cde5d42f7085e@ish.com.au>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Aristedes Maniatis wrote:

>> Ok, everyone who has NEVER ever made that mistake (or locked themself
>> out with a firewall rule, accidentally putting it into effect before
>> testing) raise their hand.  :)
>
> Yes, that would be me. But someone taught me a great trick...the "at" command. 
> So, just before you blow away your access with changes to ipfw, do this:
>
> echo "ipfw add 1 pass all from any to any" | at now +10 minutes
>
> Then if all goes OK, use atq to remove the queue item. If not, wait 10 
> minutes...

Why not just include an allow rule for a handful of management addresses 
in set 31?  That's been pretty close to idiot-proof for me, and has 
definitely saved my bacon.

- --
David Talkington
dtalk-ml@prairienet.org
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.6 (FreeBSD)

iD8DBQFCZmvp5FKhdwBLj4sRAlK4AKCUR/lg/VtZnMcIsRnaZ2pnEjffYwCghklp
SYold53kPf7w8w/cGWsVsV0=
=VHss
-----END PGP SIGNATURE-----
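
The two safeguards discussed in this thread (a timed `at` rollback and management allow rules in set 31) combined in one dry-run script. This is an added example, not code from either poster; the management addresses (documentation ranges), rule number 10, the restriction to SSH on port 22 and the helper names are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread). Prints the commands unless APPLY=1.
# Constructed values: documentation addresses, rule number 10, SSH port 22.
MGMT_ADDRS="192.0.2.10 198.51.100.0/24"

# valid_addr ADDR: succeed only for a dotted-quad IPv4 address or CIDR block.
valid_addr() {
    addr=${1%/*}
    if [ "$addr" != "$1" ]; then
        len=${1#*/}
        case $len in ''|*[!0-9]*) return 1 ;; esac
        [ "${#len}" -le 2 ] && [ "$len" -le 32 ] || return 1
    fi
    case $addr in *[!0-9.]*|.*|*.|*..*) return 1 ;; esac
    oldifs=$IFS; IFS=.; set -- $addr; IFS=$oldifs
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        [ "${#o}" -le 3 ] && [ "$o" -le 255 ] || return 1
    done
    return 0
}

# mgmt_rules START ADDR...: emit stateless allow rules in set 31, which
# "ipfw flush" leaves in place and which cannot be disabled.
mgmt_rules() {
    n=$1; shift
    for a in "$@"; do
        valid_addr "$a" || { echo "rejected address: $a" >&2; return 1; }
        echo "ipfw add $n set 31 allow tcp from $a to me 22"
        echo "ipfw add $n set 31 allow tcp from me 22 to $a"
        n=$((n + 1))
    done
}

# rollback_cmd MINUTES: the thread's "at" safety net as one command line.
rollback_cmd() { echo "echo 'ipfw add 1 pass all from any to any' | at now +$1 minutes"; }

# run: print each command read from stdin; execute it only when APPLY=1.
run() {
    while IFS= read -r cmd; do
        echo "+ $cmd"
        [ "${APPLY:-0}" = 1 ] && eval "$cmd"
    done
    return 0
}

# Schedule the rollback first, then install the management rules.
rules=$(mgmt_rules 10 $MGMT_ADDRS) || exit 1
{ rollback_cmd 10; echo "$rules"; } | run
```

Once access is confirmed after the ruleset change, `atq` lists the pending rollback job and `atrm` with its job number cancels it.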


