From: Lowell Gilbert
To: Martin McCormick
Cc: freebsd-questions@freebsd.org
Date: Wed, 31 Mar 2010 11:30:10 -0400
Subject: Re: FreeBSD8.0 Firewall Script behaves much differently than 6.x

Martin McCormick writes:

> Is there a proper way to reset firewall rules in
> FreeBSD8.0? I just discovered that if one is remotely logged
> in and makes a change in the firewall rules, it is a disaster to
> do something like
>
> sh /etc/[firewall_rules_script]
>
> One could do that in FreeBSD6.x. When the rules flushed,
> you lost your connection, but the script continued to execute
> and the new rules were in effect immediately. Trying this same
> reload in FreeBSD8.0, I knew something was horribly wrong when
> everything just locked up. I logged on to a local console and ran
>
> ipfw list
>
> It had stopped right after the flush.
>
> Doing the same command from a local or even a serial
> console works fine and the new rules are installed.
>
> Thanks and maybe I have been using the wrong technique
> for reloading firewall rules all along.

This situation has always existed. See the note for "-q" in the
ipfw(8) manual and note the firewall_quiet variable in the default
rc.firewall script.

The most widely recommended approach is to run the script in a
screen(1) (or similar) session. Even just redirecting the output is
enough to let the script run through while still keeping any potential
error information.

-- 
Lowell Gilbert, embedded/networking software engineer, Boston area
http://be-well.ilk.org/~lowell/
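The output-redirection approach from the reply above, as an added example that is not part of the original message: the rules script runs detached from the login terminal with its output and exit status kept in a log. The helper names `reload_rules` and `reload_status` and the log path are assumptions.

```shell
#!/bin/sh
# Added example. reload_rules and reload_status are hypothetical helpers,
# not part of FreeBSD or of the original message.

# reload_rules SCRIPT LOG
# Runs SCRIPT under sh with no file descriptor attached to the login
# terminal. A verbose "ipfw flush" prints a message; once the rules are
# gone that message cannot reach a remote session, and a script writing
# to that session stops there. Writing to LOG avoids the stall and keeps
# any error text for later inspection.
reload_rules() {
    script=$1
    log=$2
    [ -r "$script" ] || { echo "cannot read $script" >&2; return 2; }
    # stdin from /dev/null, stdout and stderr to the log; nohup ignores
    # the SIGHUP sent if the remote session is torn down mid-run.
    nohup sh -c '
        echo "reload started: $(date)"
        sh "$1"
        echo "exit status: $?"
    ' reload "$script" </dev/null >"$log" 2>&1 &
    echo $!    # PID of the detached run
}

# reload_status LOG
# Prints the exit status recorded by reload_rules; fails while the run
# has not finished (or never completed).
reload_status() {
    [ -f "$1" ] || return 1
    sed -n 's/^exit status: //p' "$1" | grep .
}

# Usage (log path is an assumption):
#   reload_rules /etc/[firewall_rules_script] /var/log/ipfw-reload.log
#   reload_status /var/log/ipfw-reload.log
```

After reconnecting, a missing "exit status" line in the log means the script never ran to completion, which is the condition the original poster found with `ipfw list` on the console.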