From: Daniel Bye
To: freebsd-questions@freebsd.org
Date: Wed, 31 Mar 2010 17:55:31 +0100
Subject: Re: FreeBSD8.0 Firewall Script behaves much differently than 6.x
Message-ID: <20100331165531.GG9957@catflap.slightlystrange.org>
In-Reply-To: <201003311443.o2VEhrfs060752@dc.cis.okstate.edu>

On Wed, Mar 31, 2010 at 09:43:53AM -0500, Martin McCormick wrote:
> I have just answered part of my own question. If you
> background the process as in
>
> sh /etc/rules.fw &
>
> it works. You still get knocked off the remote connection but
> the backgrounded process continues to run without a controlling
> terminal and completes.
>
> The only remaining part of the question is:
>
> If one modifies the firewall rules and wants to make sure they
> are good, is there a more correct way to safely reload them from
> the script?

One possible approach might be to make a copy of your rules, edit that and
then do something like this in one session:

  # sleep 300 && sh /etc/rules.fw &

And load the new rules from the new file in another:

  # sh /etc/rules.fw.new &

Now, if you lock yourself out, you wait 5 minutes before the last,
presumably good, ruleset, gets reloaded and normality is restored. If you
don't get locked out, simply kill the sleep process (which is why it's
important to use && instead of ; between your commands), and move the new
ruleset to the original file name.

Dan

-- 
Daniel Bye
                                                                     _
                                              ASCII ribbon campaign ( )
                                         - against HTML, vCards and  X
                                - proprietary attachments in e-mail / \
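
The rollback-timer procedure from the reply above, wrapped into one script; this is an added example, not part of the original message or of FreeBSD. The function and variable names, the pidfile path and the overridable LOADER are assumptions made here; the file names and the 300-second delay are the ones used in the message.

```sh
#!/bin/sh
# Added example: rollback timer around a firewall rules reload.
# Assumed, not from the message: all function/variable names, the pidfile
# path, and LOADER being overridable so the logic can be tried with stub files.
RULES=${RULES:-/etc/rules.fw}               # last known-good rules script
NEW_RULES=${NEW_RULES:-/etc/rules.fw.new}   # edited copy under test
TIMEOUT=${TIMEOUT:-300}                     # seconds before automatic rollback
LOADER=${LOADER:-sh}                        # interpreter that runs a rules script
PIDFILE=${PIDFILE:-/var/run/fw-rollback.pid}

arm_rollback() {
    # nohup + '&' keep the timer alive when the remote session is cut off.
    # '&&' means a killed wrapper never goes on to reload the old rules.
    nohup sh -c 'sleep "$1" && "$2" "$3"' rollback \
        "$TIMEOUT" "$LOADER" "$RULES" >/dev/null 2>&1 &
    echo $! > "$PIDFILE"
}

safe_reload() {
    # Parse check only: catches shell syntax errors, not bad firewall rules.
    sh -n "$NEW_RULES" || return 1
    arm_rollback
    # Backgrounded for the reason given in the quoted question: the load
    # must finish even if it drops the session that started it.
    nohup "$LOADER" "$NEW_RULES" >/dev/null 2>&1 &
    LOAD_PID=$!
}

commit_rules() {
    # If the timer cannot be killed it has already fired (or was never armed):
    # the old rules are live again, so do not promote the new file.
    if ! kill "$(cat "$PIDFILE" 2>/dev/null)" 2>/dev/null; then
        echo "no rollback timer running; not committing" >&2
        return 1
    fi
    rm -f "$PIDFILE"
    cp -p "$RULES" "$RULES.bak" && mv "$NEW_RULES" "$RULES"
}

case "${1:-}" in
    try)    safe_reload ;;
    commit) commit_rules ;;
esac
```

Run it with `try`, open a fresh connection to confirm you can still get in, then run it with `commit`; if you cannot get back in, the old rules return after TIMEOUT seconds.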