From owner-freebsd-security@FreeBSD.ORG Fri Apr 29 12:17:50 2005
Delivered-To: freebsd-security@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id A0CBA16A4CE for ; Fri, 29 Apr 2005 12:17:50 +0000 (GMT)
Received: from secnap2.secnap.com (secnap2.secnap.net [204.89.241.128]) by mx1.FreeBSD.org (Postfix) with ESMTP id EB99843D2F for ; Fri, 29 Apr 2005 12:17:49 +0000 (GMT) (envelope-from scheidell@secnap.net)
Date: Fri, 29 Apr 2005 08:17:48 -0400
Thread-Topic: IPFW disconnections and resets
Thread-Index: AcVMoKVL+fqz71hCTAajEx7YdA/DUQAFE45w
From: "Michael Scheidell"
To: "Neo-Vortex", "Siddhartha Jain"
X-Mailman-Approved-At: Fri, 29 Apr 2005 13:31:58 +0000
cc: freebsd-security@freebsd.org
Subject: RE: IPFW disconnections and resets
X-BeenThere: freebsd-security@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
List-Id: Security issues [members-only posting]
X-List-Received-Date: Fri, 29 Apr 2005 12:17:50 -0000

>
> I use that all the time, maybe 1 out of 100 times it will kill
> an ssh session (only one that has irssi open, because of the time
> updating it kills it, I have it set to update every second
> though, so normally it'd be like 1 out of 500 or so) and even
> if it does, it still finishes loading the ruleset anyway so
> you can just ssh straight back in

I used

    sysctl net.inet.ip.fw.enable=0 && firewall.sh && sysctl net.inet.ip.fw.enable=1 && sleep 60 && reboot

and I would hit ^C to stop the sleep and reboot if I didn't whack the firewall rules. The reboot would put it back to the rc.conf firewall.

Never got disconnected.
Only window of vulnerability was while loading new firewall rules. Yours is safer.
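The one-liner above is a dead-man switch: apply the new rules, then let a timer undo the change unless the operator, still connected, cancels it. The script below is an added example (not from the original post or from FreeBSD) that wraps the same idea in two helper functions with hypothetical names, guarded_reload and confirm_reload. The apply and rollback commands are passed in as strings, so on a FreeBSD box the call that mirrors the post would be guarded_reload 'sh /etc/rc.firewall' 'reboot' 60 /var/run/fwreload.pid (paths and timeout are assumptions), while a gentler rollback could restore a saved ruleset instead of rebooting. The watchdog runs in a background subshell, so it survives the operator's ssh session being cut off by the new rules, and confirm_reload can be run from a fresh session.

```shell
#!/bin/sh
# Added example, not the original poster's script. Dead-man switch around a
# remote firewall reload: apply the new rules, start a watchdog that rolls
# back after TIMEOUT seconds, and cancel the watchdog only once a working
# session confirms the box is still reachable.
#
# guarded_reload APPLY ROLLBACK TIMEOUT STATEFILE
#   APPLY and ROLLBACK are shell command strings (hypothetical, chosen by the
#   caller). STATEFILE records the watchdog PID for confirm_reload.
#   Returns 0 if APPLY succeeded and the watchdog is armed, 1 otherwise.
guarded_reload() {
    apply_cmd=$1; rollback_cmd=$2; timeout=$3; statefile=$4
    cancel="$statefile.confirmed"
    rm -f "$cancel"

    if ! sh -c "$apply_cmd"; then
        # The new ruleset failed to load: roll back at once, no timer needed.
        sh -c "$rollback_cmd"
        return 1
    fi

    # Watchdog in a background subshell: it keeps running even if the session
    # that started it is dropped by the new rules. After the timeout it rolls
    # back unless a confirmation marker has appeared in the meantime.
    (
        sleep "$timeout"
        if [ -e "$cancel" ]; then
            rm -f "$cancel"
            exit 0
        fi
        sh -c "$rollback_cmd"
    ) &
    echo $! > "$statefile"
    return 0
}

# confirm_reload STATEFILE
#   Call from a session that still works after the reload. Returns 0 if the
#   pending rollback was cancelled, 1 if the watchdog had already fired.
confirm_reload() {
    statefile=$1
    pid=$(cat "$statefile" 2>/dev/null) || return 1
    if kill -0 "$pid" 2>/dev/null; then
        # Marker first (covers the window after sleep returns), then stop the
        # sleeper so nothing lingers. A leftover marker is cleared by the
        # next guarded_reload.
        touch "$statefile.confirmed"
        kill "$pid" 2>/dev/null
        rm -f "$statefile"
        return 0
    fi
    rm -f "$statefile"
    return 1
}
```

In real use the rollback should be something that cannot itself lock you out, which is why the post's choice of reboot (falling back to the rc.conf firewall) is a reasonable default; a saved copy of the previous ruleset is a quicker alternative when the box is far away.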