Date: Thu, 29 Sep 2005 19:25:54 +0200
From: Achim Patzner <ap@bnc.net>
To: freebsd-ipfw@FreeBSD.ORG
Subject: Re: Enable ipfw without rebooting
Message-ID: <D8CBE5ED-B3A9-4B20-9C4F-A76A03668664@bnc.net>
In-Reply-To: <200509281224.j8SCOJUv047047@lurza.secnetix.de>
References: <200509281224.j8SCOJUv047047@lurza.secnetix.de>

>>> No. Performing a reboot is a rather bad idea.
>>
>> Actually _loading kernel modules you haven't been using before_
>
> Lots of people have been using it before.

*You* actually means: You have to have done it yourself, on the machine
you want to use it before anyone is putting it to serious tasks. Been
there, watched it being done, got a cellar full of t-shirts...

> (Personally I prefer to compile it statically in the kernel, though.)

Agreed 8-).

> Apropos ideas: Not having remote console access to a
> machine which is located at 800 km distance is (not only
> in my opinion) a stupid idea. ;-)

That was not my attempt at being funny ("Oh - yes, I needed that
connection on the KVM switch. Didn't I tell you?").

>>> A much better way would be a small "at" job that inserts
>>> an appropriate "allow" rule:
>>>
>>
>> Where's the advantage?
>
> A solution that doesn't require a reboot is always better,
> especially on production machines.

I prefer doing the reboot thing from time to time, having had quite a
history of customers neither testing nor documenting changes in system
configuration... It's reducing the number of surprises per boot
considerably.

> This isn't Windows, after all.

Windows' "firewall" couldn't keep me outside either... The problem
isn't FreeBSD, it's the idiots in front of it fumbling around with the
pitchfork.

> For changing (and testing) rules, there's an even more
> elegant (and non-disruptive) solution, see:
> /usr/share/examples/ipfw/change_rules.sh

As I said: It's not about changing the rules, it's about loading kernel
modules that could aid you in serious in-the-knee-shooting.

> and you must change them very often.

"If people were permitted to change their underwear only after changing
their password you could even smell the idiots from afar."

Achim