Date: Wed, 28 Sep 2005 13:35:50 +0200
From: Achim Patzner <ap@bnc.net>
To: freebsd-ipfw@FreeBSD.ORG
Subject: Re: Enable ipfw without rebooting
Message-ID: <8CEFEBE0-CC91-4FA6-8453-DF42AA9445A5@bnc.net>
In-Reply-To: <200509281104.j8SB45Bi044217@lurza.secnetix.de>
References: <200509281104.j8SB45Bi044217@lurza.secnetix.de>

On 28.09.2005 at 13:04, Oliver Fromme wrote:

>>> Try loading the IPFW KLD ("kldload ipfw").
>>
>> And remember - doing a "shutdown -r +10" before trying might be a
>> good idea - last time I did this I found out the hard way that the
>> kernel module was built with a default action of "deny all from any
>> to any".
>
> No. Performing a reboot is a rather bad idea.

Actually _loading kernel modules you haven't been using before_
without scheduling a reboot (which can be cancelled just as easily
as removing an at job) is (not only in my opinion) a stupid idea.

> A much better way would be a small "at" job that inserts
> an appropriate "allow" rule:

Where's the advantage? A reboot (on a well-maintained) machine should
get me back to the state it was before I started tinkering with kernel
modules. And shutdown is astonishingly resilient - if the kernel didn't
find a way to merrily spin around a lock in a place the sun doesn't
reach it usually works.

The same applies to other devices (e.g. Cisco routers), too.

I'm a Barbarian - why should I argue with ipfw if a battle axe would
get the same result more comfortably?

Achim