Enable ipfw without rebooting

[Achim Patzner]

>>> No.  Performing a reboot is a rather bad idea.
>>
>> Actually _loading kernel modules you haven't been using before_
>
> Lots of people have been using it before.

*You* actually means: You have to have don it yourself, on the  
machine you want to use it before anyone is putting it to serious  
tasks. Been there, watched it being done, got a cellar full of t- 
shirts...

> (Personally I prefer to compile it statically in the kernel, though.)

Agreed 8-).

> Apropos ideas:  Not having remote console access to a
> machine which is located at 800 km distance is (not only
> in my opinion) a stupid idea.  ;-)

That was not my attempt at being funny ("Oh - yes, I needed that  
connection on the KVM switch. Didn't I tell you?").

>>> A much better way would be a small "at" job that inserts
>>> an appropriate "allow" rule:
>>>
>>
>> Where's the advantage?
>
> A solution that doesn't require a reboot is always better,
> especially on production machines.

I prefer doing the reboot thing from time to time, having had quite a  
history of customers neither testing nor documenting changes in  
system configuration... It's reducing the number of surprises per  
boot considerably.

> This isn't Windows, after all.

Windows' "firewall" couldn't keep me outside either... The problem  
isn't FreeBSD, it's the idiots in front of it fumbling around with  
the pitchfork.

> For changing (and testing) rules, there's an even more
> elegant (and non-[qddisruptive) solution, see:
> /usr/share/examples/ipfw/change_rules.sh

As I said: It's not about changing the rules, it's about loading  
kernel modules that could aid you in serious in-the-knee-shooting.

> and you must change them very often.

"If people were permitted to change their underwear only after  
changing their password you could even smell the idiots from afar."


Achim