Enable ipfw without rebooting
Oliver Fromme
olli at lurza.secnetix.de
Fri Sep 30 06:58:42 PDT 2005
Achim Patzner <ap at bnc.net> wrote:
>
> > > > No. Performing a reboot is a rather bad idea.
> > >
> > > Actually _loading kernel modules you haven't been using before_
> >
> > Lots of people have been using it before.
>
> *You* actually means: You have to have don it yourself, on the
> machine you want to use it before anyone is putting it to serious
> tasks. Been there, watched it being done, got a cellar full of t-
> shirts...
It's not completely clear to me what _you_ mean.
Anyway, there are three cases for "kldload ipfw":
1. It just works. Then you can just remove the at(1) job
or kill the shutdown(8) process. The former is usually
less risky, because it's not a tragedy if you don't
do it in time. (Apart form that, at(1) job numbers are
usually much smaller than PIDs, thus easier to type and
less error-prone.)
2. The kernel module loads fine, but you lock yourself out
because of the default deny rule. The proposed at(1)
job will help you in that case. Of course, a reboot
helps, too, but -- it's a reboot. No sane person wants
a reboot when there's a much less destructive way to
solve a problem.
3. The machine crashes (panic, freeze, whatever). Neither
an at(1) job nor a shutdown(8) will help in this case.
Depending on the kernel configuration, the machine will
reboot automatically in either case when a panic occurs.
And by the way: at(1) jobs survive reboots. So if you
happen to have broken rules in you ipfw.conf which are
loaded upon a reboot, the at(1) job will still save
your ass. Shutdown(8) will not.
> > For changing (and testing) rules, there's an even more
> > elegant (and non-disruptive) solution, see:
> > /usr/share/examples/ipfw/change_rules.sh
>
> As I said: It's not about changing the rules, it's about loading
> kernel modules that could aid you in serious in-the-knee-shooting.
It's exactly the same thing. When changing the rules, the
same three cases can happen which I enumerated above: It
works, or it locks you out because of the rules, or the
machine crashes. (Although -- hopefully -- the crash case
should be rather unlikely.)
Best regards
Oliver
--
Oliver Fromme, secnetix GmbH & Co. KG, Marktplatz 29, 85567 Grafing
Dienstleistungen mit Schwerpunkt FreeBSD: http://www.secnetix.de/bsd
Any opinions expressed in this message may be personal to the author
and may not necessarily reflect the opinions of secnetix in any way.
"Python tricks" is a tough one, cuz the language is so clean. E.g.,
C makes an art of confusing pointers with arrays and strings, which
leads to lotsa neat pointer tricks; APL mistakes everything for an
array, leading to neat one-liners; and Perl confuses everything
period, making each line a joyous adventure <wink>.
-- Tim Peters
More information about the freebsd-ipfw
mailing list