IPFW: combining "divert natd" with "keep-state"
Andrew McNaughton
andrew at scoop.co.nz
Mon Jun 23 18:21:14 PDT 2003
On Mon, 23 Jun 2003, Matthew George wrote:
> On Fri, 20 Jun 2003, Michael Collette wrote:
>
> > BTW, is there a way to give certain IPs permissions to reloading
> > IPFW's rules? There's some stuff I'd like to be able to admin
> > remotely. Darn box won't let me reload rules, but it will let me
> > reboot. I've done this quite a bit in the past to force new rules to
> > load. I was rather hoping there was a more elegant solution to this.
> if you have 'flush' at the top of your ruleset, you can (sometimes) get
> away with an `ipfw -q`. I find screen windows (ports/misc/screen) to be
> most effective, though ... even if the connection dies, the screen will
> detach and continue processing the rules file.
nohup sh /etc/rc.firewall CONFIG &
It leaves the nohup.out file lying around, which can be useful or annoying.
nohup is otherwise a tidy approach to processes you don't want to be
dependent on the terminal.
This one with the firewall script output is a longstanding issue though.
I wonder if the script could detect use of a remote tty and behave better.
Maybe it could direct its output to a temp file while changing rules, then
cat the output file and remove it when done changing rules.
Andrew McNaughton
--
No added Sugar. Not tested on animals. If irritation occurs,
discontinue use.
-------------------------------------------------------------------
Andrew McNaughton In Sydney
Working on a Product Recommender System
andrew at scoop.co.nz
Mobile: +61 422 753 792 http://staff.scoop.co.nz/andrew/cv.doc
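A wrapper in the spirit of the message above, added here as an example and not code from the thread or from FreeBSD: it holds the ruleset script's output in a temp file while the rules change, prints and removes the file afterwards, and detaches from the tty on a remote session so a dropped connection does not abort the reload. RULES_SCRIPT, CONFIG and the SSH-based remote check are assumptions about the host.

```shell
#!/bin/sh
# Added example, not code from the thread. RULES_SCRIPT and CONFIG are
# assumptions: the FreeBSD default rc.firewall path and the firewall_type
# argument used in the message.
RULES_SCRIPT="${RULES_SCRIPT:-/etc/rc.firewall}"
CONFIG="${CONFIG:-CONFIG}"

# 0 when the caller appears to be logged in over SSH, 1 otherwise
# (assumed heuristic: the SSH_CONNECTION / SSH_TTY variables sshd sets).
is_remote_session() {
    [ -n "$SSH_CONNECTION" ] || [ -n "$SSH_TTY" ]
}

# Run a command with stdout and stderr captured in a temp file; print the
# captured output once it finishes and remove the file. Returns the
# command's own exit status. The template works with BSD and GNU mktemp.
run_buffered() {
    tmp=$(mktemp "${TMPDIR:-/tmp}/ipfw-reload.XXXXXX") || return 1
    "$@" >"$tmp" 2>&1
    rc=$?
    cat "$tmp"
    rm -f "$tmp"
    return $rc
}

# Reload the ruleset. On a remote session, run it in a subshell that ignores
# SIGHUP (the effect nohup gives, without the stray nohup.out) so the reload
# finishes even if the flush drops our own connection part-way through.
reload_rules() {
    if is_remote_session; then
        ( trap '' HUP; run_buffered sh "$RULES_SCRIPT" "$CONFIG" ) &
        wait $!
    else
        run_buffered sh "$RULES_SCRIPT" "$CONFIG"
    fi
}

# Usage (as root on the firewall host):  . ./ipfw-reload.sh && reload_rules
```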