Very Computer

    I'm using ssh to connect from my box (being in the intranet) to the box
that we are using as a router (natd) for our network. I changed the firewall
rules on the box acting as a router and I tried to reload the new ones by
giving on the command prompt of my ssh:  ipfw -f flush && sh
/etc/rc.firewall   &
        The problem is that I get disconnected and even if I try to connect
again, it is not possible!! I'm going upstairs (very far away..) to see what
is going on and I realize that while the rules were flushed , the second
part of my command to run /etc/rc.firewall was not executed (thus deny any
to any). I also made a file "firerestart" and I put inside:
flush -f flush
sh /etc/rc.firewall
I then tried to run in like firerestart &   but again the same. I cant
figure out why is it!!!
Note that when I run sh firerestart from the box-router's command prompt
everything is fine.

thx in advance

JN

--
Remove pig-latin to reply by e-mail

Quote:> You have to be very careful when reloading firewall rules remotely.  What
I
> do that usually works is put rules to allow my ssh connection(s) at the
top
> of my rules file, right after the flush statement.  Then I can usually run
> "ipfw -q /etc/ipfw.conf" without getting disconnected.  The -q is
important.
> Even this method is risky, though.  To be really sure that your new
ruleset
> gets loaded (and loaded completely) you should either reboot the machine
> (assuming the rules are loaded at startup) or write a script and call it
> using cron(8) or at(1).

> JN

2. The other funny thing is that I run:      ipfw -q  /etc/rc.firewall
,even and on the console's prompt (not ssh's session) , but I ve got the
message:
            ipfw: error: bad arguments
            usage: ipfw [options]
            [pipe] flush
            add [number] rule
            [pipe] delete number ...
followed by 40 more lines explaining how I m supposed to run the ipfw. Note
that I made  rc.firewall  executable (chmod). Why do you think I can't run
it the command ipfw -q  /etc/rc.firewall ??

thanx in advance

<excerpt from my rules.fw file, invoked using ipfw -q  /etc/rules.fw & >

flush

#deny specific internal network stuff (RFC1918)
add deny log all from any to 172.16.0.0:255.240.0.0 via ed0
add deny log all from any to 10.0.0.0:255.0.0.0 via ed0
#add deny log all from any to 192.168.0.0:255.255.0.0 via ed0

#Other half of pipe stuff
add pipe 1 ip from 10.0.0.3 to any out xmit ed0

<end snip>

IE instead of adding rules to the firewall using $ipfw add blah blah u just
list the raw rules.

I also load my rules using this line in rc.conf if it helps at all :

<rc.conf>
firewall_enable="YES"
firewall_type="/etc/rules.fw"
firewall_quiet="YES"
<end snip>

Hope this helps

Quote:> > You have to be very careful when reloading firewall rules remotely.
What
> I
> > do that usually works is put rules to allow my ssh connection(s) at the
> top
> > of my rules file, right after the flush statement.  Then I can usually
run
> > "ipfw -q /etc/ipfw.conf" without getting disconnected.  The -q is
> important.
> > Even this method is risky, though.  To be really sure that your new
> ruleset
> > gets loaded (and loaded completely) you should either reboot the machine
> > (assuming the rules are loaded at startup) or write a script and call it
> > using cron(8) or at(1).

> > JN

> hmm...
> 1. I mentioned at my first post that when I was  running ipfw -f flush &&
> sh /etc/rc.firewall   &
> or   ./firerestart  &        through my ssh's session, I was running it at
> the background ( Note the &). That means that even if my ssh session was
to
> die (because of the new ipfw rules), killing the shell as well, the
command
> issued should run in the back, so run eventually. That means that I could
be
> able to ssh to the box later. The problem is that the command was never
> executed!! Does anybody has an answer to this??

> 2. The other funny thing is that I run:      ipfw -q  /etc/rc.firewall
> ,even and on the console's prompt (not ssh's session) , but I ve got the
> message:
>             ipfw: error: bad arguments
>             usage: ipfw [options]
>             [pipe] flush
>             add [number] rule
>             [pipe] delete number ...
> followed by 40 more lines explaining how I m supposed to run the ipfw.
Note
> that I made  rc.firewall  executable (chmod). Why do you think I can't run
> it the command ipfw -q  /etc/rc.firewall ??

> thanx in advance

Quote:> 2. The other funny thing is that I run:      ipfw -q  /etc/rc.firewall
> ,even and on the console's prompt (not ssh's session) , but I ve got the
> message:
>             ipfw: error: bad arguments
>             usage: ipfw [options]
>             [pipe] flush
>             add [number] rule
>             [pipe] delete number ...
> followed by 40 more lines explaining how I m supposed to run the ipfw.
> Note that I made  rc.firewall  executable (chmod). Why do you think I
> can't run it the command ipfw -q  /etc/rc.firewall ??

The other file (in my case /etc/ipfw.conf) is where all the fancy stuff
occurs.  It is not a script, but rather a rules file.  From the ipfw(8)
manpage:
  "To ease configuration, rules can be put into a file which is processed
using ipfw as shown in the first synopsis line.  An absolute pathname must
be used.  The file will be read line by line and applied as arguments to the
ipfw utility".

The other way to load rules (which seems to be what you are doing) is to
create a script that calls ipfw(8) for each rule.  An advantage to this
approach is that you can use the variables and control structures allowed by
your shell.  I prefer to use a rules file because for me it's less hassle
and seems more intuitive.

JN

--
Remove pig-latin to reply by e-mail

thx guys.

Quote:>         As far as why even when I was putting my command to run into the
> background , it was not executed, it was because bash, that I' m using,
> hasn't the nohup inbuilt. When I run nohup /etc/rc.firewall & I had no
> problems (thanks John).

So you run screen, then run the command as a normal foreground command,
.. if you disconnect (either intentionally or unitentionally), just come back
at any time, and reconnect.

--
Jamie Jones, Gower, South Wales, UK.   http://www.bishopston.com/jamie/
---- 96 days to Christmas!        Word of the day: "counterdifficulty"
----- "I'm not big, and I'm not clever - and I'm definitely not funny."
------- The valid reply address on this posting expires in 7 days time.