I have my firewall set to default drop everything.
When I run sh ipfw over an ssh session, I always lose the ssh connection,
and the firewall is not updated but only erased.
The /sbin/ipfw -q -f flush is done, but not the "ipfw add..." that follows
it.
I was hoping that the script would be run at least.
I have a firewall/gateway on a computer with no monitor, and can only
SSH to it to control it.
How can I maintain the firewall remotely?
Any suggestion is highly appreciated.
Thanks
/Bengt
bt> I have my firewall set to default drop everything.
bt> When I run sh ipfw over an ssh session, I always lose the ssh connection,
bt> and the firewall is not updated but only erased.
The problem (I think) is that ipfw is trying to tell you what it is
doing as it goes along, which means ssh tries to send text to you,
hits a partially configured firewall and dies.
What you need to do is make sure you can do the whole thing in one
command, e.g. by writing a little script even if you are only doing a
couple of commands.
Then you have to make sure you don't get any output until it is all
done.
firewall$ sh -x do_firewall_stuff.sh >TRACE 2>&1
firewall$ less TRACE
--
Mail me as MYFIR...@MYLASTNAME.org.uk _O_
|<
Did not work...
I created a small script as below
#!/bin/sh
sh /etc/ipfw.rules.conf >/tmp/new_ipfw.log 2>&1
The ipfw.rules.conf is as below
/sbin/ipfw -q -f flush
fwcmd="/sbin/ipfw -q add"
${fwcmd} 100 allow all from any to any via lo0
${fwcmd} 101 deny all from any to 127.0.0.0/8
The log file (/tmp/new_ipfw.log) is empty.
The 100 rule has been set, but not 101.
I got locked out again from my SSH session, and had to re-connect the
monitor and do it manually.
Hmm...
/Bengt
"Richard Caley" <MYFIR...@MYLASTNAME.org.uk> wrote in message
news:87bs6j3...@bast.r.caley.org.uk...
bt> /sbin/ipfw -q -f flush
bt> fwcmd="/sbin/ipfw -q add"
bt> ${fwcmd} 100 allow all from any to any via lo0
bt> ${fwcmd} 101 deny all from any to 127.0.0.0/8
bt> The log file (/tmp/new_ipfw.log) is empty.
bt> The 100 rule have been set, but not 101.
Hm.
I can see why the connection is broken, you haven't allowed it, but
not why rule 101 didn't get inserted.
You could try adding an explicit rule right at the top to say that
your ssh can work
${fwcmd} 10 allow all from any to any via INTERNALINTERFACE
even if that is not what you want eventually, just to see if it
actually is the ssh being blocked which is causing the script to
abort.
Also remove the -q and run /etc/ipfw.rules.conf with sh -x (so you get
something in the log file and can see exactly at what point it stops).
Other than that I am stuck.
Just as a check, I just did
sh -x /etc/rc.firewall.local >TRACE 2>&1
on my firewall over ssh and it is happy, so it's not that it has
become impossible since last time I was doing it regularly.
One thing you could try is to put
firewall_type="open"
into /etc/rc.conf and then run
sh -x /etc/rc.firewall >TRACE 2>&1
which should put in place the standard completely open firewall. If
you can do that remotely, then at least you can be sure that it is
something about your rules, rather than anything else in how the
system is set up.
I tried with adding a rule directly to allow everything from my local
interface, but that did not help.
Hope it will stay working like this....
/Bengt
"Richard Caley" <MYFIR...@MYLASTNAME.org.uk> wrote in message
news:87znu31...@bast.r.caley.org.uk...
bt> I have done some more testing now, and it seems like I have to run it in the
bt> background, and even if I do this, then I will lose the connection. But I can
bt> at least log straight back in again.
Sounds like something (probably your shell) is producing output when a
command is started. Since the firewall script's output was all
redirected, it can't have come from there.
You don't have something which outputs the PID for foreground commands
or the time or anything? What shell (I was using bash).
bt> Hope it will stay working like this....
They should put that on a T shirt as the universal computer geek motto.
Nah. The universal computer geek motto is: "This time it will surely work!"
--
Ng Pheng Siong <ng...@netmemetic.com> * http://www.netmemetic.com
> I have my firewall set to default drop everything.
> When I run sh ipfw over an ssh session, I always lose the ssh connection,
> and the firewall is not updated but only erased.
As other people seem to have suggested a few solutions to your problem,
here is another one (which I personally use most): man at(1).
Schedule your firewall reload via at, possibly with a fallback
to the current rules after another 5 minutes or so (which you prevent
from being executed after you login with the fresh rules in place).
This way you even get the output via email ;)
Hope this helps,
Thomas
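The following script is an added example for this thread; it is not code posted by Bengt, Richard, Thomas or anyone else here. It combines Richard's advice (do the whole reload in one script, send no output to the session, and make sure the new rules actually allow the ssh session) with Thomas's at(1) fallback (snapshot the running rules, schedule their restoration a few minutes ahead, and cancel that restoration once you have logged back in). The reload itself is started with nohup and every descriptor redirected, so the SIGHUP that arrives when the ssh session drops cannot kill the script between the flush and the first add, which is what leaves the firewall "only erased". The file names under /var/run, the interface name fxp0 in the test data and the ssh check (a grep for an allow rule mentioning port 22 or "ssh") are assumptions made for the example; the check is a heuristic, not a rule parser.

```shell
#!/bin/sh
# reload_fw.sh: reload an ipfw ruleset over ssh without locking yourself out.
# Added example for this thread, not code posted by any participant.
# Assumed names (change to taste): the new ruleset is a script in the shape
# Bengt posted; the /var/run/fw.* paths and the GRACE period are made up.
#
#   sh reload_fw.sh reload /etc/ipfw.rules.conf
#   ... log back in, check that things work, then:  touch /var/run/fw.commit
#
# Strategy: 1) snapshot the running rules as a restore script, 2) refuse a
# ruleset that never allows ssh, 3) schedule the restore with at(1) a few
# minutes ahead, 4) run the reload detached from the ssh session with all
# output redirected, so losing the session cannot kill it half-way through.

IPFW=${IPFW:-/sbin/ipfw}
SAVED=${SAVED:-/var/run/fw.saved.sh}          # snapshot of the rules now loaded
ROLLBACK=${ROLLBACK:-/var/run/fw.rollback.sh}
COMMIT=${COMMIT:-/var/run/fw.commit}          # its presence cancels the rollback
LOG=${LOG:-/var/run/fw.reload.log}
GRACE=${GRACE:-5}                             # minutes before the rollback fires

# Turn `ipfw list` output (read from stdin) into a script that re-creates
# those rules.  Rule 65535 is the built-in default and cannot be added, so
# it is skipped; blank lines and comments are ignored.
rules_to_script() {
    printf '%s\n' '#!/bin/sh' "$IPFW -q -f flush"
    while read -r num rest; do
        case "$num" in
            ''|'#'*|65535) continue ;;
        esac
        printf '%s -q add %s %s\n' "$IPFW" "$num" "$rest"
    done
}

# Heuristic sanity check (Richard's point: the rules must allow the ssh
# session itself).  Succeeds only if some non-comment line holds an
# allow/pass rule that mentions port 22 or "ssh".
has_ssh_rule() {
    grep -Eq '^[^#]*[[:space:]](allow|pass|accept|permit)[[:space:]].*[[:space:],](22|ssh)([[:space:],]|$)' "$1"
}

# Write the rollback script and hand it to at(1).  Whatever the job prints
# is mailed to the invoking user by at, which is how you see what happened.
schedule_rollback() {
    cat >"$ROLLBACK" <<EOF
#!/bin/sh
# Restore the previous ipfw rules unless the admin created $COMMIT.
[ -e "$COMMIT" ] && exit 0
sh "$SAVED" >"$LOG.rollback" 2>&1
EOF
    echo "sh $ROLLBACK" | at now + "$GRACE" minutes
}

reload() {
    new=$1
    [ -r "$new" ] || { echo "cannot read $new" >&2; exit 1; }
    has_ssh_rule "$new" || { echo "refusing: $new never allows ssh" >&2; exit 1; }
    rm -f "$COMMIT"
    "$IPFW" list | rules_to_script >"$SAVED"
    schedule_rollback
    # nohup: survive the SIGHUP delivered when the ssh session drops.
    # Redirect stdin/stdout/stderr so nothing is ever written to the dying
    # session; '&' returns control so you can log out and straight back in.
    nohup sh "$new" >"$LOG" 2>&1 </dev/null &
    echo "reloading; rollback in $GRACE minutes unless you: touch $COMMIT"
}

case "${1:-}" in
    reload) reload "$2" ;;
esac
```

After logging back in with the new rules in place, `touch /var/run/fw.commit` keeps them; if you cannot get back in, the at job runs the saved snapshot after the grace period and you log in under the old rules. Run it with `sh -x` and read the log files afterwards if a rule fails to load, as Richard suggests.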