Bug 27887

Summary: ipfw 'backup' option proposal
Product: Base System
Reporter: avn <avn>
Component: bin
Assignee: freebsd-bugs (Nobody) <bugs>
Status: Closed FIXED
Severity: Affects Only Me
Priority: Normal
Version: 4.3-STABLE
Hardware: Any
OS: Any
Attachments:
file.diff (flags: none)

Description avn 2001-06-05 07:50:01 UTC
	Usage of ipfw on remote systems is often dangerous, and the handbook
	explicitly warns about this. IMO it can be useful to have a 'backup'
	option to ipfw, which would restore the previous ruleset in case the
	user locked himself out. It saves the ruleset, performs the requested
	changes to ipfw and asks the user if he is still on-line. In case of
	disconnection, a timeout of 15 seconds, or signal delivery, it restores
	the previous ruleset. As for now, AFAIK, there is no interface to introduce
	dynamic rules directly, so it restores only the static ruleset, and does
	not restore pipes either. But it should be enough in most cases to
	allow the user to get back in again.

	The patch below is against 4.3-STABLE; I was not able to test it against
	-CURRENT for now, but I probably will in a week.

How-To-Repeat: 	This is a change-request.
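The save / apply / confirm-or-restore sequence the description proposes, as an added shell example that is neither the attached file.diff nor FreeBSD's change_rules.sh. It assumes the ipfw(8) binary at /sbin/ipfw (overridable through IPFW) and a shell whose `read` supports `-t` (bash or FreeBSD sh); as in the proposal, only the static ruleset is saved, not dynamic rules or pipes.

```bash
#!/bin/bash
# Added example, not the PR's patch or FreeBSD's change_rules.sh: load an ipfw
# ruleset over a remote session and roll back automatically unless the operator
# confirms in time. Only the static ruleset is saved (no dynamic rules, no pipes).
IPFW=${IPFW:-/sbin/ipfw}   # assumption: path of the ipfw(8) binary
TIMEOUT=${TIMEOUT:-15}     # seconds the operator has to confirm

# save_rules FILE: dump the static ruleset as "add ..." commands that ipfw can
# reload from a file. The fixed default rule 65535 cannot be re-added, so skip it.
save_rules() {
    "$IPFW" list | sed -n '/^65535 /!s/^/add /p' > "$1"
}

# load_rules FILE: replace the current static ruleset with the commands in FILE.
load_rules() {
    "$IPFW" -q -f flush && "$IPFW" -q "$1"
}

# confirm_within SECONDS: succeed only if the operator types "yes" in time.
# read -t fails on timeout and on EOF (the session was cut); a shell without
# -t fails as well. Every failure means "roll back".
confirm_within() {
    printf 'New ruleset loaded. Type "yes" within %s seconds to keep it: ' "$1"
    read -r -t "$1" answer && [ "$answer" = yes ]
}

# apply_with_rollback NEWFILE: save, apply, ask, and restore the saved rules on
# timeout, disconnection, signal, or a failed load. Returns 0 if the new rules
# were kept and 1 if the previous ruleset was put back.
apply_with_rollback() {
    saved=$(mktemp) || return 1
    save_rules "$saved" || { rm -f "$saved"; return 1; }
    # HUP (dropped session), INT and TERM all put the old rules back.
    trap 'load_rules "$saved"; rm -f "$saved"; exit 1' HUP INT TERM
    if load_rules "$1" && confirm_within "$TIMEOUT"; then
        trap - HUP INT TERM
        rm -f "$saved"
        echo "Keeping the new ruleset."
        return 0
    fi
    trap - HUP INT TERM
    load_rules "$saved"
    rm -f "$saved"
    echo "No confirmation: previous ruleset restored." >&2
    return 1
}
```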
Comment 1 billf 2001-06-05 08:26:19 UTC
On Tue, Jun 05, 2001 at 10:45:23AM +0400, avn@any.ru wrote:

> >Description:
> 	Usage of ipfw on remote systems is often dangerous, and the handbook
> 	explicitly warns about this. IMO it can be useful to have a 'backup'
> 	option to ipfw, which would restore the previous ruleset in case the
> 	user locked himself out. It saves the ruleset, performs the requested
> 	changes to ipfw and asks the user if he is still on-line. In case of
> 	disconnection, a timeout of 15 seconds, or signal delivery, it restores
> 	the previous ruleset. As for now, AFAIK, there is no interface to introduce
> 	dynamic rules directly, so it restores only the static ruleset, and does
> 	not restore pipes either. But it should be enough in most cases to
> 	allow the user to get back in again.

potential committers: don't commit this. I have a much more generic (atomic
changing of rulesets, recursive inclusion of rulesets) implementation that I
might finish one of these days...

in any case, doing this in ipfw(8) doesn't even seem like the right place
to pull this off..

-- 
Bill Fumerola - security yahoo         / Yahoo! inc.
              - fumerola@yahoo-inc.com / billf@FreeBSD.org
Comment 2 Will Andrews 2001-06-05 20:21:38 UTC
On Tue, Jun 05, 2001 at 12:30:02AM -0700, Bill Fumerola (billf@mu.org) wrote:
>  potential committers: don't commit this. I have a much more generic (atomic
>  changing of rulesets, recursive inclusion of rulesets) implementation that I
>  might finish one of these days...
>  
>  in any case, doing this in ipfw(8) doesn't even seem like the right place
>  to pull this off..

Why don't you post what you've got so the submitter and others
can pitch in?  It doesn't have to be a one-man effort.

-- 
wca
Comment 3 avn 2001-06-15 18:10:37 UTC
This PR can be closed.
A sample script was committed by des into share/examples/ipfw, which
implements the same functionality. billf's note has almost nothing
in common with this PR (though I'd be glad to have a look at the announced
changes :) )
Comment 4 Peter Pentchev freebsd_committer freebsd_triage 2001-06-15 18:27:16 UTC
State Changed
From-To: open->closed

Closed at originator's request: he likes DES's change_rules.sh script 
in /usr/share/examples/ipfw/