From ast@icon.iconomic.com  Sat Jun 13 10:56:14 1998
Received: from coyote.instrumatic.ch (coyote.instrumatic.ch [195.226.4.148])
          by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id KAA15703
          for <FreeBSD-gnats-submit@freebsd.org>; Sat, 13 Jun 1998 10:56:10 -0700 (PDT)
          (envelope-from ast@icon.iconomic.com)
Received: (from root@localhost)
	by coyote.instrumatic.ch (8.8.7/8.8.7/ast-971024) with UUCP id TAA24061
	for FreeBSD-gnats-submit@freebsd.org; Sat, 13 Jun 1998 19:56:04 +0200 (MET DST)
Received: (from ast@localhost)
	by icon.iconomic.com (8.8.8/8.8.8) id TAA13514;
	Sat, 13 Jun 1998 19:51:39 +0200 (MEST)
	(envelope-from ast)
Message-Id: <199806131751.TAA13514@icon.iconomic.com>
Date: Sat, 13 Jun 1998 19:51:39 +0200 (MEST)
From: Adrian Steinmann <ast@iconomic.com>
Reply-To: ast@iconomic.com
To: FreeBSD-gnats-submit@freebsd.org
Subject: submission: routines in /etc/rc.firewall to make it failsafe
X-Send-Pr-Version: 3.2

>Number:         6937
>Category:       bin
>Synopsis:       [PATCH] rc.firewall can't be run from network - fix
>Confidential:   no
>Severity:       non-critical
>Priority:       medium
>Responsible:    freebsd-bugs
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          change-request
>Submitter-Id:   current-users
>Arrival-Date:   Sat Jun 13 11:00:01 PDT 1998
>Closed-Date:    Fri Jun 4 07:37:43 PDT 1999
>Last-Modified:  Fri Jun  4 07:40:23 PDT 1999
>Originator:     Adrian Steinmann
>Release:        FreeBSD 2.2.6-RELEASE i386
>Organization:
Steinmann Consulting
>Environment:

System running IPFW and /etc/rc.firewall

>Description:

The file /etc/rc.firewall reloads the ipfw rules but may not complete
if it is started on a network connection.

>How-To-Repeat:

Run sh /etc/rc.firewall over a network connection; if /etc/rc.firewall
is sufficiently complex, you will lose your connection and may not
be able to contact the machine again until /etc/rc.firewall has run
completely.

>Fix:
	

I have been using this additional code in /etc/rc.firewall with
good results: if, by chance, you run sh /etc/rc.firewall on a pty
via the network, you will admittedly lose your session, but the script
will finish completely and (unless you made changes which are faulty)
you will be able to log back in again (because it ignores the HUP
signal).  It also takes down and brings up all interfaces, making
any ongoing connections cut cleaner (and usually continue) than
when the rules are loaded while the interfaces are up. The really
paranoid might also argue that this way there is no window where the
interfaces are up and the FW rules are incomplete...

Could we put this into the distributed /etc/rc.firewall?


...
PATH=/sbin:/usr/sbin:/bin:/usr/bin
export PATH
...

# routine to set interfaces down and up
interfaces ()
{
    case "x$1" in
	xup|xdown)
	    # list the names of all interfaces whose flags include BROADCAST
	    # (ifconfig -a header lines look like "ed0: flags=...<UP,BROADCAST,...>")
	    # and bring each one up or down as requested
	    ifconfig -a | sed -n -e '/BROADCAST,/ s/:.*//p' | \
		while read i; do ifconfig $i $1; done
	    ;;
	*)
	    echo "USAGE: interfaces [up|down]" >&2
	    ;;
    esac
}

############
# START
trap '' 1	# ignore SIGHUP so the script finishes even if the pty goes away
interfaces down

... all the ipfw rules ...

############
# DONE
interfaces up

Adrian
_________________________________________________________________________
Dr. Adrian Steinmann  Steinmann Consulting  Apollostrasse 21  8032 Zurich
   Tel +41 1 380 30 83     Fax +41 1 380 30 85    Mailto:ast@marabu.ch
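The following is an added example, not the PR's code, that generalizes the
trap / interfaces-down / interfaces-up idea above: it remembers which
interfaces were actually up (skipping lo0), takes only those down, and
restores them from an EXIT trap so that a ruleset that errors out, or a run
killed with INT/TERM, still leaves the box reachable. The function names,
the constructed ifconfig sample and the default rules path /etc/ipfw.rules
are all assumptions of this example.

```sh
#!/bin/sh
# Added example (not the PR's code): failsafe ipfw reload from a remote session.
# Assumes FreeBSD-style `ifconfig -a` output; the rules file path is hypothetical.

# Read `ifconfig -a` output on stdin; print the names of interfaces that are
# UP, not LOOPBACK, and carry an IPv4 (inet) address.  Taking lo0 down would
# break local services for the duration of the reload, so it is excluded.
up_inet_interfaces () {
    awk '
        function flush() { if (name != "" && up && !loop && inet) print name }
        /^[A-Za-z]/ {                     # "ed0: flags=8843<UP,...> mtu 1500"
            flush()
            name = $1; sub(/:$/, "", name)
            up   = ($0 ~ /[<,]UP[,>]/)    # UP as a whole flag, not a substring
            loop = ($0 ~ /LOOPBACK/)
            inet = 0
        }
        $1 == "inet" { inet = 1 }         # indented "inet a.b.c.d netmask ..." line
        END { flush() }
    '
}

# Take the saved interfaces down, run the ruleset, and bring the same
# interfaces back up no matter how the script ends.
# $1: file holding the ipfw rules (default path is hypothetical).
failsafe_reload () {
    rules=${1:-/etc/ipfw.rules}
    trap '' HUP                                   # losing the pty must not kill us
    saved=$(ifconfig -a | up_inet_interfaces)     # only what was really up
    # EXIT fires on normal end, on a failing command if set -e is in use,
    # and on INT/TERM, so the restore cannot be skipped by an early exit.
    trap 'for i in $saved; do ifconfig "$i" up; done' EXIT
    for i in $saved; do ifconfig "$i" down; done
    sh "$rules"                                   # no window with ifaces up and rules half-loaded
}

# Constructed sample of `ifconfig -a` output, used to exercise the parser offline.
SAMPLE_IFCONFIG='ed0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        inet 192.0.2.10 netmask 0xffffff00 broadcast 192.0.2.255
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 16384
        inet 127.0.0.1 netmask 0xff000000
ppp0: flags=8010<POINTOPOINT,MULTICAST> mtu 1500
        inet 198.51.100.2 --> 198.51.100.1 netmask 0xffffffff
fxp1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        ether 00:00:5e:00:53:01
tun0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 1500
        inet 203.0.113.2 --> 203.0.113.1 netmask 0xffffffff'

# Interface list the sample would make failsafe_reload save, space separated.
demo_saved_interfaces () {
    printf '%s\n' "$SAMPLE_IFCONFIG" | up_inet_interfaces | tr '\n' ' '
}

demo_saved_interfaces; echo
```

Run failsafe_reload as root with the path of your ruleset; the demo call at
the bottom only exercises the parser on the constructed sample (lo0 is
skipped for being loopback, ppp0 for being down, fxp1 for having no inet
address). The signal names HUP and EXIT in trap are the POSIX spelling of
the numeric `1` and `0` the PR uses.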
>Release-Note:
>Audit-Trail:

From: "Jordan K. Hubbard" <jkh@time.cdrom.com>
To: ast@iconomic.com
Cc: FreeBSD-gnats-submit@FreeBSD.ORG
Subject: Re: bin/6937: submission: routines in /etc/rc.firewall to make it failsafe
Date: Sat, 13 Jun 1998 12:04:46 -0700

 > Could we put this into the distributed /etc/rc.firewall?
 
 I find your intentions here somewhat hard to follow, however.  Could
 you please resubmit your changes as context or unidiffs to the distributed
 rc.firewall?  Thanks!
 

From: Adrian Steinmann <ast@marabu.ch>
To: freebsd-gnats-submit@freebsd.org, ast@iconomic.com
Subject: Re: Problem Report bin/6937
Date: Fri, 26 Jun 98 14:25:39 +0200

subject=Re: bin/6937: rc.firewall can't be run from network - fix

This is the patch relative to the current rc.firewall

*** rc.firewall-        Fri Jun 26 14:00:34 1998
--- rc.firewall Fri Jun 26 14:00:06 1998
***************
*** 53,58 ****
--- 53,91 ----
        fwcmd="/sbin/ipfw"
  fi

+ # routine to set interfaces down and up
+ interfaces ()
+ {
+     sed="/usr/bin/sed"; fgrep="/usr/bin/fgrep"; ifconfig="/sbin/ifconfig"
+     if [ "x$firewall_quiet" = "xYES" ]; then
+       ifcreport=":"
+     else
+       ifcreport="$ifconfig"
+     fi
+     case "x$1" in
+       xup)
+           for i in `$ifconfig -ad | $sed -ne 's/: .*//p'`; do
+               $ifconfig $i | $fgrep -qs inet 2> /dev/null &&
+                       ( $ifconfig $i up && $ifcreport $i )
+           done
+           ;;
+       xdown)
+           for i in `$ifconfig -au | $sed -ne 's/: .*//p'`; do
+               $ifconfig $i | $fgrep -qs inet 2> /dev/null &&
+                       ( $ifconfig $i down && $ifcreport $i )
+           done
+           ;;
+       *)
+           echo "USAGE: interfaces [up|down]" >&2
+           ;;
+     esac
+ }
+
+ ############
+ # START
+ trap '' 1
+ interfaces down
+
  ############
  # Flush out the list before we begin.
  $fwcmd -f flush
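Review bot: the xup branch raises every down interface that has an inet address (`$ifconfig -ad`), not just the ones the xdown branch took down, and the `inet` filter, unlike the `BROADCAST,` match in the first version of this routine, does not exclude lo0, so the loopback is taken down for the whole reload. Suggest having the down branch record the names it acts on (e.g. `ifaces_down="$ifaces_down $i"`) and iterating over that list in the up branch, so an interface an administrator deliberately left down stays down and lo0 is never touched. Also `$firewall_quiet` is read here but nothing in the hunk sets or documents it; a comment saying where it comes from would help.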
***************
*** 186,188 ****
--- 219,224 ----
  elif [ "${firewall_type}" != "UNKNOWN" -a -r "${firewall_type}" ]; then
        $fwcmd ${firewall_type}
  fi
+ ############
+ # DONE
+ interfaces up
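Review bot: `interfaces up` is only reached if the script runs to the end; `trap '' 1` keeps it alive when the pty goes away, but a run interrupted with INT/TERM between `interfaces down` and this line leaves every interface down and the machine unreachable, which is the failure the patch sets out to prevent. Suggest registering the restore as an exit trap at the point where the interfaces are taken down (`trap 'interfaces up' 0`) so it runs on every exit path, and keeping this block as a harmless second call; a one-line comment here noting that the START block took the interfaces down would also help the next reader.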

Adrian
_________________________________________________________________________
Dr. Adrian Steinmann  Steinmann Consulting  Apollostrasse 21  8032 Zurich
   Tel +41 1 380 30 83     Fax +41 1 380 30 85    Mailto:ast@marabu.ch

State-Changed-From-To: open->closed
State-Changed-By: ru
State-Changed-When: Fri Jun 4 07:37:43 PDT 1999
State-Changed-Why:
It could be done from network, for example:
# sh /etc/rc.firewall >/dev/null 2>&1
Refer to the ``BUGS'' section of ipfw(8) manpage.
>Unformatted:
