IPFW Can you use change_rules.sh without tmux?

I stumbled upon recommendations to use /usr/share/examples/ipfw/change_rules.sh quite often and ipfw(8)'s manual page mentions the script as well.

I always SSH into my server as a normal user and su to the root user, and then I tried the script a few times over a few months. It never worked as intended. The SSH connection became unresponsive and, due to inexperience, I just thought the script was old and broken and I didn't bother, as my server is colocated with my washing machine in the basement and I could quickly correct my firewalling mistakes.

Anyway, thanks to this forum my skill level has increased and now I know why the script didn't work for me, and today I used tmux to keep the session alive and thus the script running, and it worked beautifully.

So my question is: how is change_rules.sh supposed to keep running without tmux or something similar? SSH always becomes unresponsive when I change firewall rules, resulting in the session (including change_rules.sh) being terminated. Am I doing things differently from everyone else?
 
Not a direct answer to your question but perhaps an alternative solution.

My ssh sessions do not get disconnected on loading new rules, as:

* From the IPFW man page:
  net.inet.ip.fw.default_to_accept: 0
  Defines ipfw last rule behavior. This value overrides options IPFW_DEFAULT_TO_(ACCEPT|DENY) from kernel configuration file.
  I set this to: net.inet.ip.fw.default_to_accept=1
  so that for any rule relinked to the default rule the action is 'accept'.

* From the IPFW man page:
  net.inet.ip.fw.dyn_keep_states: 0
  Keep dynamic states on rule/set deletion. States are relinked to default rule (65535). This can be handy for ruleset reload. Turned off by default.
  I set this to: net.inet.ip.fw.dyn_keep_states=1
 
What happens is dependent on your rule set. For example, if you are using stateful rules for your ssh connections and you don't take steps to preserve the dynamic rules that your connection is running under, it will be invalidated (deleted) when you reload ipfw.

Even if you are using static rules (i.e. always allowing port 22 from your local subnet) and have the default to denied enabled (which you should have), you will break the connection when you send output to the terminal while the connection is momentarily disrupted.

The simplest way around that is to make sure the script you are using to restart and reload the rules doesn't output anything to terminal until it completes.

For example, you could do something like: nohup ipfw.start.sh > ipfw.rpt 2>&1 &

In this case ipfw.start.sh is a local script I wrote. You can check the contents of ipfw.rpt to see if everything went ok.
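The two replies above combined into one reload script, as an added example (this is not the poster's ipfw.start.sh). It assumes the rules live in /etc/ipfw.rules as one ipfw command per line, that net.inet.ip.fw.default_to_accept=1 is already set in /boot/loader.conf (it is a boot-time tunable), and that the IPFW and SYSCTL variables name the real binaries; the names reload_rules, check_log and the log path are mine.

```sh
#!/bin/sh
# Added example, not the poster's own ipfw.start.sh: reload an ipfw ruleset
# from an SSH session without writing to that terminal while the firewall
# is in flux. Assumptions: rules are in /etc/ipfw.rules (one ipfw command
# per line, e.g. "add 100 allow tcp from 192.0.2.0/24 to me 22 in"),
# net.inet.ip.fw.default_to_accept=1 is already set in /boot/loader.conf,
# and $IPFW / $SYSCTL name the binaries (overridable so the functions can
# be exercised on a machine without an ipfw kernel).
IPFW=${IPFW:-ipfw}
SYSCTL=${SYSCTL:-sysctl}
RULES=${RULES:-/etc/ipfw.rules}
LOG=${LOG:-/var/log/ipfw-reload.log}

# Keep the dynamic state of the current SSH connection across the flush
# (states are relinked to rule 65535, which default_to_accept=1 turns into
# an accept), then replace the ruleset. Everything is written to
# stdout/stderr, which the caller redirects into $LOG, so nothing reaches
# the terminal while the connection may be disrupted.
reload_rules() {
    rules=$1
    [ -r "$rules" ] || { echo "ipfw-reload: cannot read $rules"; return 1; }
    "$SYSCTL" net.inet.ip.fw.dyn_keep_states=1 || return 1
    "$IPFW" -q -f flush || return 1
    "$IPFW" -q "$rules" || return 1
    "$IPFW" list                       # record what is now installed
    echo "ipfw-reload: OK"
}

# The log is good when the reload reached its final line and ipfw printed
# no error (ipfw prefixes its own error messages with "ipfw:").
check_log() {
    [ "$(tail -n 1 "$1")" = "ipfw-reload: OK" ] && ! grep -q '^ipfw:' "$1"
}

# "start" detaches the reload with nohup, as the reply above suggests, so
# a momentary loss of the SSH session cannot kill it half way through;
# "run" is the detached child; "check" inspects the log afterwards.
case ${1:-} in
    start) nohup sh "$0" run "$RULES" > "$LOG" 2>&1 & ;;
    run)   reload_rules "$2" ;;
    check) check_log "$LOG" || { echo "ipfw-reload: FAILED, see $LOG"; exit 1; } ;;
esac
```

Run `sh ipfw-reload.sh start`, wait a few seconds, then `sh ipfw-reload.sh check`; the SSH session receives no output until the reload has finished.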
 