# Why I could not execute an ipfw script remotely



## goldenfire (Jan 22, 2010)

Below is my ipfw script. I could execute it from the console directly and let other hosts inside the same local network access this host.


```
#!/bin/sh

# Drop every existing rule (-f: do not ask for confirmation). From here
# until rule 01000 is added, only the default 65535 deny applies to the LAN.
ipfw -f flush

ipfw add 00100 allow ip from any to any via lo0
#ipfw add 00200 deny ip from any to 127.0.0.0/8
#ipfw add 00300 deny ip from 127.0.0.0/8 to any

# Anything this host originates, plus the replies to it (dynamic state)
ipfw add 00400 allow ip from me to any keep-state

# Inbound SMTP
ipfw add 00500 allow tcp from any to any 25 in

#private IP
ipfw add 01000 allow ip from 192.168.2.0/24 to any

# Same loopback deny rules as the commented lines above. Rule numbers, not
# script order, decide evaluation order, so these still sit before 00400.
ipfw add 00200 deny ip from any to 127.0.0.0/8
ipfw add 00300 deny ip from 127.0.0.0/8 to any
```

But when I try to execute this script from an ssh login with PuTTY, all other hosts are blocked out of this host.
Of course, I could still log in at the console.
And I got the result below.

```
ns# ipfw list
00100 allow ip from any to any via lo0
65535 deny ip from any to any
```

It looks like only the first rule has been added.
Why could the whole script not run to the end?


----------



## BobBilly5 (Jan 22, 2010)

When you run that script, it flushes all rules.
With ipfw the default rule is '65535 deny ip from any to any', so your connection is cut off immediately and that script is killed; hence no more commands are run.

You can try running 'sh /etc/rc.firewall > /dev/null ; sleep 3'

That way you have no I/O going on after you issue that command, and your ssh session should be able to stay connected.

or 

Or, as I've done many times, use watch(8) to connect to the local console and run that script from there; that way, if your ssh session gets kicked, the console is still up and the script finishes. [ watch -W v4 ] or v0, v1, v2, etc.
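A third way, as an added example for this thread and not code from either poster: never flush at all. Load the new rules into a disabled ipfw rule set, swap that set into place in one operation, and arm a timer that swaps the old rules back unless you confirm from a fresh ssh session. It assumes FreeBSD ipfw with rule sets (`ipfw set disable`, `ipfw set swap`, `ipfw delete set`), that set 1 is not used for anything else, and a pid-file path and 60 s default chosen here; the rules are the ones from the first post, with `192.168.2.0/24` as the LAN.

```shell
#!/bin/sh
# ipfw-safe-reload.sh: replace the live ipfw ruleset without the deny-all
# window that 'ipfw -f flush' opens, and roll back automatically if the
# new rules lock the admin out.
#
# Added example for this thread, not code from the original post. Assumes
# FreeBSD ipfw with rule sets ('ipfw set disable/swap', 'ipfw delete set')
# and that set 1 is not used for anything else. The pid file path and the
# 60 s default are choices made for this example.

set -u

IPFW="${IPFW:-ipfw}"                # IPFW="echo ipfw" gives a dry run
STAGE=1                             # scratch set, loaded while disabled
PIDFILE=/var/run/ipfw-reload.pid    # pid of the armed roll-back timer
LAN=192.168.2.0/24

# The poster's rules, one per line, without 'ipfw add'. No 'flush' here:
# nothing is removed until the new set is in place.
ruleset() {
    cat <<EOF
00100 allow ip from any to any via lo0
00200 deny ip from any to 127.0.0.0/8
00300 deny ip from 127.0.0.0/8 to any
00400 allow ip from me to any keep-state
00500 allow tcp from any to any 25 in
01000 allow ip from $LAN to any
EOF
}

# Load every rule into the disabled scratch set, then swap set numbers.
# Rules in a disabled set are never matched, so the ssh session keeps
# working on the old rules right up to the swap, and the swap itself is
# one kernel operation: there is no moment with only 65535 deny in effect.
# -q suppresses ipfw's echo of each added rule, the I/O BobBilly5 mentions.
stage_and_swap() {
    $IPFW set disable "$STAGE"    || return 1
    $IPFW delete set "$STAGE"     # clear leftovers from an earlier run
    ruleset | while read -r num rule; do
        $IPFW -q add "$num" set "$STAGE" $rule || return 1
    done || return 1
    $IPFW set swap 0 "$STAGE"     || return 1
    # The old rules now sit, disabled, in set $STAGE, ready to swap back.
}

# Arm a detached timer that swaps the old rules back unless confirm() runs
# first. nohup keeps it alive when the ssh session that started it dies.
arm_rollback() {
    nohup sh -c "sleep $1; $IPFW set swap 0 $STAGE; $IPFW delete set $STAGE" \
        >/dev/null 2>&1 &
    echo $! >"$PIDFILE"
}

# Run from a *new* ssh session: reaching the host proves the new rules
# admit the admin, so cancel the timer and discard the old set.
confirm() {
    [ -f "$PIDFILE" ] || { echo "no roll-back timer armed" >&2; return 1; }
    kill "$(cat "$PIDFILE")" 2>/dev/null
    rm -f "$PIDFILE"
    $IPFW delete set "$STAGE"
}

case "${1:-}" in
    reload)  stage_and_swap && arm_rollback "${2:-60}" ;;
    confirm) confirm ;;
    *)       echo "usage: $0 reload [seconds] | confirm" >&2 ;;
esac
```

Usage: `sh ipfw-safe-reload.sh reload 60` from the existing ssh session, then open a second session and run `sh ipfw-safe-reload.sh confirm` within 60 seconds; if the second session cannot get in, the timer swaps the old rules back and the first session comes back on its own. `IPFW="echo ipfw" sh ipfw-safe-reload.sh reload` prints the exact ipfw commands without touching the firewall. In this ruleset it is rule 01000 that lets the LAN admin back in after the swap, so the ruleset must still contain a static allow for wherever the admin connects from.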


----------



## goldenfire (Jan 22, 2010)

BobBilly5 said:

> When you run that script, it flushes all rules.
> With ipfw the default rule is '65535 deny ip from any to any', so your connection is cut off immediately and that script is killed; hence no more commands are run.
>
> You can try running 'sh /etc/rc.firewall > /dev/null ; sleep 3'
> ...



Thank you very much. If I had known you earlier, I would not have made the mistake of taking down a server inside a datacenter, only because I forgot to type the editor command and typed only the script file name. Unfortunately I used the full path of that file.
Before, I only knew that we could not run that script remotely, but I did not understand the reason.
I still do not understand your excellent techniques well enough.
But I am happy there are still so many things I do not know at all.

Thanks a lot!


----------

