Date: Fri, 30 May 2014 13:54:57 -0400
From: Lowell Gilbert <freebsd-questions-local@be-well.ilk.org>
To: John Case <case@SDF.ORG>
Cc: freebsd-questions@freebsd.org
Subject: Re: Can I reset all existing network connections with ipfw ?
Message-ID: <44wqd3dudq.fsf@be-well.ilk.org>
In-Reply-To: <Pine.NEB.4.64.1405300024480.1532@faeroes.freeshell.org> (John Case's message of "Fri, 30 May 2014 00:31:31 +0000 (UTC)")
References: <Pine.NEB.4.64.1405300024480.1532@faeroes.freeshell.org>
John Case <case@SDF.ORG> writes:

> Let's say I have a rule like this somewhere near the front of my ipfw
> ruleset:
>
>     ipfw add 10 allow tcp from any to any established
>
> ... fairly standard ... get established connections through ipfw
> quickly without sending them through the entire ruleset, which,
> presumably, they've already passed through.
>
> Ok, but what if I boot without a ruleset, OR I flush the rules and
> then re-apply them ... then there could be established tcp
> connections, that will be passed by this rule, that might be
> disallowed by the ruleset ... but they are allowed to continue because
> they were established before I applied the ruleset.
>
> In this case, is there an ipfw command that I can run that resets, or
> kills off, all established connections, and forces them to reconnect
> now that the rules are in place? I could probably 'ifconfig down'
> the interface, but that seems like too much brute force ... is there a
> nice way to do it?
>
> I was thinking of 'tcpdrop' but there doesn't seem to be a 'tcpdrop
> all' or equivalent command ...

If I were worried about that regularly, I wouldn't have "established" in
my ruleset to begin with. Keeping state would be more appropriate. I
can't picture a use case where this would come up in practice.
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?44wqd3dudq.fsf>
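An added example, not code from either poster: a small FreeBSD reload script that does what the reply recommends (a stateful ruleset with `check-state`/`keep-state` instead of a blanket `established` rule) and then does the "tcpdrop all" the question asked for by turning `netstat -an -p tcp` output into one `tcpdrop(8)` call per ESTABLISHED connection. It assumes the standard syntax of `ipfw`, `netstat` and `tcpdrop` on FreeBSD; the rule numbers, the ssh-only inbound policy and the embedded netstat sample are my own constructions. It runs in dry-run mode by default (DRY_RUN=1), printing the commands it would execute, so it can be exercised on any POSIX shell; set DRY_RUN=0 on a FreeBSD box to actually apply it.

```shell
#!/bin/sh
# Reload ipfw statefully, then drop every TCP connection that was set up
# before the rules existed, so each one has to pass the ruleset again.
# Added example, not from the thread. Rule numbers and policy are assumptions.
set -eu

DRY_RUN=${DRY_RUN:-1}

# Print the command in dry-run mode, otherwise execute it.
run() {
    if [ "$DRY_RUN" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Stateful replacement for "allow tcp from any to any established":
# a packet only matches check-state if its flow was admitted by an explicit
# setup/keep-state rule, so nothing from before the reload gets a free pass.
install_ruleset() {
    run ipfw -q flush
    run ipfw add 10 check-state
    run ipfw add 20 allow ip from any to any via lo0
    run ipfw add 100 allow tcp from me to any setup keep-state   # host-initiated
    run ipfw add 200 allow tcp from any to me 22 setup keep-state # inbound ssh only (assumed policy)
    run ipfw add 300 allow udp from me to any keep-state
    run ipfw add 65000 deny log ip from any to any
}

# FreeBSD netstat joins address and port with the last '.', for IPv6 too:
# "192.0.2.10.22" -> "192.0.2.10 22", "2001:db8::1.443" -> "2001:db8::1 443"
split_addr() {
    printf '%s %s\n' "${1%.*}" "${1##*.}"
}

# Read `netstat -an -p tcp` output on stdin and emit one
# "tcpdrop laddr lport faddr fport" line per ESTABLISHED connection.
# LISTEN, TIME_WAIT and the header lines are skipped.
drop_commands() {
    awk '$1 ~ /^tcp/ && $NF == "ESTABLISHED" { print $4, $5 }' |
    while read -r local foreign; do
        set -- $(split_addr "$local") $(split_addr "$foreign")
        printf 'tcpdrop %s %s %s %s\n' "$1" "$2" "$3" "$4"
    done
}

# Constructed sample of netstat output, used instead of the live table in dry-run.
SAMPLE_NETSTAT='Active Internet connections (including servers)
Proto Recv-Q Send-Q Local Address          Foreign Address        (state)
tcp4       0      0 192.0.2.10.22          198.51.100.7.54321     ESTABLISHED
tcp4       0      0 192.0.2.10.8080        203.0.113.9.41000      ESTABLISHED
tcp4       0      0 *.22                   *.*                    LISTEN
tcp6       0      0 2001:db8::1.443        2001:db8::2.40000      ESTABLISHED
tcp4       0      0 192.0.2.10.22          198.51.100.8.50000     TIME_WAIT'

connection_table() {
    if [ "$DRY_RUN" = 1 ]; then
        printf '%s\n' "$SAMPLE_NETSTAT"
    else
        netstat -an -p tcp
    fi
}

main() {
    install_ruleset
    # Flushing already discarded the dynamic state; now kill the sockets so
    # surviving peers must reconnect through the new rules.
    connection_table | drop_commands | while read -r cmd; do
        run $cmd
    done
}

main "$@"
```

Run it from the console rather than over ssh: with DRY_RUN=0 the tcpdrop loop will drop the operator's own session along with everything else, which is exactly the behaviour the question was after but not one you want to discover halfway through a remote maintenance window.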