From: Ole <ole@free.de>
To: freebsd-ipfw@freebsd.org
Date: Wed, 5 Sep 2018 11:28:47 +0200
Subject: ipfw managing rules - best practice?
Message-ID: <20180905112847.54287198.ole@free.de>

Hi,

I'm using the ipfw firewall on several machines. Rules are made by users by hand or by configuration management tools. For this the ipfw.rules script sources other files:

    #!/bin/sh
    ipfw -q -f flush
    cmd="ipfw -q add"
    pif="epair0b"   # interface name of NIC attached to Internet

    $cmd 00010 allow all from any to any via lo0

    # each fragment is sourced as shell and uses $cmd and $pif
    for RULES in `ls /etc/ipfw.rules.d/*.rules` ; do
        . $RULES
    done

    $cmd 09999 deny log all from any to any

If a user or a script alters a file, `service ipfw restart` is called.
This is working fine except for one thing: active connections like sql, syslog, ssh, etc. get broken. They are defined like

    $cmd 01610 allow tcp from vpn.example.org to me 22 in via $pif setup limit src-addr 50

I understand that these connections get broken because the dynamic rules get flushed with the `ipfw -q -f flush` command. But commenting this command out results in a continuously growing rules table.

With the `ipfw -d list` command I can see the dynamic rules.

Is there a way to flush the rules but not the dynamic ones? Or to add them again after flush?

How do you reload your rules?

Thanks for help

Ole
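A reload script with a dry-run pass, added here as an example and not part of Ole's post or of FreeBSD's rc scripts: it keeps the post's fragment layout ($cmd and $pif in /etc/ipfw.rules.d/*.rules) and first sources every fragment with $cmd pointing at a checker that calls `ipfw -n` (syntax check only, nothing reaches the kernel), flushing the live table only when every fragment parses, so a typo in one fragment cannot leave the host with nothing but the final deny rule. The function names, the RULES_DIR override and the stub-friendly `case` entry point are assumptions; it does not preserve dynamic state across the flush.

```shell
#!/bin/sh
# Added example, not code from the original post. Same layout as the post:
# /etc/ipfw.rules.d/*.rules fragments that run "$cmd NNNNN ..." and use $pif.
# Pass 1 sources every fragment with $cmd pointing at check_rule, which only
# asks "ipfw -n" to parse the rule. The live table is flushed and rebuilt only
# if pass 1 reported no errors. Dynamic (limit/keep-state) entries are still
# dropped by the flush; this script does not address that.

RULES_DIR=${RULES_DIR:-/etc/ipfw.rules.d}   # override is an assumption
pif="epair0b"                                # Internet-facing NIC, as in the post
errors=0

# Stand-in for $cmd during the dry run: syntax-check one rule, count failures.
check_rule() {
    if ! ipfw -n -q add "$@"; then
        errors=$((errors + 1))
        echo "bad rule: $*" >&2
    fi
}

# Source each *.rules fragment in sorted glob order with $cmd set to $1.
# Only regular files are taken, so a stray directory or backup file is skipped.
source_fragments() {
    cmd=$1
    for RULES in "$RULES_DIR"/*.rules; do
        [ -f "$RULES" ] || continue
        . "$RULES"
    done
}

# Return 0 when every fragment parses, 1 otherwise ($errors holds the count).
check_fragments() {
    errors=0
    source_fragments check_rule
    [ "$errors" -eq 0 ]
}

# Full reload: refuse to touch the live table unless the dry run was clean.
reload_rules() {
    check_fragments || { echo "keeping current rules: $errors bad rule(s)" >&2; return 1; }
    ipfw -q -f flush
    ipfw -q add 00010 allow all from any to any via lo0
    source_fragments "ipfw -q add"
    ipfw -q add 09999 deny log all from any to any
}

case "${1:-}" in
    reload) reload_rules ;;
esac
```

Run it as `sh ipfw-reload.sh reload` from the same place `service ipfw restart` was called before.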