Date: Mon, 1 Sep 2003 16:09:26 +0200
From: "Simon L. Nielsen" <simon@FreeBSD.org>
To: Sten Daniel Sørsdal <sten.daniel.sorsdal@wan.no>
Cc: freebsd-ipfw@freebsd.org
Subject: Re: IPFW2, sets and dynamic rules.
Message-ID: <20030901140925.GC396@FreeBSD.org>
In-Reply-To: <0AF1BBDF1218F14E9B4CCE414744E70F07DF31@exchange.wanglobal.net>
References: <0AF1BBDF1218F14E9B4CCE414744E70F07DF31@exchange.wanglobal.net>
On 2003.09.01 15:29:36 +0200, Sten Daniel Sørsdal wrote:
> are there any ways to change the set 0 rules while still retaining the
> functionality of the old dynamic rules?

As Luigi said, when you delete a rule the corresponding dynamic rules are
deleted as well. I use the following hack which allows one reload without
deleting running connections. I basically move all the "old" rules to a
disabled set, so they still exist but aren't active. That way the dynamic
rules aren't deleted.

set_nospoof="2"
set_bandwidth="3"
set_std="4"
set_nitro="5"
set_bogon="6"
set_old="30"

# All the default active sets :
sets_normal="0 $set_nospoof $set_bandwidth $set_std $set_nitro $set_bogon"

# Clean old set
${fwcmd} delete set ${set_old}
${fwcmd} set enable ${set_old}

# Move all rules to special set
for s in $sets_normal; do
	${fwcmd} set move ${s} to ${set_old}
done

# Disable normal sets so we can safely add to them
${fwcmd} set disable $sets_normal

${fwcmd} add set ${set_std} reset tcp from any to any 113

# A lot of other rules

# Now we switch to the new sets
${fwcmd} set disable ${set_old} enable ${sets_normal}

Note that this is just copy/pasted from my firewall script, but you should
get the idea. This is not pretty, but it works.

-- 
Simon L. Nielsen
FreeBSD Documentation Team
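An added example, not Simon's script and not code from the FreeBSD project: the same parked-set reload written as a small POSIX sh script that swaps the live sets in one command and rolls back to the parked generation if loading the new rules fails. The set numbers, the sample rules and the FWCMD variable (defaulting to "echo ipfw" so the sequence can be inspected offline) are assumptions.

```shell
#!/bin/sh
# Added example (not Simon's script): the "park the old rules in a disabled
# set" reload, with two additions a practitioner would want: the live sets
# are swapped in a single "set disable ... enable ..." command so there is
# never a window without rules, and a failure while loading the new rules
# rolls back to the old generation instead of leaving half a rule base live.
# Assumptions: set numbers and rules are illustrative; FWCMD defaults to
# "echo ipfw" so the command sequence can be inspected without touching ipfw.

FWCMD="${FWCMD:-echo ipfw}"
SET_OLD=30                   # disabled parking set for the previous generation
SETS_NORMAL="0 2 3 4 5 6"    # sets that carry the live rule base

fw() { $FWCMD "$@"; }

# load_new_rules: add the new generation into the (currently disabled) normal
# sets. Any failing add returns non-zero so reload_fw can roll back.
load_new_rules() {
    fw add set 4 check-state || return 1
    fw add set 4 reset tcp from any to any 113 || return 1
    fw add set 4 allow tcp from any to any setup keep-state || return 1
}

# reload_fw: park the live rules, load the new ones, then swap atomically.
# Dynamic rules stay attached to the parked rules, so open connections survive.
reload_fw() {
    # The parking set must be empty, or stale rules come back when it is enabled.
    fw delete set "$SET_OLD"
    fw set enable "$SET_OLD"
    for s in $SETS_NORMAL; do
        fw set move "$s" to "$SET_OLD"
    done
    # Disable the normal sets so rules added below are not live yet.
    fw set disable $SETS_NORMAL
    if load_new_rules; then
        fw set disable "$SET_OLD" enable $SETS_NORMAL
    else
        # Roll back: drop the half-loaded generation; the old rules are still live.
        for s in $SETS_NORMAL; do
            fw delete set "$s"
        done
        return 1
    fi
}
```

Run it with FWCMD=ipfw as root once the sequence looks right; on the first run the parking set is empty and the initial delete is a no-op.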