From: Lowell Gilbert
To: John Case
Cc: freebsd-questions@freebsd.org
Subject: Re: Can I reset all existing network connections with ipfw ?
Date: Fri, 30 May 2014 13:54:57 -0400
Message-ID: <44wqd3dudq.fsf@be-well.ilk.org>
In-Reply-To: (John Case's message of "Fri, 30 May 2014 00:31:31 +0000 (UTC)")
User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/24.3 (berkeley-unix)
List-Id: User questions

John Case writes:

> Let's say I have a rule like this somewhere near the front of my ipfw
> ruleset:
>
>     ipfw add 10 allow tcp from any to any established
>
> ... fairly standard ... get established connections through ipfw
> quickly without sending them through the entire ruleset, which,
> presumably, they've already passed through.
>
> Ok, but what if I boot without a ruleset, OR I flush the rules and
> then re-apply them ... then there could be established tcp
> connections, that will be passed by this rule, that might be
> disallowed by the ruleset ... but they are allowed to continue because
> they were established before I applied the ruleset.
>
> In this case, is there an ipfw command that I can run that resets, or
> kills off, all established connections, and forces them to reconnect
> now that the rules are in place ? I could probably 'ifconfig down'
> the interface, but that seems like too much brute force ... is there a
> nice way to do it ?
>
> I was thinking of 'tcpdrop' but there doesn't seem to be a 'tcpdrop
> all' or equivalent command ...

If I were worried about that regularly, I wouldn't have "established" in
my ruleset to begin with. Keeping state would be more appropriate. I
can't picture a use case where this would come up in practice.
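The two rulesets side by side, added here as an example and not taken from either poster: the "established" shortcut the question describes, beside the check-state/keep-state form the reply recommends. Rule numbers and the port list (22, 443) are constructed for the example; the rules are written in the file format that ipfw(8) reads when given a file name.

```shell
#!/bin/sh
# Added example: "established" vs. stateful ipfw rulesets (not from the thread).

# Weak form. "established" matches any TCP packet with ACK or RST set; it
# does not know whether the connection was ever admitted by a setup rule,
# so after a flush-and-reload every in-flight connection keeps passing at 10.
weak_ruleset() {
    cat <<'EOF'
add 10 allow tcp from any to any established
add 100 allow tcp from any to me 22 setup
add 110 allow tcp from any to me 443 setup
add 65000 deny ip from any to any
EOF
}

# Stateful form. check-state consults the dynamic table; keep-state adds an
# entry only when a connection is admitted by its setup rule. Flushing the
# static rules discards their dynamic entries with them, so connections
# started before the reload no longer match at 10, fall through to the deny
# at 65000, and have to reconnect through the current rules.
stateful_ruleset() {
    cat <<'EOF'
add 10 check-state
add 100 allow tcp from any to me 22 setup keep-state
add 110 allow tcp from any to me 443 setup keep-state
add 65000 deny ip from any to any
EOF
}

# Flush, then load the chosen ruleset from a temporary file in one ipfw
# call (the same pattern rc.firewall uses for a firewall_type file).
# Only runs when the script is invoked with --install.
install_ruleset() {
    tmp=$(mktemp) || return 1
    "$1" > "$tmp"
    ipfw -q -f flush && ipfw -q "$tmp"
    rc=$?
    rm -f "$tmp"
    return $rc
}

case "${1-}" in
    --install) install_ruleset stateful_ruleset ;;
    --show)    stateful_ruleset ;;
esac
```

`./rules.sh --show` prints the stateful ruleset; `./rules.sh --install` flushes and loads it (root, on a FreeBSD host with ipfw enabled).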