Date:      Mon, 1 Sep 2003 16:09:26 +0200
From:      "Simon L. Nielsen" <simon@FreeBSD.org>
To:        Sten Daniel Sørsdal <sten.daniel.sorsdal@wan.no>
Cc:        freebsd-ipfw@freebsd.org
Subject:   Re: IPFW2, sets and dynamic rules.
Message-ID:  <20030901140925.GC396@FreeBSD.org>
In-Reply-To: <0AF1BBDF1218F14E9B4CCE414744E70F07DF31@exchange.wanglobal.net>
References:  <0AF1BBDF1218F14E9B4CCE414744E70F07DF31@exchange.wanglobal.net>

On 2003.09.01 15:29:36 +0200, Sten Daniel Sørsdal wrote:

> are there any ways to change the set 0 rules while still retaining the
> functionality of the old dynamic rules?

As Luigi said, when you delete a rule the corresponding dynamic rules are
deleted as well.

I use the following hack which allows one reload without deleting
running connections.  I basically move all the "old" rules to a disabled
set, so they still exist but aren't active.  That way the dynamic rules
aren't deleted.

    # fwcmd is the ipfw binary (fwcmd="/sbin/ipfw" in the stock rc.firewall)
    set_nospoof="2"
    set_bandwidth="3"
    set_std="4"
    set_nitro="5"
    set_bogon="6"
    set_old="30"
    # All the default active sets :
    sets_normal="0 $set_nospoof $set_bandwidth $set_std $set_nitro $set_bogon"

    # Clean old set
    ${fwcmd} delete set ${set_old}
    ${fwcmd} set enable ${set_old}

    # Move all rules to special set
    for s in $sets_normal; do
        ${fwcmd} set move ${s} to ${set_old}
    done

    # Disable normal sets so we can safely add to them
    ${fwcmd} set disable $sets_normal

    ${fwcmd} add set ${set_std} reset tcp from any to any 113

    # A lot of other rules

    # Now we switch to the new sets
    ${fwcmd} set disable ${set_old} enable ${sets_normal}

Note that this is just copy/pasted from my firewall script, but you should
get the idea.

This is not pretty, but it works.

-- 
Simon L. Nielsen
FreeBSD Documentation Team

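The same reload sequence written out as an added example (not Simon's script and not FreeBSD's own code) as two dry-run shell functions with a sanity check on the set numbers; it assumes set 30 is an otherwise unused parking set and leaves fwcmd pointing at echo until you point it at /sbin/ipfw.

```shell
#!/bin/sh
# Added example, not Simon's script: the "park the old rules in a
# disabled set" reload as two functions with a dry-run mode.
# Set numbers and variable names are assumptions; nothing touches ipfw
# unless fwcmd is set to the real binary (fwcmd=/sbin/ipfw).
fwcmd="${fwcmd:-echo}"

# valid_set N: ipfw set numbers are 0..31; set 31 holds the default rule
# and cannot be disabled, so only 0..30 are usable for this trick.
valid_set() {
    case "$1" in ''|*[!0-9]*) return 1 ;; esac
    [ "$1" -le 30 ]
}

# prepare_reload "LIVE SETS" PARKING_SET
# Empties the parking set, moves every live set into it (still enabled,
# so traffic keeps flowing) and disables the live sets so new rules can
# be added to them without being active yet.  Only the generation parked
# by the previous reload is deleted, together with its dynamic rules.
prepare_reload() {
    live="$1"; old="$2"
    valid_set "$old" || { echo "bad parking set: $old" >&2; return 1; }
    for s in $live; do
        valid_set "$s" || { echo "bad live set: $s" >&2; return 1; }
        [ "$s" = "$old" ] && { echo "set $s is both live and parking" >&2; return 1; }
    done
    ${fwcmd} delete set "$old"
    ${fwcmd} set enable "$old"
    for s in $live; do
        ${fwcmd} set move "$s" to "$old"
    done
    ${fwcmd} set disable $live
}

# finish_reload "LIVE SETS" PARKING_SET: cut over to the new rules in one
# command; the parked rules stay (disabled) until the next prepare_reload.
finish_reload() {
    ${fwcmd} set disable "$2" enable $1
}

# Example run (prints the ipfw arguments unless fwcmd is overridden):
prepare_reload "0 2 3" 30 && \
${fwcmd} add set 3 reset tcp from any to any 113 && \
finish_reload "0 2 3" 30
```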
Want to link to this message? Use this URL: <http://docs.FreeBSD.org/cgi/mid.cgi?20030901140925.GC396>