Date:      Wed, 5 Sep 2018 11:28:47 +0200
From:      Ole <ole@free.de>
To:        freebsd-ipfw@freebsd.org
Subject:   ipfw managing rules - best practice?
Message-ID:  <20180905112847.54287198.ole@free.de>


Hi,

I'm using the ipfw firewall on several machines. Rules are made by users by
hand or by configuration management tools.

For this, the ipfw.rules script sources other files:

#!/bin/sh

ipfw -q -f flush                 # removes all rules, including the dynamic ones
cmd="ipfw -q add"
pif="epair0b"                    # interface name of NIC attached to Internet
$cmd 00010 allow all from any to any via lo0
for RULES in /etc/ipfw.rules.d/*.rules ; do
  . "$RULES"                     # each fragment adds rules with "$cmd NNNNN ..."
done
$cmd 09999 deny log all from any to any

If a user or a script alters a file, `service ipfw restart` is called.
This works fine except for one thing: active connections like SQL,
syslog, SSH, etc. get broken. They are defined like

$cmd 01610 allow tcp from vpn.example.org to me 22 in via $pif setup limit src-addr 50

I understand that these connections get broken because the dynamic
rules get flushed by the `ipfw -q -f flush` command. But commenting
this command out results in a continuously growing rules table.

With the `ipfw -d list` command I can see the dynamic rules.
Is there a way to flush the rules but not the dynamic ones?
Or to add them again after the flush?

How do you reload your rules?

Thanks for your help
Ole

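An added example, not Ole's code and not a reply from the list: the same ipfw.rules layout rebuilt on ipfw rule sets so that a reload no longer starts with `ipfw -q -f flush`. The new rules are staged in a disabled set, then `ipfw set swap` exchanges the staged set with the live one in a single ipfw operation, so there is no window in which only the default rule 65535 exists (with the flush-then-add script, that window either drops or, on a kernel built to accept by default, passes everything). Assumed, since the post does not say: the live rules are in set 0, set 1 is free for staging, the fragments under /etc/ipfw.rules.d keep using `$cmd NNNNN ...` and `$pif` exactly as posted, and `IPFW` and `RULES_DIR` can be overridden (for instance with a logging shell function) to inspect the generated command sequence without root.

```shell
#!/bin/sh
# Added example, not the script from the original post: reload the
# /etc/ipfw.rules.d fragments through ipfw rule sets instead of flushing.
# Assumptions (not stated in the post): the live ruleset is in set 0,
# set 1 is free for staging, fragments use "$cmd NNNNN ..." and "$pif"
# as in the posted script.  IPFW and RULES_DIR are overridable so the
# command sequence can be inspected with a fake ipfw, without root.

IPFW="${IPFW:-ipfw}"
RULES_DIR="${RULES_DIR:-/etc/ipfw.rules.d}"
pif="${pif:-epair0b}"      # interface name of NIC attached to Internet
LIVE_SET=0
NEW_SET=1

# Wrapper behind "$cmd": the fragments pass the rule number first, and the
# rule is tagged with the staging set.  ipfw syntax is
# "add [number] [set N] action ...", so "set" must follow the number.
add_rule() {
    num="$1"
    shift
    $IPFW -q add "$num" set "$NEW_SET" "$@"
}
cmd=add_rule

load_rules() {
    # Clear leftovers from an aborted run; an empty staging set is fine.
    $IPFW -q delete set "$NEW_SET" 2>/dev/null || true
    # Keep the staging set out of the lookup path until it is complete.
    $IPFW -q set disable "$NEW_SET"

    $cmd 00010 allow all from any to any via lo0
    for rules in "$RULES_DIR"/*.rules; do
        [ -r "$rules" ] || continue   # an unmatched glob expands to itself
        . "$rules"
    done
    $cmd 09999 deny log all from any to any

    # Exchange the set numbers: the staged rules become set 0 (enabled),
    # the previous live rules become set 1 (still disabled).  This is one
    # ipfw operation, so the firewall never runs with an empty ruleset.
    $IPFW -q set swap "$LIVE_SET" "$NEW_SET"
    # Drop the previous ruleset.  Dynamic states created by these rules are
    # expired with them unless net.inet.ip.fw.dyn_keep_states=1 (see note).
    $IPFW -q delete set "$NEW_SET"
}

# Run the reload only when executed as the ipfw.rules script; sourcing the
# file merely defines the functions.
if [ "$(basename -- "$0")" = "ipfw.rules" ]; then
    load_rules
fi
```

Two caveats. First, the swap removes the flush and the empty-ruleset window, but by itself it does not keep the states: when `delete set 1` removes the old parent rules, ipfw expires the dynamic states those rules created, which is exactly the breakage described in the post. Whether they survive depends on the sysctl `net.inet.ip.fw.dyn_keep_states` ("keep dynamic states on rule deletion"); it exists only in newer FreeBSD releases and is not mentioned in the post, so check for it with `sysctl -d net.inet.ip.fw.dyn_keep_states` before relying on it, and compare `ipfw -d list` before and after a reload to confirm the states were kept. Second, rule numbers may repeat across sets, so the staged set can reuse the fragments' numbers unchanged; the default rule 65535 lives in set 31 and is untouched by the swap and the delete.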



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20180905112847.54287198.ole>