Skip site navigation (1)Skip section navigation (2)
Date:      Wed, 5 Sep 2018 11:28:47 +0200
From:      Ole <ole@free.de>
To:        freebsd-ipfw@freebsd.org
Subject:   ipfw managing rules - best practice?
Message-ID:  <20180905112847.54287198.ole@free.de>

Next in thread | Raw E-Mail | Index | Archive | Help
--Sig_/2.6TSSq+3cx3XH1i_O6k5Gc
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: quoted-printable

Hi,

I'm using ipfw firewall on several machines. Rules are made by users by
hand or by configuration management tools.

For this the ipfw.rules script sources other files:

#!/bin/sh

ipfw -q -f flush
cmd=3D"ipfw -q add"
pif=3D"epair0b"     # interface name of NIC attached to Internet
$cmd 00010 allow all from any to any via lo0
for RULES in `ls  /etc/ipfw.rules.d/*.rules` ; do
  . $RULES
done
$cmd 09999 deny log all from any to any

If a user or a script alters a file, `service ipfw restart` is called.
This is working fine except one thing. Active connections like sql,
syslog, ssh, etc. get broken. They are defined like

$cmd 01610 allow tcp from vpn.example.org to me 22 in via $pif setup limit =
src-addr 50

I understand, that this connections get broken because the dynamic=20
rules get flushed with the `ipfw -q -f flush` command. But commenting=20
this command out results in a continuously growing rules table.

With the `ipfw -d list` command I can see the dynamic rules.=20
Is there a way to flush the rules but not the dynamic ones?
Or to add them again after flush?

How do you reload your rules?

Thanks for help
Ole

--Sig_/2.6TSSq+3cx3XH1i_O6k5Gc
Content-Type: application/pgp-signature
Content-Description: Digitale Signatur von OpenPGP

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2

iQIcBAEBCAAGBQJbj6HSAAoJECWWkUao5JRQiIMP/37WvFpQ9crwboID59u6TgRU
VVqUPjD7RugNV/kT8ZGh2H6+yY+UMFEUcW/jdOvDt4iVOncznAycLS+oqEJgfflz
89uOOhZKRrObk+wcmCWQOuK+UqAUvXarvqK/EXyGC3jDO+6xP9FxembotE296t0I
kZ24W1U7tg5giJXcSWwsMbd67sswPOQ+0udaoVv9Jp+FT4NgAyHL+iGuRkKgZW9i
Zuyb3/HIHA3+V+CQ+0AwHa3aeeXVqdDe78rddUrq9aXQ/GfzdXUGe65KCtYPMQty
BEVu5X2oAv7MQ8dao7oxuOo+fydUahmHgxzwZJfYtHcUhbOpeMJGRviCeug8nK6g
IxCLLuCrDp9yalNZFRiT6miEAHLDKcGIfvqtuGYi5zVrV/QcVjyGb/YGfak6M0MZ
Cros8uHqzCEnRO51K2CdWVzoYReKo7ac+CjUhLZSEFIzWuHugp3IOE8CYytsIF5P
gETfdL17uQFLjzFElZJDlt4A7EhvgY/n3RKkzx5pkm2wRZ9Ll36lnjNVkRgNeYCb
yxLipxJeLWE8sVqa2cO2KGHXaUQwqkEhdIKHrTaEUZhOhwWckWn/Vq1RxWudk6IQ
wXCn5/FGPA+NVSboujOdlxsJcO9upLjy5869UEHE0cjU7RhJr/uENRGRCR+Q51sC
LiDX5xBLgM5M2bA289+7
=MAQm
-----END PGP SIGNATURE-----

--Sig_/2.6TSSq+3cx3XH1i_O6k5Gc--



Want to link to this message? Use this URL: <http://docs.FreeBSD.org/cgi/mid.cgi?20180905112847.54287198.ole>