Date:      Mon, 1 Sep 2003 15:29:36 +0200
From:      Sten Daniel Sørsdal <sten.daniel.sorsdal@wan.no>
To:        <freebsd-ipfw@freebsd.org>
Subject:   IPFW2, sets and dynamic rules.
Message-ID:  <0AF1BBDF1218F14E9B4CCE414744E70F07DF31@exchange.wanglobal.net>


Being a complete ipfw idiot, I hoped someone could clarify this for me.

I wrote a simple firewall script that uses dynamic rules (stateful rules).
It's basically like this (handwritten, the real script is a lot bigger):

=====

# build the new ruleset in set 1 while it is disabled, then swap it in
ipfw set disable 1
ipfw -q delete set 1
ipfw set disable 1

ipfw add 100 set 1 check-state
ipfw add 101 set 1 skipto 1000 ip from any to any in via fxp0    # internet
ipfw add 102 set 1 skipto 2000 ip from any to any out via fxp0
ipfw add 103 set 1 skipto 3000 ip from any to any in via fxp1    # lan
ipfw add 104 set 1 skipto 4000 ip from any to any out via fxp1
ipfw add 105 set 1 allow ip from any to any

# inbound from the internet
ipfw add 1000 set 1 deny ip from any to any

# outbound to the internet
ipfw add 2000 set 1 allow ip from me to any keep-state
ipfw add 2001 set 1 deny ip from any to any

# inbound from the lan
ipfw add 3000 set 1 allow tcp from 192.168.0.0/16 to any setup keep-state
ipfw add 3001 set 1 allow udp from 192.168.0.0/16 to any keep-state
ipfw add 3002 set 1 deny ip from any to any

# outbound to the lan
ipfw add 4000 set 1 allow ip from me to any keep-state
ipfw add 4001 set 1 deny ip from any to any

# make the new rules live as set 0; the old rules become set 1
ipfw set swap 0 1

============

After the swap, the dynamic rules that were added when running on set 0 to begin with (same script) do seem to work at first glance. However, if I add a rule at, say, 100 and shift all the other rules down, and re-run the script, then what happens with the dynamic rules? The TCP connections break.

Do the dynamic rules always point to the same set, or do they point to the new set when I run swap?

Do I need to enable set 1 afterwards to make it work? What is then the order of rule execution when two sets are enabled?

Are there any ways to change the set 0 rules while still retaining the functionality of the old dynamic rules?


- Sten
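The staged-set reload that the post describes, written out as one script. This is an added example, not Sten's script or anything from the FreeBSD project: it assumes ipfw2 with set support and the interface names (fxp0 outside, fxp1 inside) and LAN prefix from the post, all of which are overridable through environment variables. Set `IPFW=echo` to dry-run it and see the exact commands it would issue without touching the kernel. It builds the new rules into a disabled staging set, swaps that set in atomically so the box is never without a firewall mid-reload, and lists the dynamic rules with `ipfw -d show` before and after the old set is deleted, which is the observation the post's question about surviving state comes down to.

```shell
#!/bin/sh
# Added example (not from the original post): atomic ipfw ruleset reload
# via a disabled staging set and "ipfw set swap".
# Assumptions (constructed, override via environment): ipfw2 with sets,
# outside interface fxp0, inside interface fxp1, LAN 192.168.0.0/16.

IPFW="${IPFW:-ipfw}"              # IPFW=echo gives a dry run
EXT_IF="${EXT_IF:-fxp0}"
INT_IF="${INT_IF:-fxp1}"
LAN="${LAN:-192.168.0.0/16}"
LIVE_SET=0                        # set currently carrying traffic
STAGE_SET=1                       # set we fill while it is disabled

# Emit the rule bodies for one set number, using the post's skipto layout.
emit_rules() {
    s="$1"
    cat <<EOF
add 100 set $s check-state
add 101 set $s skipto 1000 ip from any to any in via $EXT_IF
add 102 set $s skipto 2000 ip from any to any out via $EXT_IF
add 103 set $s skipto 3000 ip from any to any in via $INT_IF
add 104 set $s skipto 4000 ip from any to any out via $INT_IF
add 105 set $s allow ip from any to any
add 1000 set $s deny ip from any to any
add 2000 set $s allow ip from me to any keep-state
add 2001 set $s deny ip from any to any
add 3000 set $s allow tcp from $LAN to any setup keep-state
add 3001 set $s allow udp from $LAN to any keep-state
add 3002 set $s deny ip from any to any
add 4000 set $s allow ip from me to any keep-state
add 4001 set $s deny ip from any to any
EOF
}

# Number of rules the staging set receives (handy for sanity checks).
rule_count() {
    emit_rules "$STAGE_SET" | wc -l | tr -d ' '
}

# Full reload: stage, swap, then retire the old set.
reload() {
    # Nothing in the staging set may match while we are still filling it.
    $IPFW set disable "$STAGE_SET"
    $IPFW -q delete set "$STAGE_SET"      # leftovers from the last reload

    # Load every rule; abort before the swap if any single rule is rejected,
    # so a typo never leaves a half-built set live.
    emit_rules "$STAGE_SET" | while read -r line; do
        $IPFW $line || { echo "rule rejected: $line" >&2; exit 1; }
    done || return 1

    # Atomic cut-over: the new rules now carry set number $LIVE_SET and the
    # old ones carry $STAGE_SET, which is still disabled.
    $IPFW set swap "$LIVE_SET" "$STAGE_SET"

    # Show dynamic state before and after retiring the old rules so the
    # operator can see which entries survive the reload.
    $IPFW -d show
    $IPFW -q delete set "$STAGE_SET"
    $IPFW -d show
}

if [ "${1:-}" = "reload" ]; then
    reload
fi
```

Run it as `sh reload.sh reload` on the firewall, or `IPFW=echo sh reload.sh reload` anywhere to review the command sequence first. Keeping the staging set disabled until the swap is the whole point of the pattern: rules are added one at a time, and an enabled half-loaded set would briefly expose the host to whatever the partial ruleset happens to allow or deny.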


