From owner-freebsd-ipfw@FreeBSD.ORG Mon Sep 1 06:32:15 2003
From: Sten Daniel Sørsdal <sten.daniel.sorsdal@wan.no>
To: freebsd-ipfw@freebsd.org
Date: Mon, 1 Sep 2003 15:29:36 +0200
Subject: IPFW2, sets and dynamic rules.
Message-ID: <0AF1BBDF1218F14E9B4CCE414744E70F07DF31@exchange.wanglobal.net>
List-Id: IPFW Technical Discussions

Being a complete ipfw idiot, I hoped someone could clarify this to me. I wrote a simple firewall script that uses dynamic rules (stateful rules).
It's basically like this (handwritten, real script is a lot bigger):
=====
# Rebuild set 1 while it is disabled, then swap it with the active set 0.
ipfw set disable 1
ipfw -q delete set 1
ipfw add 100 set 1 check-state
ipfw add 101 set 1 skipto 1000 ip from any to any in via fxp0 // internet
ipfw add 102 set 1 skipto 2000 ip from any to any out via fxp0
ipfw add 103 set 1 skipto 3000 ip from any to any in via fxp1 // lan
ipfw add 104 set 1 skipto 4000 ip from any to any out via fxp1
ipfw add 105 set 1 allow ip from any to any
# inbound from the internet
ipfw add 1000 set 1 deny ip from any to any
# outbound to the internet
ipfw add 2000 set 1 allow ip from me to any keep-state
ipfw add 2001 set 1 deny ip from any to any
# inbound from the lan (192.186.0.0/16 in the original rule 3001 is
# presumably a typo for the same lan prefix used in rule 3000)
ipfw add 3000 set 1 allow tcp from 192.168.0.0/16 to any setup keep-state
ipfw add 3001 set 1 allow udp from 192.168.0.0/16 to any keep-state
ipfw add 3002 set 1 deny ip from any to any
# outbound to the lan
ipfw add 4000 set 1 allow ip from me to any keep-state
ipfw add 4001 set 1 deny ip from any to any
# new rules become set 0 (enabled), old rules become set 1 (disabled)
ipfw set swap 0 1
=====

After the swap, the dynamic rules that were added when running on set 0 to begin with (same script) do seem to work at first glance. However, if I add a rule at, say, 100 and shift all other rules down, and re-run the script, then what happens with the dynamic rules? The TCP connections break.

Do the dynamic rules always point to the same set, or do they point to the new set when I run swap? Do I need to enable set 1 afterwards to make it work? How is then the line of rule execution, when two sets are enabled?

Are there any ways to change the set 0 rules while still retaining the functionality of the old dynamic rules?

- Sten