Date:      Wed, 5 Sep 2018 18:33:58 +0300
From:      "Andrey V. Elsukov" <bu7cher@yandex.ru>
To:        Ole <ole@free.de>, freebsd-ipfw@freebsd.org
Subject:   Re: ipfw managing rules - best practice?
Message-ID:  <67544958-07fe-7ff4-b5d2-88bf85324061@yandex.ru>
In-Reply-To: <20180905112847.54287198.ole@free.de>
References:  <20180905112847.54287198.ole@free.de>

On 05.09.2018 12:28, Ole wrote:
> I understand that these connections get broken because the dynamic
> rules get flushed with the `ipfw -q -f flush` command. But commenting
> this command out results in a continuously growing rules table.
>
> With the `ipfw -d list` command I can see the dynamic rules.
> Is there a way to flush the rules but not the dynamic ones?
> Or to add them again after flush?

There is a net.inet.ip.fw.dyn_keep_states sysctl variable. It allows
keeping dynamic state when the parent rule is deleted. But you need to use
a default_to_accept firewall to make it work.
I plan to reimplement this feature to be more useful and work with any
rules, not only with "allow" rules.

-- 
WBR, Andrey V. Elsukov
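A reload script built around the sysctl and the caveat from the reply above, added here as an example; it is not code from the thread or from FreeBSD, and the rule file path and the sample `ipfw -d list` output in the test are constructed placeholders:

```shell
#!/bin/sh
# Added example, not from the thread or from FreeBSD: reload an ipfw rule file
# without losing dynamic states, using net.inet.ip.fw.dyn_keep_states.
# Assumption: RULE_FILE below is a placeholder path for the local rule script.
set -eu
RULE_FILE=${RULE_FILE:-/etc/ipfw.rules}

# The reply's caveat: dyn_keep_states only works on a default_to_accept firewall.
# $1 = net.inet.ip.fw.default_to_accept, $2 = net.inet.ip.fw.dyn_keep_states
keep_states_ok() {
    [ "$1" = "1" ] && [ "$2" = "1" ]
}

# Count dynamic states in "ipfw -d list" output read from stdin. ipfw prints
# them after a "## Dynamic rules" header, so every non-empty line below it
# is one state entry.
count_dyn_states() {
    awk '/^## Dynamic rules/ { dyn = 1; next }
         dyn && NF          { n++ }
         END                { print n + 0 }'
}

# Flush and reload, refusing to proceed if the kernel would drop the states.
reload_rules() {
    dta=$(sysctl -n net.inet.ip.fw.default_to_accept)
    sysctl net.inet.ip.fw.dyn_keep_states=1 >/dev/null
    dks=$(sysctl -n net.inet.ip.fw.dyn_keep_states)
    if ! keep_states_ok "$dta" "$dks"; then
        echo "refusing: dyn_keep_states needs a default_to_accept firewall" >&2
        return 1
    fi
    before=$(ipfw -d list | count_dyn_states)
    ipfw -q -f flush
    sh "$RULE_FILE"
    after=$(ipfw -d list | count_dyn_states)
    echo "dynamic states before flush: $before, after reload: $after"
}

# Only touch the live firewall when explicitly asked.
if [ "${1:-}" = "--apply" ]; then
    reload_rules
fi
```

Run it as `sh reload.sh --apply` on the firewall host; without the flag it only defines the helpers, so the counting logic can be checked against captured `ipfw -d list` output first.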
