Date:      Wed, 5 Sep 2018 08:38:23 -0700
From:      Freddie Cash <>
Subject:   Re: ipfw managing rules - best practice?

On Wed, Sep 5, 2018 at 2:29 AM Ole <> wrote:

> Hi,
> I'm using the ipfw firewall on several machines. Rules are made by users by
> hand or by configuration management tools.
> For this the ipfw.rules script sources other files:
>
> #!/bin/sh
> ipfw -q -f flush
> cmd="ipfw -q add"
> pif="epair0b"     # interface name of NIC attached to Internet
> $cmd 00010 allow all from any to any via lo0
> # source every per-service rule file, in glob (sorted) order
> for RULES in /etc/ipfw.rules.d/*.rules ; do
>   . "$RULES"
> done
> $cmd 09999 deny log all from any to any
>
> If a user or a script alters a file, `service ipfw restart` is called.
> This is working fine except for one thing. Active connections like sql,
> syslog, ssh, etc. get broken. They are defined like
>
> $cmd 01610 allow tcp from  to me 22 in via $pif setup limit src-addr 50
>
> I understand that these connections get broken because the dynamic
> rules get flushed with the `ipfw -q -f flush` command. But commenting
> this command out results in a continuously growing rules table.
> With the `ipfw -d list` command I can see the dynamic rules.
> Is there a way to flush the rules but not the dynamic ones?
> Or to add them again after flush?
> How do you reload your rules?

Rule sets are made for this.  :)

Edit your script to create a new rule set 1 as the first step.  Then
insert all the rules into rule set 1.

As the last line of your script, you swap set 1 and set 0, which makes your
new rules live.  It's an atomic switch, so no packets are lost or
connections dropped.  (Note:  I've never used stateful filtering with IPFW
so not sure how the rule set switch interacts with that, but it shouldn't
drop the dynamic connections.)

ipfw -q delete set 1
ipfw set disable 1

... all your normal rules, prepended by "set 1"

ipfw set enable 1
ipfw set swap 1 0
ipfw set disable 1
ipfw -q delete set 1

Freddie Cash
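The set-swap reload described above, written out as a complete script. This is an added example, not code from the thread or from FreeBSD; it keeps the original poster's layout (one file per service under /etc/ipfw.rules.d, each line `$cmd <number> <rule>` with `$pif` for the outside interface) and uses ipfw(8)'s `add`, `delete set`, `set enable`, `set disable` and `set swap`. `RULES_DIR`, `LIVE_SET`, `STAGE_SET`, `PIF`, `DRY_RUN`, `fw`, `fw_add` and `reload_rules` are names chosen for this example.

```shell
#!/bin/sh
# Added example (not from the thread or from FreeBSD): reload ipfw rules by
# building them in a disabled staging set and swapping it with the live set,
# so the switch happens in one kernel operation instead of flush-then-rebuild.
# Assumes the original poster's /etc/ipfw.rules.d layout. RULES_DIR, LIVE_SET,
# STAGE_SET, PIF, DRY_RUN, fw, fw_add and reload_rules are this example's names.

RULES_DIR="${RULES_DIR:-/etc/ipfw.rules.d}"
LIVE_SET="${LIVE_SET:-0}"      # set that currently carries traffic
STAGE_SET="${STAGE_SET:-1}"    # scratch set, built while disabled, then swapped in
PIF="${PIF:-epair0b}"          # interface name of NIC attached to Internet
DRY_RUN="${DRY_RUN:-0}"        # 1 = print the ipfw commands instead of running them

# Single choke point for ipfw so the whole sequence can be reviewed with DRY_RUN=1.
# -q keeps ipfw quiet, e.g. when "delete set" finds the staging set already empty.
fw() {
    if [ "$DRY_RUN" = 1 ]; then
        echo "ipfw -q $*"
    else
        ipfw -q "$@"
    fi
}

# "$cmd NUMBER RULE..." in the rule files becomes "ipfw -q add NUMBER set
# $STAGE_SET RULE...". ipfw expects the rule number before the "set" keyword,
# so the set cannot simply be prepended to $cmd; this wrapper slots it in and
# the existing rule files stay unchanged.
fw_add() {
    _num=$1
    shift
    fw add "$_num" set "$STAGE_SET" "$@"
}

reload_rules() {
    if [ "$STAGE_SET" = "$LIVE_SET" ]; then
        echo "reload_rules: staging set must differ from live set" >&2
        return 1
    fi

    # 1. Start from an empty, disabled staging set so a half-built rule set
    #    never sees packets. Only rules in STAGE_SET are touched here.
    fw delete set "$STAGE_SET"
    fw set disable "$STAGE_SET"

    # 2. Populate the staging set: fixed head rule, the per-service files in
    #    glob (sorted) order, fixed tail rule, as in the original script.
    cmd=fw_add
    pif=$PIF
    $cmd 00010 allow all from any to any via lo0
    for f in "$RULES_DIR"/*.rules; do
        [ -e "$f" ] || continue     # empty directory: the glob stays literal
        . "$f"
    done
    $cmd 09999 deny log all from any to any

    # 3. Swap set numbers: the new rules become LIVE_SET in one operation and
    #    the old rules land in STAGE_SET, which is then disabled and deleted.
    fw set enable "$STAGE_SET"
    fw set swap "$STAGE_SET" "$LIVE_SET"
    fw set disable "$STAGE_SET"
    fw delete set "$STAGE_SET"
}

# Run only when asked explicitly: "sh reload-ipfw.sh apply", or
# "DRY_RUN=1 sh reload-ipfw.sh apply" to preview the command sequence.
if [ "${1:-}" = apply ]; then
    reload_rules
fi
```

Previewing with `DRY_RUN=1` before the first real run is worthwhile: it shows every rule with its number and `set 1` in place, and the final four lines show the enable, swap, disable and delete in the order the thread gives.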
