From owner-freebsd-ipfw@freebsd.org Sun Sep 2 21:00:27 2018
From: bugzilla-noreply@FreeBSD.org
To: ipfw@FreeBSD.org
Subject: Problem reports for ipfw@FreeBSD.org that need special attention
Date: Sun, 2 Sep 2018 21:00:25 +0000

To view an individual PR, use:
  https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=(Bug Id).

The following is a listing of current problems submitted by FreeBSD users,
which need special attention. These represent problem reports covering all
versions including experimental development code and obsolete releases.

Status      | Bug Id | Description
------------+--------+---------------------------------------------------
New         | 215875 | [ipfw] ipfw lookup tables do not support mbuf_tag

1 problems total for which you should take action.
From owner-freebsd-ipfw@freebsd.org Tue Sep 4 13:51:09 2018
From: bugzilla-noreply@freebsd.org
To: ipfw@FreeBSD.org
Subject: [Bug 231143] Ipfw fwd with route(8) RTF_BLACKHOLE and fast forwarding on FreeBSD 11
Date: Tue, 04 Sep 2018 13:51:06 +0000

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=231143

Mark Linimon changed:

           What    |Removed          |Added
----------------------------------------------------------------------------
           Assignee|net@FreeBSD.org  |ipfw@FreeBSD.org
           Keywords|                 |patch

--
You are receiving this mail because:
You are the assignee for the bug.

From owner-freebsd-ipfw@freebsd.org Tue Sep 4 15:09:30 2018
From: bugzilla-noreply@freebsd.org
To: ipfw@FreeBSD.org
Subject: [Bug 231143] Ipfw fwd with route(8) RTF_BLACKHOLE and fast forwarding on FreeBSD 11
Date: Tue, 04 Sep 2018 15:09:28 +0000

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=231143

Eugene Grosbein changed:

           What    |Removed |Added
----------------------------------------------------------------------------
 Attachment #196852|0       |1
        is obsolete|        |

--- Comment #4 from Eugene Grosbein ---
Created attachment 196860
  --> https://bugs.freebsd.org/bugzilla/attachment.cgi?id=196860&action=edit
proposed fix

More correct version of the patch following current mode of packet filtering
operation that does not skip second pass over filters if "ipfw fwd" matched
incoming packet.
--
You are receiving this mail because:
You are the assignee for the bug.

From owner-freebsd-ipfw@freebsd.org Tue Sep 4 19:45:12 2018
From: bugzilla-noreply@freebsd.org
To: ipfw@FreeBSD.org
Subject: [Bug 231143] Ipfw fwd with route(8) RTF_BLACKHOLE and fast forwarding on FreeBSD 11
Date: Tue, 04 Sep 2018 19:45:10 +0000

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=231143

--- Comment #5 from Runer ---
(In reply to Eugene Grosbein from comment #4)

Excellent! This patch works for me.
cd /usr/src && patch < /path/to/patch
|Index: sys/netinet/ip_fastfwd.c
|===================================================================
|--- sys/netinet/ip_fastfwd.c    (revision 338011)
|+++ sys/netinet/ip_fastfwd.c    (working copy)
--------------------------
Patching file sys/netinet/ip_fastfwd.c using Plan A...
Hunk #1 succeeded at 151.
Hunk #2 succeeded at 292.
Hunk #3 succeeded at 312.
Hunk #4 succeeded at 338.
Hunk #5 succeeded at 361.

route add default 127.0.0.1 -blackhole -iface

Internet:
Destination        Gateway            Flags     Netif Expire
default            127.0.0.1          USB         lo0

traffic from the address from table(1) is forwarded.

ipfw show
00100   139   9466 fwd 10.0.0.5 ip from table(1) to not 10.0.0.0/8 in via vtnet0

icmp not from table(1) address, is silently dropped (-blackhole)

Many thanks! Great work! Good luck to you!

--
You are receiving this mail because:
You are the assignee for the bug.

From owner-freebsd-ipfw@freebsd.org Wed Sep 5 05:14:45 2018
From: bugzilla-noreply@freebsd.org
To: ipfw@FreeBSD.org
Subject: [Bug 231143] Ipfw fwd with route(8) RTF_BLACKHOLE and fast forwarding on FreeBSD 11
Date: Wed, 05 Sep 2018 05:14:42 +0000
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=231143

Eugene Grosbein changed:

           What    |Removed          |Added
----------------------------------------------------------------------------
           Assignee|ipfw@FreeBSD.org |eugen@freebsd.org
             Status|Open             |In Progress

--
You are receiving this mail because:
You are the assignee for the bug.

From owner-freebsd-ipfw@freebsd.org Wed Sep 5 09:29:00 2018
Date: Wed, 5 Sep 2018 11:28:47 +0200
From: Ole
To: freebsd-ipfw@freebsd.org
Subject: ipfw managing rules - best practice?

Hi,

I'm using ipfw firewall on several machines. Rules are made by users by
hand or by configuration management tools. For this the ipfw.rules script
sources other files:

#!/bin/sh
ipfw -q -f flush
cmd="ipfw -q add"
pif="epair0b"   # interface name of NIC attached to Internet

$cmd 00010 allow all from any to any via lo0

# source every rule fragment; a plain glob avoids parsing ls(1) output
for RULES in /etc/ipfw.rules.d/*.rules ; do
    . "$RULES"
done

$cmd 09999 deny log all from any to any

If a user or a script alters a file, `service ipfw restart` is called.
This is working fine except one thing. Active connections like sql,
syslog, ssh, etc. get broken. They are defined like

$cmd 01610 allow tcp from vpn.example.org to me 22 in via $pif setup limit src-addr 50

I understand that these connections get broken because the dynamic
rules get flushed with the `ipfw -q -f flush` command. But commenting
this command out results in a continuously growing rules table.

With the `ipfw -d list` command I can see the dynamic rules.
Is there a way to flush the rules but not the dynamic ones?
Or to add them again after flush?

How do you reload your rules?
Thanks for help
Ole

From owner-freebsd-ipfw@freebsd.org Wed Sep 5 10:12:10 2018
Date: Wed, 05 Sep 2018 13:12:01 +0300
From: wishmaster
Subject: Re: ipfw managing rules - best practice?
To: Ole
Cc: freebsd-ipfw@freebsd.org

Hi,

here is my approach. I have one ipfw.conf and ipfw.conf.last files. And the
script which does a diff of these files and changes only the rule(s) which
have been changed. Therefore there is no need to reload service ipfw.

--- Original message ---
From: "Ole"
Date: 5 September 2018, 12:29:12
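The diff-based reload that wishmaster describes, written out as an added example for Ole's question (this is not wishmaster's script, which the thread does not include). It assumes rule files in "ipfw list" style (rule number first, one rule per line, "#" comments allowed) and the file names ipfw.conf / ipfw.conf.last from the reply; only rule numbers whose text changed are deleted and re-added, so the dynamic states of every other rule survive.

```shell
#!/bin/sh
# Incremental ipfw rule reload (added example, not code from the thread).
# Assumed rule file format: one rule per line, "ipfw list" style, e.g.
#   01610 allow tcp from vpn.example.org to me 22 in via epair0b setup limit src-addr 50
# Set DRY_RUN=1 to print the ipfw commands instead of executing them.

run_ipfw() {
    if [ -n "$DRY_RUN" ]; then
        printf 'ipfw %s\n' "$*"
    else
        ipfw -q "$@"
    fi
}

# Canonical form of a rule file: comments and blank lines dropped, whitespace
# squeezed, leading zeros of the rule number removed ("00100" and "100" are
# the same rule to ipfw), sorted so comm(1) can compare two files line by line.
normalize_rules() {
    sed -e 's/#.*$//' \
        -e 's/[[:space:]]\{1,\}/ /g' -e 's/^ //' -e 's/ $//' \
        -e 's/^0*\([0-9]\)/\1/' "$1" \
        | grep -v '^$' | LC_ALL=C sort -u
}

# Rule numbers whose rules differ between old ($1) and new ($2): changed,
# added or removed. Output is one number per line, deduplicated.
changed_rule_numbers() {
    tmp_old=$(mktemp) && tmp_new=$(mktemp) || return 1
    normalize_rules "$1" > "$tmp_old"
    normalize_rules "$2" > "$tmp_new"
    # comm -3 prints lines unique to either file (those from the second file
    # carry a leading tab); cut keeps only the rule number.
    LC_ALL=C comm -3 "$tmp_old" "$tmp_new" | tr -d '\t' | cut -d ' ' -f 1 \
        | LC_ALL=C sort -u
    rm -f "$tmp_old" "$tmp_new"
}

# For every changed number: delete the old rule(s) and re-add all rules with
# that number from the new file. "ipfw delete N" removes every rule numbered
# N, so unchanged rules sharing the number must be re-added as well. Between
# delete and add the slot is briefly empty, so keep rules that must never
# lapse (the loopback allow, the final deny) on their own numbers.
apply_rule_diff() {
    old_file=$1
    new_file=$2
    for num in $(changed_rule_numbers "$old_file" "$new_file"); do
        if normalize_rules "$old_file" | grep -q "^$num "; then
            run_ipfw delete "$num"
        fi
        normalize_rules "$new_file" | grep "^$num " | while IFS= read -r rule; do
            # $rule is split on purpose: each token becomes an ipfw argument,
            # and it already begins with the rule number.
            run_ipfw add $rule
        done
    done
}

# Usage: ipfw-reload.sh /etc/ipfw.conf.last /etc/ipfw.conf
# On success the .last copy is refreshed, so the next run diffs against what
# is actually loaded (skipped in dry-run mode).
if [ $# -eq 2 ]; then
    apply_rule_diff "$1" "$2" && [ -z "$DRY_RUN" ] && cp -- "$2" "$1"
fi
```

Run it once with DRY_RUN=1 against the two files to see exactly which rule numbers would be touched before letting it call ipfw.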
From owner-freebsd-ipfw@freebsd.org Wed Sep 5 15:35:22 2018
From: "Andrey V. Elsukov"
To: Ole, freebsd-ipfw@freebsd.org
Subject: Re: ipfw managing rules - best practice?
Date: Wed, 5 Sep 2018 18:33:58 +0300
Content-Type: multipart/signed; micalg=pgp-sha256; protocol="application/pgp-signature"; boundary="Ax4Eeh3fAzSZX7v9RGQhIXM6wYYxxKEFM" X-BeenThere: freebsd-ipfw@freebsd.org X-Mailman-Version: 2.1.27 Precedence: list List-Id: IPFW Technical Discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 05 Sep 2018 15:35:22 -0000 This is an OpenPGP/MIME signed message (RFC 4880 and 3156) --Ax4Eeh3fAzSZX7v9RGQhIXM6wYYxxKEFM Content-Type: multipart/mixed; boundary="uW7tneBDgT75AaAhqFKb9fujb5G9qcb1G"; protected-headers="v1" From: "Andrey V. Elsukov" To: Ole , freebsd-ipfw@freebsd.org Message-ID: <67544958-07fe-7ff4-b5d2-88bf85324061@yandex.ru> Subject: Re: ipfw managing rules - best practice? References: <20180905112847.54287198.ole@free.de> In-Reply-To: <20180905112847.54287198.ole@free.de> --uW7tneBDgT75AaAhqFKb9fujb5G9qcb1G Content-Type: text/plain; charset=utf-8 Content-Language: en-US Content-Transfer-Encoding: quoted-printable On 05.09.2018 12:28, Ole wrote: > I understand, that this connections get broken because the dynamic=20 > rules get flushed with the `ipfw -q -f flush` command. But commenting=20 > this command out results in a continuously growing rules table. >=20 > With the `ipfw -d list` command I can see the dynamic rules.=20 > Is there a way to flush the rules but not the dynamic ones? > Or to add them again after flush? There is net.inet.ip.fw.dyn_keep_states sysctl variable. It allows to keep dynamic state when parent rule is deleted. But you need to use default_to_accept firewall to make it working. I plan to reimplement this feature to be more useful and work with any rules, and not only with "allow" rules. --=20 WBR, Andrey V. 
Elsukov --uW7tneBDgT75AaAhqFKb9fujb5G9qcb1G-- --Ax4Eeh3fAzSZX7v9RGQhIXM6wYYxxKEFM Content-Type: application/pgp-signature; name="signature.asc" Content-Description: OpenPGP digital signature Content-Disposition: attachment; filename="signature.asc" -----BEGIN PGP SIGNATURE----- Comment: Using GnuPG with Thunderbird - https://www.enigmail.net/ iQEzBAEBCAAdFiEE5lkeG0HaFRbwybwAAcXqBBDIoXoFAluP92YACgkQAcXqBBDI oXoliwf/ZRQfMcLzV0lQsMBWN6G6NOuMa59KyohxWMb8Bj/ubaXbQdV6sGeUR7fD 3PSiYCiUa9d0KNgZOXvqxfN8gAWchl1qfbo0iKMz0F2lk383wUQTBWD6muDaW8oH SKi/cGSUAerPjlfMJIbICpDcDeDLB+eTQnuSJPLKbekHTWn1CRS2vEymdhY1ciiy jgvTC3LY1uhVCm3GKKjQB0qgNXo1EL7a2iZNQ1hWnlVThzYhn5Jb7wkqdPjHzAB3 atcfdcRDwTeZAoo5HuoXm+eXojV/2v/vRBS1BW1D54sR8CLAAwWeZQOU7G5ulJ8P hBAXRfFncWDLHEnz+fm4Pdksr3+jxg== =CJx8 -----END PGP SIGNATURE----- --Ax4Eeh3fAzSZX7v9RGQhIXM6wYYxxKEFM-- From owner-freebsd-ipfw@freebsd.org Wed Sep 5 15:38:37 2018 Return-Path: Delivered-To: freebsd-ipfw@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id 403DCFF420D for ; Wed, 5 Sep 2018 15:38:37 +0000 (UTC) (envelope-from fjwcash@gmail.com) Received: from mail-lj1-x22e.google.com (mail-lj1-x22e.google.com [IPv6:2a00:1450:4864:20::22e]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (Client CN "smtp.gmail.com", Issuer "Google Internet Authority G3" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 9A11F865B9 for ; Wed, 5 Sep 2018 15:38:36 +0000 (UTC) (envelope-from fjwcash@gmail.com) Received: by mail-lj1-x22e.google.com with SMTP id u83-v6so6614945lje.12 for ; Wed, 05 Sep 2018 08:38:36 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=Vi4vfuTq0Czk3mw5WeNTFbv5JYq1FxX3StcoUOKGMSY=; b=CQkYkkXkfVndZSB35AafpW6WuneJ5mQyXjpUPostKX3JQpINx7VHfoJBR6aIuHHtnq 
From: Freddie Cash
Date: Wed, 5 Sep 2018 08:38:23 -0700
To: ole@free.de
Cc: freebsd-ipfw@freebsd.org
Subject: Re: ipfw managing rules - best practice?
In-Reply-To: <20180905112847.54287198.ole@free.de>

On Wed, Sep 5, 2018 at 2:29 AM Ole wrote:
> Hi,
>
> I'm using ipfw firewall on several machines.
> Rules are made by users by
> hand or by configuration management tools.
>
> For this the ipfw.rules script sources other files:
>
> #!/bin/sh
>
> ipfw -q -f flush
> cmd="ipfw -q add"
> pif="epair0b" # interface name of NIC attached to Internet
> $cmd 00010 allow all from any to any via lo0
> for RULES in `ls /etc/ipfw.rules.d/*.rules` ; do
> . $RULES
> done
> $cmd 09999 deny log all from any to any
>
> If a user or a script alters a file, `service ipfw restart` is called.
> This is working fine except one thing. Active connections like sql,
> syslog, ssh, etc. get broken. They are defined like
>
> $cmd 01610 allow tcp from vpn.example.org to me 22 in via $pif setup
> limit src-addr 50
>
> I understand that these connections get broken because the dynamic
> rules get flushed with the `ipfw -q -f flush` command. But commenting
> this command out results in a continuously growing rules table.
>
> With the `ipfw -d list` command I can see the dynamic rules.
> Is there a way to flush the rules but not the dynamic ones?
> Or to add them again after flush?
>
> How do you reload your rules?

Rule sets are made for this. :)

Edit your script to create a new rule set 1 as the first step. Then
insert all the rules into rule set 1.

As the last line of your script, you swap set 1 and set 0, which makes
your new rules live. It's an atomic switch, so no packets are lost or
connections dropped. (Note: I've never used stateful filtering with IPFW
so not sure how the rule set switch interacts with that, but it shouldn't
drop the dynamic connections.)

ipfw -f set 1 flush
ipfw set disable 1

...
all your normal rules, prepended by "set 1"

ipfw set enable 1
ipfw set swap 1 0
ipfw set disable 1
ipfw -f set 1 flush

--
Freddie Cash
fjwcash@gmail.com

From owner-freebsd-ipfw@freebsd.org Thu Sep 6 11:02:44 2018
From: Ole
Date: Thu, 6 Sep 2018 13:02:32 +0200
To: Freddie Cash
Cc: freebsd-ipfw@freebsd.org
Subject: Re: ipfw managing rules - best practice?
Message-ID: <20180906130232.46963dce.ole@free.de>
References: <20180905112847.54287198.ole@free.de>

Wed, 5 Sep 2018 08:38:23 -0700 - Freddie Cash :
> On Wed, Sep 5, 2018 at 2:29 AM Ole wrote:
>
> > Hi,
> >
> > I'm using ipfw firewall on several machines. Rules are made by
> > users by hand or by configuration management tools.
> >
> > For this the ipfw.rules script sources other files:
> >
> > #!/bin/sh
> >
> > ipfw -q -f flush
> > cmd="ipfw -q add"
> > pif="epair0b" # interface name of NIC attached to Internet
> > $cmd 00010 allow all from any to any via lo0
> > for RULES in `ls /etc/ipfw.rules.d/*.rules` ; do
> > . $RULES
> > done
> > $cmd 09999 deny log all from any to any
> >
> > If a user or a script alters a file, `service ipfw restart` is
> > called. This is working fine except one thing. Active connections
> > like sql, syslog, ssh, etc. get broken. They are defined like
> >
> > $cmd 01610 allow tcp from vpn.example.org to me 22 in via $pif setup
> > limit src-addr 50
> >
> > I understand that these connections get broken because the dynamic
> > rules get flushed with the `ipfw -q -f flush` command. But
> > commenting this command out results in a continuously growing rules
> > table.
> >
> > With the `ipfw -d list` command I can see the dynamic rules.
> > Is there a way to flush the rules but not the dynamic ones?
> > Or to add them again after flush?
> >
> > How do you reload your rules?
> >
>
> Rule sets are made for this. :)
>
> Edit your script to create a new rule set 1 as the first step. Then
> insert all the rules into rule set 1.
>
> As the last line of your script, you swap set 1 and set 0, which
> makes your new rules live. It's an atomic switch, so no packets are
> lost or connections dropped. (Note: I've never used stateful
> filtering with IPFW so not sure how the rule set switch interacts
> with that, but it shouldn't drop the dynamic connections.)

I'm sorry. I just tested this approach and it drops the dynamic rules.

> ipfw -f set 1 flush
> ipfw set disable 1
>
> ...
> all your normal rules, prepended by "set 1"
>
> ipfw set enable 1
> ipfw set swap 1 0
> ipfw set disable 1
> ipfw -f set 1 flush
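Freddie's staged-set reload with Ole's finding about dynamic states folded in, as an added example script that is not from any post in the thread. It assumes Ole's layout (fragments in /etc/ipfw.rules.d/*.rules written as `$cmd NUMBER action ...`), an overridable IPFW variable for dry runs, and that a fragment which fails to load should abort before the swap so the live set is never left half-built.

```shell
#!/bin/sh
# Added example, not from any post in the thread: reload ipfw rules through
# a staging set so the cutover is one "ipfw set swap" (Freddie's sequence).
# Assumes rule fragments in $RULES_DIR use "$cmd NUMBER action ..." as in
# Ole's script; IPFW=echo gives a dry run on a host without ipfw.

IPFW="${IPFW:-ipfw}"
RULES_DIR="${RULES_DIR:-/etc/ipfw.rules.d}"
STAGE=1          # staging set; set 0 is the live set
pif="epair0b"    # Internet-facing interface, as in Ole's script

# Used as "$cmd" by the rule files: inserts "set $STAGE" after the rule
# number, so existing fragments need no change. Failures are counted, and
# a bad fragment then never reaches the live set (see reload_ruleset).
add_rule() {
    num="$1"; shift
    "$IPFW" -q add "$num" set "$STAGE" "$@" || load_errors=$((load_errors + 1))
}
cmd=add_rule
# Ole's test showed the swap still drops keep-state/limit states, which hang
# off their parent rule. Andrey's sysctl keeps them, but only with a
# default_to_accept firewall, so this check is informational only.
dyn_states_kept() {
    v=$(sysctl -n net.inet.ip.fw.dyn_keep_states 2>/dev/null) || v=0
    [ "$v" = "1" ]
}
reload_ruleset() {
    load_errors=0
    # 1. Empty and disable the staging set; nothing in it is evaluated yet.
    "$IPFW" -f set "$STAGE" flush
    "$IPFW" set disable "$STAGE"
    # 2. Build the complete new policy in the staging set.
    $cmd 00010 allow all from any to any via lo0
    for f in "$RULES_DIR"/*.rules; do
        [ -r "$f" ] && . "$f"
    done
    $cmd 09999 deny log all from any to any
    if [ "$load_errors" -gt 0 ]; then
        echo "$load_errors rule(s) failed to load; live set 0 untouched" >&2
        "$IPFW" -f set "$STAGE" flush
        return 1
    fi
    dyn_states_kept || echo "note: dynamic states will be lost at cutover" >&2
    # 3. Cut over: enable the staging set, swap it with the live set in one
    #    operation, then disable and flush the old rules now sitting in it.
    "$IPFW" set enable "$STAGE"
    "$IPFW" set swap "$STAGE" 0
    "$IPFW" set disable "$STAGE"
    "$IPFW" -f set "$STAGE" flush
}
```

Run it as the body of ipfw.rules in place of the flush-and-rebuild sequence; with IPFW=echo it prints the exact command sequence without touching the firewall.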