Date:      Thu, 6 Sep 2018 13:02:32 +0200
From:      Ole <ole@free.de>
To:        Freddie Cash <fjwcash@gmail.com>
Cc:        freebsd-ipfw@freebsd.org
Subject:   Re: ipfw managing rules - best practice?
Message-ID:  <20180906130232.46963dce.ole@free.de>
In-Reply-To: <CAOjFWZ76Gi=MMVSPEpuexN2bBHUankGi3mY196E3GV+daaGnMw@mail.gmail.com>
References:  <20180905112847.54287198.ole@free.de> <CAOjFWZ76Gi=MMVSPEpuexN2bBHUankGi3mY196E3GV+daaGnMw@mail.gmail.com>


Wed, 5 Sep 2018 08:38:23 -0700 - Freddie Cash <fjwcash@gmail.com>:

> On Wed, Sep 5, 2018 at 2:29 AM Ole <ole@free.de> wrote:
>
> > Hi,
> >
> > I'm using ipfw firewall on several machines. Rules are made by
> > users by hand or by configuration management tools.
> >
> > For this the ipfw.rules script sources other files:
> >
> > #!/bin/sh
> >
> > ipfw -q -f flush
> > cmd="ipfw -q add"
> > pif="epair0b"     # interface name of NIC attached to Internet
> > $cmd 00010 allow all from any to any via lo0
> > # source every rule fragment; a glob avoids parsing ls output
> > for RULES in /etc/ipfw.rules.d/*.rules ; do
> >   . "$RULES"
> > done
> > $cmd 09999 deny log all from any to any
> >
> > If a user or a script alters a file, `service ipfw restart` is
> > called. This is working fine except for one thing. Active connections
> > like sql, syslog, ssh, etc. get broken. They are defined like
> >
> > $cmd 01610 allow tcp from vpn.example.org to me 22 in via $pif setup
> > limit src-addr 50
> >
> > I understand that these connections get broken because the dynamic
> > rules get flushed with the `ipfw -q -f flush` command. But
> > commenting this command out results in a continuously growing rules
> > table.
> >
> > With the `ipfw -d list` command I can see the dynamic rules.
> > Is there a way to flush the rules but not the dynamic ones?
> > Or to add them again after flush?
> >
> > How do you reload your rules?
> >
>
> Rule sets are made for this.  :)
>
> Edit your script to create a new rule set 1 as the first step.  Then
> insert all the rules into rule set 1.
>
> As the last line of your script, you swap set 1 and set 0, which
> makes your new rules live.  It's an atomic switch, so no packets are
> lost or connections dropped.  (Note:  I've never used stateful
> filtering with IPFW so not sure how the rule set switch interacts
> with that, but it shouldn't drop the dynamic connections.)


I'm sorry. I just tested this approach and it drops the dynamic rules.


> ipfw -f set 1 flush
> ipfw set 1 disable
>
> ... all your normal rules, prepended by "set 1"
>
> ipfw set enable 1
> ipfw set swap 1 0
> ipfw set disable 1
> ipfw -f set 1 flush
>

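The set-swap reload Freddie describes, written out as a complete script that keeps Ole's /etc/ipfw.rules.d layout; this is an added example, not code from either poster. It assumes the `set N` placement after the rule number in `ipfw add` and the `ipfw -f set N flush` form shown in the quoted commands; setting `IPFW="echo ipfw"` prints the command sequence instead of executing it. As Ole reports above, the swap alone does not preserve the dynamic (keep-state/limit) entries.

```shell
#!/bin/sh
# Build the new ruleset in an inactive set, then swap it live (constructed example).
# IPFW="echo ipfw" turns every call into a dry run that only prints the commands.
IPFW=${IPFW:-ipfw}
RULES_DIR=${RULES_DIR:-/etc/ipfw.rules.d}
pif=${pif:-epair0b}      # interface facing the Internet, as in the original script
BUILD_SET=1              # staging set; set 0 stays live until the swap

# Rule files keep using "$cmd NNNNN action ...". Making cmd a function lets the
# set number be placed after the rule number, where ipfw expects it.
add_rule() {
    num=$1; shift
    $IPFW -q add "$num" set "$BUILD_SET" "$@"
}
cmd=add_rule

build_rules() {
    $cmd 00010 allow all from any to any via lo0
    for rules in "$RULES_DIR"/*.rules; do
        [ -r "$rules" ] && . "$rules"
    done
    $cmd 09999 deny log all from any to any
}

ipfw_reload() {
    $IPFW -q -f set "$BUILD_SET" flush   # start from an empty staging set
    $IPFW -q set disable "$BUILD_SET"    # keep it inert while rules are added
    build_rules
    $IPFW -q set enable "$BUILD_SET"
    $IPFW -q set swap "$BUILD_SET" 0     # the switch: new rules become set 0
    $IPFW -q set disable "$BUILD_SET"    # old rules now sit in the staging set
    $IPFW -q -f set "$BUILD_SET" flush   # discard them
}

# Usage: sh ipfw-reload.sh reload   (prefix with IPFW="echo ipfw" for a dry run)
case "${1:-}" in reload) ipfw_reload ;; esac
```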