From: Ole
To: Freddie Cash
Cc: freebsd-ipfw@freebsd.org
Date: Thu, 6 Sep 2018 13:02:32 +0200
Subject: Re: ipfw managing rules - best practice?
Message-ID: <20180906130232.46963dce.ole@free.de>
References: <20180905112847.54287198.ole@free.de>
List-Id: IPFW Technical Discussions

Wed, 5 Sep 2018 08:38:23 -0700 - Freddie Cash :
> On Wed, Sep 5, 2018 at 2:29 AM Ole wrote:
>
> > Hi,
> >
> > I'm using ipfw firewall on several machines. Rules are made by
> > users by hand or by configuration management tools.
> > For this the ipfw.rules script sources other files:
> >
> > #!/bin/sh
> >
> > ipfw -q -f flush
> > cmd="ipfw -q add"
> > pif="epair0b" # interface name of NIC attached to Internet
> > $cmd 00010 allow all from any to any via lo0
> > for RULES in `ls /etc/ipfw.rules.d/*.rules` ; do
> >   . $RULES
> > done
> > $cmd 09999 deny log all from any to any
> >
> > If a user or a script alters a file, `service ipfw restart` is
> > called. This is working fine except for one thing. Active connections
> > like sql, syslog, ssh, etc. get broken. They are defined like
> >
> > $cmd 01610 allow tcp from vpn.example.org to me 22 in via $pif setup
> > limit src-addr 50
> >
> > I understand that these connections get broken because the dynamic
> > rules get flushed with the `ipfw -q -f flush` command. But
> > commenting this command out results in a continuously growing rules
> > table.
> >
> > With the `ipfw -d list` command I can see the dynamic rules.
> > Is there a way to flush the rules but not the dynamic ones?
> > Or to add them again after flush?
> >
> > How do you reload your rules?
> >
>
> Rule sets are made for this. :)
>
> Edit your script to create a new rule set 1 as the first step. Then
> to insert all the rules into rule set 1.
>
> As the last line of your script, you swap set 1 and set 0, which
> makes your new rules live. It's an atomic switch, so no packets are
> lost or connections dropped. (Note: I've never used stateful
> filtering with IPFW so not sure how the rule set switch interacts
> with that, but it shouldn't drop the dynamic connections.)

I'm sorry. I just tested this approach and it drops the dynamic rules.

> ipfw -f set 1 flush
> ipfw set 1 disable
>
> ... all your normal rules, prepended by "set 1"
>
> ipfw set enable 1
> ipfw set swap 1 0
> ipfw set disable 1
> ipfw -f set 1 flush
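The staging-set reload that Freddie describes, written out as a complete ipfw.rules script; this is an added example, not code from the thread. It assumes the fragments in /etc/ipfw.rules.d keep the original `$cmd NUM rule` form, and the IPFW and RULES_DIR variables are my additions so the sequence can be dry-run with `IPFW=echo sh ipfw.rules reload`.

```shell
#!/bin/sh
# Reload ipfw rules by building them in a staging set and swapping it in,
# following the sequence from the thread. Fragment files stay unchanged.
# Assumptions (not from the thread): IPFW and RULES_DIR are overridable so
# the command sequence can be dry-run; fragments call "$cmd NUM rule...".

IPFW=${IPFW:-ipfw}
RULES_DIR=${RULES_DIR:-/etc/ipfw.rules.d}
pif=${pif:-epair0b}      # NIC attached to the Internet, as in the thread
NEW_SET=1                # staging set; set 0 is the live one

# ipfw expects "add NUM set N action ...", i.e. the rule number before
# "set N", so a plain "$cmd" string cannot inject the set. A function can:
# "$cmd 01610 allow ..." in a fragment becomes "ipfw -q add 01610 set 1 allow ...".
add_rule() {
    num=$1; shift
    $IPFW -q add "$num" set "$NEW_SET" "$@"
}
cmd=add_rule

ipfw_reload() {
    $IPFW -q -f set "$NEW_SET" flush   # empty only the staging set
    $IPFW set disable "$NEW_SET"       # staged rules stay inert while loading
    $cmd 00010 allow all from any to any via lo0
    for RULES in "$RULES_DIR"/*.rules; do
        [ -r "$RULES" ] && . "$RULES"
    done
    $cmd 09999 deny log all from any to any
    $IPFW set enable "$NEW_SET"
    $IPFW set swap "$NEW_SET" 0        # atomic: staged rules become set 0
    $IPFW set disable "$NEW_SET"       # the old rules now sit in set 1
    # Deleting the old rules also expires the dynamic states they own; this
    # is the dropped-connection behaviour Ole reports after testing it.
    $IPFW -q -f set "$NEW_SET" flush
}

# Run only when invoked as "ipfw.rules reload"; sourcing just defines functions.
if [ "${1:-}" = reload ]; then
    ipfw_reload
fi
```

As Ole reports, the final flush of the old set still expires the dynamic states attached to those rules. Not discussed in the thread: FreeBSD 11 and later have the sysctl net.inet.ip.fw.dyn_keep_states, which keeps dynamic states alive when their parent rule or set is deleted instead of expiring them.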