From: Luigi Rizzo <rizzo@xorpc.icir.org>
To: Sten Daniel Sørsdal <sten.daniel.sorsdal@wan.no>
Cc: freebsd-ipfw@freebsd.org
Date: Mon, 1 Sep 2003 06:53:30 -0700
Subject: Re: IPFW2, sets and dynamic rules.
Message-ID: <20030901065330.A70435@xorpc.icir.org>
In-Reply-To: <0AF1BBDF1218F14E9B4CCE414744E70F07DF31@exchange.wanglobal.net>
List-Id: IPFW Technical Discussions

dynamic rules do not survive a delete, so your "delete set 1" is what
kills your connections.

cheers
luigi

On Mon, Sep 01, 2003 at 03:29:36PM +0200, Sten Daniel Sørsdal wrote:
>
> Being a complete ipfw idiot, I hoped someone could clarify this to me.
>
> I wrote a simple firewall script that uses dynamic rules (stateful rules).
> It's basically like this (handwritten, real script is a lot bigger):
>
> =====
>
> ipfw set disable 1
> ipfw -q delete set 1
> ipfw set disable 1
>
> ipfw add 100 set 1 check-state
> ipfw add 101 set 1 skipto 1000 ip from any to any in via fxp0 // internet
> ipfw add 102 set 1 skipto 2000 ip from any to any out via fxp0
> ipfw add 103 set 1 skipto 3000 ip from any to any in via fxp1 // lan
> ipfw add 104 set 1 skipto 4000 ip from any to any out via fxp1
> ipfw add 105 set 1 allow ip from any to any
>
> ipfw add 1000 set 1 deny ip from any to any
>
> ipfw add 2000 set 1 allow ip from me to any keep-state
> ipfw add 2001 set 1 deny ip from any to any
>
> ipfw add 3000 set 1 allow tcp from 192.168.0.0/16 to any setup keep-state
> ipfw add 3001 set 1 allow udp from 192.186.0.0/16 to any keep-state
> ipfw add 3002 set 1 deny ip from any to any
>
> ipfw add 4000 set 1 allow ip from me to any keep-state
> ipfw add 4001 set 1 deny ip from any to any
>
> ipfw set swap 0 1
>
> ============
>
> After the swap, the dynamic rules that were added when running on set 0 to begin with (same script)
> do seem to work at first glance. However, if I add a rule at, say, 100 and shift all other rules down,
> and re-run the script, then what happens with the dynamic rules? The TCP connections break.
>
> Do the dynamic rules always point to the same set, or do they point to the new set when I run swap?
>
> Do I need to enable set 1 afterwards to make it work? What is then the order of rule execution when
> two sets are enabled?
>
> Are there any ways to change the set 0 rules while still retaining the functionality of the old
> dynamic rules?
>
>
> - Sten
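A guard an operator can put in front of the `ipfw -q delete set 1` step, added here as an example and not code from the thread: it parses `ipfw -S -d list` output and counts the dynamic states whose parent rule lives in a given set, so a reload script can refuse to delete a set that still owns live states. It assumes the two sets do not reuse rule numbers, because the dynamic-state listing shows only the parent rule number, not its set; the listing below is constructed, not captured from a host.

```shell
#!/bin/sh
# Constructed sample of `ipfw -S -d list` output after `ipfw set swap 0 1`:
# the old ruleset (set 1) still owns the established states, the new
# ruleset (set 0, renumbered) has picked up one fresh connection.
SAMPLE_LISTING='00100 set 1 check-state
00101 set 1 skipto 1000 ip from any to any in via fxp0
00200 set 0 check-state
00210 set 0 skipto 1000 ip from any to any in via fxp0
02000 set 1 allow ip from me to any keep-state
02200 set 0 allow ip from me to any keep-state
03000 set 1 allow tcp from 192.168.0.0/16 to any setup keep-state
03200 set 0 allow tcp from 192.168.0.0/16 to any setup keep-state
65535 set 31 deny ip from any to any
## Dynamic rules (4):
02000          4        312 (298s) STATE udp 10.0.0.1 53210 <-> 10.0.0.2 53
03000        140     120311 (299s) STATE tcp 192.168.1.10 44123 <-> 10.0.0.2 443
03000         12        980 (17s) STATE tcp 192.168.1.11 44124 <-> 10.0.0.2 22
03200          3        200 (290s) STATE tcp 192.168.1.12 44125 <-> 10.0.0.2 443'

# Print how many dynamic states have a parent rule in set $1.
# Reads an `ipfw -S -d list` dump on stdin. Static rules come first and
# carry "set N"; the dynamic table follows the "## Dynamic rules" marker
# and names only the parent rule number (first field), hence the
# no-duplicate-numbers assumption stated above.
states_in_set() {
    awk -v set="$1" '
        /^## Dynamic rules/ { dyn = 1; next }
        !dyn && $2 == "set" && $3 == set { parent[$1] = 1; next }
        dyn && ($1 in parent) { n++ }
        END { print n + 0 }'
}

# Returns 1 (and explains why on stderr) when set $1 still owns states,
# so a reload script can abort instead of silently dropping sessions.
# Usage on a live host:  ipfw -S -d list | check_before_delete 1 || exit 1
check_before_delete() {
    n=$(states_in_set "$1")
    if [ "$n" -gt 0 ]; then
        echo "set $1 still owns $n dynamic state(s); deleting it drops them" >&2
        return 1
    fi
    return 0
}
```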