Date:      Tue, 23 Oct 2018 13:12:20 +0200
From:      Ole <ole@free.de>
To:        "Andrey V. Elsukov" <bu7cher@yandex.ru>
Cc:        freebsd-ipfw@freebsd.org
Subject:   Re: ipfw managing rules - best practice?
Message-ID:  <20181023131220.20c700ba.ole@free.de>
In-Reply-To: <67544958-07fe-7ff4-b5d2-88bf85324061@yandex.ru>
References:  <20180905112847.54287198.ole@free.de> <67544958-07fe-7ff4-b5d2-88bf85324061@yandex.ru>


Wed, 5 Sep 2018 18:33:58 +0300 - "Andrey V. Elsukov"
<bu7cher@yandex.ru>:

> On 05.09.2018 12:28, Ole wrote:
> > I understand that these connections get broken because the dynamic
> > rules get flushed with the `ipfw -q -f flush` command. But
> > commenting this command out results in a continuously growing rules
> > table.
> >
> > With the `ipfw -d list` command I can see the dynamic rules.
> > Is there a way to flush the rules but not the dynamic ones?
> > Or to add them again after flush?
>
> There is the net.inet.ip.fw.dyn_keep_states sysctl variable. It allows
> keeping dynamic state when the parent rule is deleted. But you need to
> use a default_to_accept firewall to make it work.
> I plan to reimplement this feature to be more useful and work with any
> rules, and not only with "allow" rules.

Ah, thank you very much. This is exactly what I was searching for. I
deployed it to some machines and it is working well.

One question: I have lots of hostname-dependent rules in lots of jails.
Do you think it is OK to reload the ruleset every 5 min by cron to
re-resolve the hostnames?

regards
Ole

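The reload Ole describes (a cron job that flushes and rebuilds the ruleset so hostnames get re-resolved) is safe for existing connections only if the dyn_keep_states precondition Andrey mentions actually holds on the box. The script below is an added example, not Ole's or Andrey's code: it checks the two sysctls before touching the firewall, counts the dynamic states before and after the reload, and reports if any were lost. It assumes the ruleset script itself does the `ipfw -q -f flush` and re-adds the rules (as in the original post), that the kernel is default-to-accept, and that `ipfw -d list` prints the states after a `## Dynamic rules` header as FreeBSD 11/12 do; the cron line and file names in the comments are assumptions as well.

```shell
#!/bin/sh
# Reload an ipfw ruleset from cron without losing established connections.
# Added example for this thread, not Ole's or Andrey's script.
# Assumptions: the ruleset command does `ipfw -q -f flush` and re-adds the
# rules itself; the kernel is default-to-accept (which Andrey says
# dyn_keep_states needs); `ipfw -d list` prints a "## Dynamic rules" header
# followed by one state per line.
set -u

# True if the kernel keeps dynamic states when their parent rule is deleted.
keep_states_enabled() {
    [ "$(sysctl -n net.inet.ip.fw.dyn_keep_states 2>/dev/null)" = "1" ]
}

# True if the default rule is accept (IPFIREWALL_DEFAULT_TO_ACCEPT kernel).
default_to_accept() {
    [ "$(sysctl -n net.inet.ip.fw.default_to_accept 2>/dev/null)" = "1" ]
}

# Number of dynamic states currently in the kernel: every non-empty line
# after the "## Dynamic rules" header of `ipfw -d list`.
dyn_state_count() {
    ipfw -d list | awk '/^## Dynamic rules/ { seen = 1; next }
                        seen && NF          { n++ }
                        END                 { print n + 0 }'
}

# reload_ruleset CMD [ARGS...]
# Runs CMD (for example `sh /etc/ipfw.rules`) and compares the state count
# before and after.  Exit status: 0 = reloaded and states kept,
# 1 = states were lost by the flush, 2 = preconditions not met (nothing
# was run), 3 = the ruleset command itself failed (check the firewall).
reload_ruleset() {
    if ! keep_states_enabled; then
        echo "reload_ruleset: net.inet.ip.fw.dyn_keep_states is not 1; refusing to flush" >&2
        return 2
    fi
    if ! default_to_accept; then
        echo "reload_ruleset: kernel is not default-to-accept; dyn_keep_states will not help" >&2
        return 2
    fi
    before=$(dyn_state_count)
    if ! "$@"; then
        echo "reload_ruleset: ruleset command failed after flush, inspect rules by hand" >&2
        return 3
    fi
    after=$(dyn_state_count)
    if [ "$after" -lt "$before" ]; then
        echo "reload_ruleset: dynamic states dropped from $before to $after" >&2
        return 1
    fi
    echo "reload_ruleset: ruleset reloaded, $after dynamic state(s) kept"
    return 0
}

# Stand-alone use from /etc/crontab every five minutes, as Ole proposed
# (script path and ruleset file are assumed names):
#   */5 * * * * root /usr/local/sbin/ipfw-reload.sh sh /etc/ipfw.rules
# Only acts when given a ruleset command and ipfw is actually installed.
if [ $# -gt 0 ] && command -v ipfw >/dev/null 2>&1; then
    reload_ruleset "$@"
fi
```

The state count is a coarse check (states expire on their own between the two readings), so treat a small drop as a hint to inspect, and a drop to zero as the flush having thrown the states away, which is exactly the symptom from the first message in the thread.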