Date: Wed, 24 Oct 2018 18:22:52 +0200
From: Ole <ole@free.de>
To: "Andrey V. Elsukov" <bu7cher@yandex.ru>
Cc: freebsd-ipfw@freebsd.org
Subject: Re: ipfw managing rules - best practice?
Message-ID: <20181024182252.49ee516b.ole@free.de>
In-Reply-To: <20181023131220.20c700ba.ole@free.de>
References: <20180905112847.54287198.ole@free.de> <67544958-07fe-7ff4-b5d2-88bf85324061@yandex.ru> <20181023131220.20c700ba.ole@free.de>
Tue, 23 Oct 2018 13:12:20 +0200 - Ole <ole@free.de>:
> Wed, 5 Sep 2018 18:33:58 +0300 - "Andrey V. Elsukov"
> <bu7cher@yandex.ru>:
>
> > On 05.09.2018 12:28, Ole wrote:
> > > I understand that these connections get broken because the
> > > dynamic rules get flushed with the `ipfw -q -f flush` command. But
> > > commenting this command out results in a continuously growing
> > > rules table.
> > >
> > > With the `ipfw -d list` command I can see the dynamic rules.
> > > Is there a way to flush the rules but not the dynamic ones?
> > > Or to add them again after flush?
> >
> > There is a net.inet.ip.fw.dyn_keep_states sysctl variable. It allows
> > keeping dynamic state when the parent rule is deleted. But you need to
> > use a default_to_accept firewall to make it work.
> > I plan to reimplement this feature to be more useful and work with
> > any rules, and not only with "allow" rules.
>
> Ah, thank you very much. This is exactly what I was searching for. I
> deployed it to some machines and it is working well.

OK, it is not working. I tested it only on a host system. There it was working.
When I deployed the ipfw script to the jails I missed that 'ipfw -q -f flush'
was commented out.
So what happens inside the Jail:

Host:

# sysctl net.inet.ip.fw
net.inet.ip.fw.dyn_keep_states: 1
net.inet.ip.fw.dyn_keepalive: 1
net.inet.ip.fw.dyn_short_lifetime: 5
net.inet.ip.fw.dyn_udp_lifetime: 10
net.inet.ip.fw.dyn_rst_lifetime: 1
net.inet.ip.fw.dyn_fin_lifetime: 1
net.inet.ip.fw.dyn_syn_lifetime: 20
net.inet.ip.fw.dyn_ack_lifetime: 300
net.inet.ip.fw.dyn_parent_max: 4096
net.inet.ip.fw.dyn_max: 16384
net.inet.ip.fw.dyn_buckets: 8192
net.inet.ip.fw.curr_max_length: 0
net.inet.ip.fw.curr_dyn_buckets: 256
net.inet.ip.fw.dyn_parent_count: 0
net.inet.ip.fw.dyn_count: 0
net.inet.ip.fw.enable: 1
net.inet.ip.fw.static_count: 12
net.inet.ip.fw.default_to_accept: 1
net.inet.ip.fw.tables_sets: 0
net.inet.ip.fw.tables_max: 128
net.inet.ip.fw.default_rule: 65535
net.inet.ip.fw.verbose_limit: 0
net.inet.ip.fw.verbose: 0
net.inet.ip.fw.autoinc_step: 100
net.inet.ip.fw.one_pass: 1

Jail:

# sysctl net.inet.ip.fw
net.inet.ip.fw.dyn_keep_states: 1
net.inet.ip.fw.dyn_keepalive: 1
net.inet.ip.fw.dyn_short_lifetime: 5
net.inet.ip.fw.dyn_udp_lifetime: 10
net.inet.ip.fw.dyn_rst_lifetime: 1
net.inet.ip.fw.dyn_fin_lifetime: 1
net.inet.ip.fw.dyn_syn_lifetime: 20
net.inet.ip.fw.dyn_ack_lifetime: 300
net.inet.ip.fw.dyn_parent_max: 4096
net.inet.ip.fw.dyn_max: 16384
net.inet.ip.fw.dyn_buckets: 8192
net.inet.ip.fw.curr_max_length: 1
net.inet.ip.fw.curr_dyn_buckets: 256
net.inet.ip.fw.dyn_parent_count: 0
net.inet.ip.fw.dyn_count: 3
net.inet.ip.fw.enable: 1
net.inet.ip.fw.static_count: 41
net.inet.ip.fw.default_to_accept: 1
net.inet.ip.fw.tables_sets: 0
net.inet.ip.fw.tables_max: 128
net.inet.ip.fw.default_rule: 65535
net.inet.ip.fw.verbose_limit: 0
net.inet.ip.fw.verbose: 0
net.inet.ip.fw.autoinc_step: 100
net.inet.ip.fw.one_pass: 1

# ipfw -d list
(...)
01510 allow tcp from any to xx.xx.xx.xx 6514 out via epair0b setup keep-state :default
(...)
## Dynamic rules (1 152):
01510 STATE tcp yy.yy.yy.yy 54451 <-> xx.xx.xx.xx 6514 :default

# ipfw -q flush
# ipfw -d list
65535 allow ip from any to any
## Dynamic rules (2 288):
Segmentation fault (core dumped)

It does not always end up with a segmentation fault. Sometimes there are
'empty' rules (blank lines):

## Dynamic rules (7 968):
01510 STATE tcp xx.xx.xx.xx 48347 <-> xx.xx.xx.xx 6514 :default

01111 STATE udp xx.xx.xx.xx 19693 <-> xx.xx.xx.xx :default

01111 STATE udp xx.xx.xx.xx 45532 <-> xx.xx.xx.xx :default
---End-of-output

I'm using FreeBSD 11.2 with vnet Jails.

regards
Ole
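As an added example (not part of Ole's mail and not FreeBSD's own ipfw tooling), here is a small POSIX shell check that reads captured `sysctl net.inet.ip.fw` output and flags the two conditions the thread turns on: dyn_keep_states only takes effect on a default_to_accept firewall, and a dynamic state table that is running out of headroom against dyn_max. The host and jail samples are trimmed from the values quoted above; the samples with default_to_accept=0 and with a high dyn_count, and the PRESSURE_PCT threshold, are constructed assumptions for illustration.

```shell
#!/bin/sh
# Added example for the dyn_keep_states discussion; not from the original mail.
# Given the text of `sysctl net.inet.ip.fw`, report whether dyn_keep_states can
# actually take effect and whether the dynamic state table is filling up.

# Extract one leaf value from captured sysctl output ($1 = text, $2 = leaf name).
ipfw_oid() {
    printf '%s\n' "$1" | awk -v key="net.inet.ip.fw.$2:" '$1 == key { print $2; exit }'
}

# Percentage of dyn_max at which the state table counts as under pressure
# (assumed threshold, not an ipfw setting).
PRESSURE_PCT=${PRESSURE_PCT:-80}

# Print exactly one status word for the captured sysctl output in $1:
#   keep_states_off          dyn_keep_states is 0: a flush drops every state
#   keep_states_ineffective  dyn_keep_states is 1 but default_to_accept is 0,
#                            the combination Andrey said does not work
#   state_table_pressure     dyn_count is at or above PRESSURE_PCT% of dyn_max
#   ok                       states survive a flush and the table has headroom
ipfw_dyn_status() {
    keep=$(ipfw_oid "$1" dyn_keep_states)
    accept=$(ipfw_oid "$1" default_to_accept)
    count=$(ipfw_oid "$1" dyn_count)
    max=$(ipfw_oid "$1" dyn_max)
    if [ "${keep:-0}" != 1 ]; then echo keep_states_off; return 0; fi
    if [ "${accept:-0}" != 1 ]; then echo keep_states_ineffective; return 0; fi
    if [ "${max:-0}" -gt 0 ] && [ $(( ${count:-0} * 100 / max )) -ge "$PRESSURE_PCT" ]; then
        echo state_table_pressure; return 0
    fi
    echo ok
}

# Sample inputs. HOST and JAIL are trimmed from the sysctl output quoted in the
# mail; DENY and PRESSURE are constructed to show the two failure modes.
HOST_SYSCTL='net.inet.ip.fw.dyn_keep_states: 1
net.inet.ip.fw.dyn_max: 16384
net.inet.ip.fw.dyn_count: 0
net.inet.ip.fw.default_to_accept: 1'
JAIL_SYSCTL='net.inet.ip.fw.dyn_keep_states: 1
net.inet.ip.fw.dyn_max: 16384
net.inet.ip.fw.dyn_count: 3
net.inet.ip.fw.default_to_accept: 1'
DENY_SYSCTL='net.inet.ip.fw.dyn_keep_states: 1
net.inet.ip.fw.dyn_max: 16384
net.inet.ip.fw.dyn_count: 3
net.inet.ip.fw.default_to_accept: 0'
PRESSURE_SYSCTL='net.inet.ip.fw.dyn_keep_states: 1
net.inet.ip.fw.dyn_max: 16384
net.inet.ip.fw.dyn_count: 14000
net.inet.ip.fw.default_to_accept: 1'

# On a live host or inside a vnet jail: ipfw_dyn_status "$(sysctl net.inet.ip.fw)"
printf 'host:     %s\n' "$(ipfw_dyn_status "$HOST_SYSCTL")"
printf 'jail:     %s\n' "$(ipfw_dyn_status "$JAIL_SYSCTL")"
printf 'deny:     %s\n' "$(ipfw_dyn_status "$DENY_SYSCTL")"
printf 'pressure: %s\n' "$(ipfw_dyn_status "$PRESSURE_SYSCTL")"
```

Running this before a rule reload gives a quick answer to the question the thread started with: if the status is anything other than ok, an `ipfw -q -f flush` in the reload script is going to cost you the established connections, so the flush should stay commented out until the sysctl state is fixed.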