IPFW2, sets and dynamic rules.

Sten Daniel Sørsdal sten.daniel.sorsdal at wan.no
Mon Sep 1 06:32:15 PDT 2003


Being a complete ipfw idiot, I hoped someone could clarify this for me.

I wrote a simple firewall script that uses dynamic rules (stateful rules).
It's basically like this (handwritten; the real script is a lot bigger):

=====

ipfw set disable 1
ipfw -q delete set 1
ipfw set disable 1

ipfw add 100 set 1 check-state
ipfw add 101 set 1 skipto 1000 ip from any to any in via fxp0   # internet
ipfw add 102 set 1 skipto 2000 ip from any to any out via fxp0
ipfw add 103 set 1 skipto 3000 ip from any to any in via fxp1   # lan
ipfw add 104 set 1 skipto 4000 ip from any to any out via fxp1
ipfw add 105 set 1 allow ip from any to any

ipfw add 1000 set 1 deny ip from any to any

ipfw add 2000 set 1 allow ip from me to any keep-state
ipfw add 2001 set 1 deny ip from any to any

ipfw add 3000 set 1 allow tcp from 192.168.0.0/16 to any setup keep-state
ipfw add 3001 set 1 allow udp from 192.168.0.0/16 to any keep-state
ipfw add 3002 set 1 deny ip from any to any

ipfw add 4000 set 1 allow ip from me to any keep-state
ipfw add 4001 set 1 deny ip from any to any

ipfw set swap 0 1

=====

After the swap, the dynamic rules that were added when running on set 0 to begin with (same script)
do seem to work at first glance. However, if I add a rule at, say, 100 and shift all the other rules down,
and re-run the script, then what happens with the dynamic rules? The TCP connections break.

Do the dynamic rules always point to the same set, or do they point to the new set when I run swap?

Do I need to enable set 1 afterwards to make it work? What is then the order of rule execution when
two sets are enabled?

Are there any ways to change the set 0 rules while still retaining the functionality of the old
dynamic rules?


- Sten
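An added example, not part of Sten's post or of ipfw itself: a small Python lint that checks a rule script of the shape posted above for mistakes that are easy to make when a ruleset is built in a spare set and swapped in (a skipto with no forward target, rules outside the single set being swapped, a keep-state rule reachable before any check-state, and a mistyped LAN source network). The embedded sample script and the RFC 1918 heuristic are my own assumptions.

```python
import ipaddress
import re
# Constructed sample shaped like the post; rule 3001 deliberately carries a mistyped network.
SAMPLE = """
ipfw add 100 set 1 check-state
ipfw add 101 set 1 skipto 1000 ip from any to any in via fxp0   # internet
ipfw add 103 set 1 skipto 3000 ip from any to any in via fxp1   # lan
ipfw add 105 set 1 allow ip from any to any
ipfw add 1000 set 1 deny ip from any to any
ipfw add 3000 set 1 allow tcp from 192.168.0.0/16 to any setup keep-state
ipfw add 3001 set 1 allow udp from 192.186.0.0/16 to any keep-state
ipfw add 3002 set 1 deny ip from any to any
"""
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
RULE_RE = re.compile(r"^ipfw\s+add\s+(\d+)\s+(?:set\s+(\d+)\s+)?(\S+)(.*)$")

def parse(script):
    """Return (number, set, action, args) for each 'ipfw add' line; shell comments are dropped."""
    rules = []
    for line in script.splitlines():
        m = RULE_RE.match(line.split("#", 1)[0].strip())
        if m:
            num, setno, action, rest = m.groups()
            rules.append((int(num), int(setno or 0), action, rest.split()))
    return rules

def lint(script):
    """Return a list of human-readable problems; an empty list means the script passed."""
    rules = parse(script)
    problems = []
    numbers = {n for n, _, _, _ in rules}
    sets = {s for _, s, _, _ in rules}
    if len(sets) > 1:
        problems.append(f"rules span sets {sorted(sets)}; 'set swap' moves only one set")
    seen_check_state = False
    for num, _, action, args in rules:
        seen_check_state |= action == "check-state"
        if action == "skipto":  # ipfw only skips forward, so the target must exist and be higher
            target = int(args[0])
            if target not in numbers or target <= num:
                problems.append(f"rule {num}: skipto {target} has no forward target")
        if "keep-state" in args and not seen_check_state:
            problems.append(f"rule {num}: keep-state rule precedes any check-state")
        if action == "allow" and "keep-state" in args:
            # Heuristic: a LAN allow rule should name RFC 1918 space; a typo usually lands outside it.
            for net in (ipaddress.ip_network(a, strict=False) for a in args if "/" in a):
                if not any(net.subnet_of(p) for p in RFC1918):
                    problems.append(f"rule {num}: source {net} is not RFC 1918 space")
    return problems
```

Run `lint()` over the real script text before swapping the set in; each returned string names the offending rule number.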

