IPFW2, sets and dynamic rules.

Luigi Rizzo rizzo at icir.org
Mon Sep 1 06:53:34 PDT 2003


dynamic rules do not survive a delete, so your "delete set 1" is what
kills your connections.

	cheers
	luigi

On Mon, Sep 01, 2003 at 03:29:36PM +0200, Sten Daniel Sørsdal wrote:
> 
> Being a complete ipfw idiot, I hoped someone could clarify this to me.
> 
> I wrote a simple firewall script that uses dynamic rules (stateful rules).
> It's basically like this (handwritten; the real script is a lot bigger):
> 
> =====
> 
> ipfw set disable 1
> ipfw -q delete set 1
> ipfw set disable 1
> 
> ipfw add 100 set 1 check-state
> ipfw add 101 set 1 skipto 1000 ip from any to any in via fxp0   # internet
> ipfw add 102 set 1 skipto 2000 ip from any to any out via fxp0
> ipfw add 103 set 1 skipto 3000 ip from any to any in via fxp1   # lan
> ipfw add 104 set 1 skipto 4000 ip from any to any out via fxp1
> ipfw add 105 set 1 allow ip from any to any
> 
> ipfw add 1000 set 1 deny ip from any to any
> 
> ipfw add 2000 set 1 allow ip from me to any keep-state
> ipfw add 2001 set 1 deny ip from any to any
> 
> ipfw add 3000 set 1 allow tcp from 192.168.0.0/16 to any setup keep-state
> ipfw add 3001 set 1 allow udp from 192.168.0.0/16 to any keep-state
> ipfw add 3002 set 1 deny ip from any to any
> 
> ipfw add 4000 set 1 allow ip from me to any keep-state
> ipfw add 4001 set 1 deny ip from any to any
> 
> ipfw set swap 0 1
> 
> ============
> 
> after the swap, the dynamic rules that were added when running on set 0 to begin with (same script).
> does seem to work at first glance, however if I add a rule at say 100 and shift all other rules down,
> and re-run the script then what happens with the dynamic rules? The tcp connections break.
> 
> do the dynamic rules always point to the same set or do they point to the new set when I run swap?
> 
> do I need to enable set 1 afterwards to make it work? how is then the line of rule execution, when
> two sets are enabled?
> 
> are there any ways to change the set 0 rules while still retaining the functionality of the old
> dynamic rules?
> 
> 
> - Sten
