IPFW2, sets and dynamic rules.
Sten Daniel Sørsdal
sten.daniel.sorsdal at wan.no
Mon Sep 1 07:41:41 PDT 2003
> > are there any ways to change the set 0 rules while still
> > retaining the functionality of the old dynamic rules?
>
> As Luigi said, when you delete a rule the corresponding dynamic rules are
> deleted as well.
His answer is correct and I'm an idiot/impatient (I need my answers
straightforward, and can't do this pondering bit).
>
> I use the following hack which allows one reload without deleting
> running connections. I basically move all the "old" rules to a disabled
> set, so they still exist but aren't active. That way the dynamic rules
> aren't deleted.
>
Isn't this the same thing as swapping 0 and 1?
After a swap, set 0 will contain the new rules and set 1 will
contain the old, but will be disabled.
[.snip.]
>
> Note that this is just copy/pasted from my firewall script, but you
> should get the idea.
>
> This is not pretty, but it works.
Thank you for your example script, it makes perfect sense now.
I now do a rotation of 1 through 15 like this:
# set 16 receives the oldest generation below, so it must be disabled too,
# otherwise the rules moved into it become active again
ipfw set disable 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 enable 0
ipfw -q delete set 16
for HN in 15 14 13 12 11 10 9 8 7 6 5 4 3 2 1
do
    # "set move X to Y" without the "rule" keyword moves the whole set
    ipfw set move $HN to $(( $HN + 1 ))
done
addrule() { ipfw -q add set 1 "$@"; }   # addrule() adds each rule to the (disabled) set 1
alias allow="addrule allow"
alias deny="addrule deny"
[...]
allow tcp from any to any setup keep-state
[...]
ipfw set swap 0 1
A redundant "enable 0", but I like my script to make sure nobody
manually did something.
The mistake I made was that I re-ran my firewall rules too many times
(the original script only allowed for one execution, and the next
would kill the dynamic rules).
- Sten
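The rotation above, packaged as a reload function, as an added example that is not part of the original post or of the FreeBSD ipfw code. It generalises the fixed "1 through 15" rotation to N generations, disables the set that is about to receive the oldest generation (ipfw2 sets start out enabled, so a set that is never disabled would make the rules moved into it live again), and refuses N values that would collide with set 31, which ipfw2 reserves for the default rule. The function names (run, set_list, rotate_sets, addrule, reload), the DRY_RUN switch and the three sample rules are assumptions of this example; "ipfw set move X to Y" without the "rule" keyword moves a whole set, as in the script above.

```shell
#!/bin/sh
# Added example, not code from the original post: an ipfw2 reload that
# parks the previous N rule generations in disabled sets so their dynamic
# (keep-state) entries survive the reload. Names and sample rules are
# assumptions of this example.
IPFW="${IPFW:-ipfw -q}"

# run: execute one ipfw subcommand, or just print it when DRY_RUN is set.
run() {
    if [ -n "$DRY_RUN" ]; then
        echo "ipfw $*"
    else
        $IPFW "$@"
    fi
}

# set_list N: print "1 2 ... N" for use in "ipfw set disable ...".
set_list() {
    i=1
    out=""
    while [ "$i" -le "$1" ]; do
        out="$out $i"
        i=$((i + 1))
    done
    echo "${out# }"
}

# rotate_sets N: shift the parked generations one slot up. Afterwards set 0
# is still live, sets 2..N+1 hold the previous N generations (all disabled)
# and set 1 is empty and disabled, ready to receive the new rules.
rotate_sets() {
    n="$1"
    # sets are 0..31 and 31 holds the default rule, so N+1 must stay <= 30
    if [ "$n" -lt 1 ] || [ "$n" -gt 29 ]; then
        echo "rotate_sets: generations must be 1..29" >&2
        return 1
    fi
    # 1. Only set 0 may be enabled. Set N+1 is included because it is about
    #    to receive the oldest generation and would otherwise be live.
    run set disable $(set_list $((n + 1))) enable 0
    # 2. Drop the oldest generation; its dynamic rules expired long ago.
    run delete set $((n + 1))
    # 3. Move N -> N+1, ..., 1 -> 2, highest first so no two sets merge.
    while [ "$n" -ge 1 ]; do
        run set move "$n" to $((n + 1))
        n=$((n - 1))
    done
}

# addrule ACTION BODY...: stage one rule in the (disabled) set 1.
addrule() {
    run add set 1 "$@"
}

# reload [N]: rotate, load the new rule body into set 1, then swap it live.
# The old live rules land in disabled set 1 with their dynamic rules intact,
# so established keep-state sessions keep flowing across the reload.
reload() {
    rotate_sets "${1:-15}" || return 1
    # --- rule body: constructed sample, replace with your own rules ---
    addrule check-state
    addrule allow tcp from any to any setup keep-state
    addrule deny ip from any to any
    # -----------------------------------------------------------------
    run set swap 0 1
}
```

Source the file and run "DRY_RUN=1 reload 3" to print the exact command sequence without touching the kernel; without DRY_RUN the same call drives ipfw. The swap is the only step that changes what is live, so a reload that dies halfway leaves set 0 untouched.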