IPFW disconnections and resets

Siddhartha Jain sid at netmagicsolutions.com
Fri Apr 29 03:30:46 PDT 2005


Neo-Vortex wrote:
>>- When I run "/sbin/ipfw -q -f flush" in the rules script all connection
>>get reset (and I am thrown out of the box).
> 
> 
> Yep, standard functionality, easy fix though:
> 
> -- Start file /root/bin/fws --
> #!/bin/sh
> fw > /root/fws-out 2>&1 &
> -- End File --
> 
> -- Start file /root/bin/fw --
> #!/bin/sh
> 
> ipfw="ipfw"
> 
> 
> # Flush Old Rules
> $ipfw -f flush
> 
> # Temporary rules to stop connections being killed when reloading rules
> $ipfw add 1 allow tcp from any to any established
> $ipfw add 2 allow udp from any to any
> 
> <snip> - your rules go here (don't use rule 1 or 2 though)
> 
> # Clean up temporary rules used to stop connections being killed
> $ipfw delete 1
> $ipfw delete 2
> -- End File --
> 
> I use that all the time, maybe 1 out of 100 times it will kill an ssh
> session (only one that has irssi open, because of the time updating it kills
> it; I have it set to update every second though, so normally it'd be like
> 1 out of 500 or so) and even if it does, it still finishes loading the
> ruleset anyway so you can just ssh straight back in.
> 
> If you haven't guessed, you run /root/bin/fws - you can change it to
> whatever you want of course; also, the output is redirected to
> /root/fws-out - if you don't redirect it, it'll kill your ssh session -
> although it won't stop it loading the other rules.

Thanks :)

My changed rule file looks like this:

----start file ipfw.rules-----------
#!/bin/sh
/sbin/ipfw -q -f flush

cmd="/sbin/ipfw  add "     # build rule prefix
ks="keep-state"        # just too lazy to key this each time

/sbin/ipfw  add 1 allow tcp from any to any established
#####################################

$cmd 00500 check-state
$cmd 00502 deny all from any to any frag
#$cmd 00501 deny tcp from any to any established

$cmd 00602 allow tcp from 20x.xx.xx.xx/32 to any 22 in via ed0 $ks
$cmd 00603 allow tcp from 20x.xx.xx.xx/32 to any 22 in via ed0 $ks
$cmd 00604 allow all from 20x.xx.xx.xx/32 to any out via ed0 $ks


$cmd 00609 allow tcp from 22x.xx.0.0/16 to any 22 in via ed0 $ks
$cmd 00610 allow icmp from 22x.xx.0.0/16 to any in via ed0 $ks

$cmd 00611 allow tcp from 220.xx.0.0/16 to any 22 in via ed0 $ks
$cmd 00612 allow icmp from 220.xx.0.0/16 to any in via ed0 $ks

$cmd 02500 divert 8000 log tcp from any to any 80
$cmd 02501 allow tcp from any  to any 80 in via ed0 $ks

#####################################
/sbin/ipfw  delete 1
----end  file ipfw.rules-----------

Even if I run this script as it is (without running from within another
script and redirecting), I don't get disconnected.

Thanks again,

- Siddhartha
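A reload wrapper in the spirit of the two scripts above, added here as an example rather than taken from either poster. It keeps the thread's trick (flush, install temporary rules 1 and 2, load the real ruleset, delete the temporary rules) and adds a dry-run mode so the command sequence can be inspected and checked without root or a FreeBSD box. The interface name ed0 and the temporary rule numbers come from the thread; the admin address 192.0.2.10, the closing default-deny rule and the check functions are this example's own constructions.

```shell
#!/bin/sh
# Added example, not code from either poster: an ipfw reload wrapper built on
# the temporary-rule trick from the thread. Rule numbers 1 and 2 are the
# temporary slots used in the thread; the admin address 192.0.2.10 and the
# sanity-check functions are this example's own constructions.

IPFW="${IPFW:-/sbin/ipfw}"   # real binary; replaced by show_cmd for a dry run
TMP_TCP=1                    # temporary rule numbers; the real ruleset must not reuse them
TMP_UDP=2

# Dry-run stand-in for ipfw: prints the command line instead of executing it.
show_cmd() {
    printf 'ipfw %s\n' "$*"
}

# The real ruleset. Everything here is loaded while the temporary rules are
# in place, so an open ssh session survives the flush. The keep-state rules
# need the check-state rule in front of them, as in the thread's second script.
load_real_rules() {
    cmd="$IPFW add"
    ks="keep-state"
    $cmd 00500 check-state
    $cmd 00502 deny all from any to any frag
    $cmd 00602 allow tcp from 192.0.2.10/32 to any 22 in via ed0 $ks   # constructed admin host
    $cmd 00604 allow all from 192.0.2.10/32 to any out via ed0 $ks
    $cmd 65000 deny log all from any to any                            # constructed default deny
}

# Flush, install the temporary rules, load the real ruleset, then remove the
# temporary rules. The deletes run even if a rule in load_real_rules failed,
# so the wide-open "allow udp" slot never outlives the reload.
reload_ruleset() {
    "$IPFW" -q -f flush
    "$IPFW" add "$TMP_TCP" allow tcp from any to any established
    "$IPFW" add "$TMP_UDP" allow udp from any to any
    load_real_rules
    "$IPFW" delete "$TMP_TCP"
    "$IPFW" delete "$TMP_UDP"
}

# Same sequence with ipfw replaced by show_cmd, run in a subshell so the
# IPFW override does not leak. Output: one would-be ipfw command per line.
dry_run_transcript() (
    IPFW=show_cmd
    reload_ruleset
)

# Ordering check on the dry-run transcript: the flush must come first, the
# temporary "established" rule must follow it immediately (any gap is a
# window in which existing sessions get reset), and the last command must
# remove the second temporary rule. Returns 0 when the order is right.
check_ordering() {
    transcript=$(dry_run_transcript)
    first=$(printf '%s\n' "$transcript" | sed -n '1p')
    second=$(printf '%s\n' "$transcript" | sed -n '2p')
    last=$(printf '%s\n' "$transcript" | sed -n '$p')
    [ "$first" = "ipfw -q -f flush" ] || return 1
    [ "$second" = "ipfw add $TMP_TCP allow tcp from any to any established" ] || return 1
    [ "$last" = "ipfw delete $TMP_UDP" ] || return 1
    return 0
}

# Collision check: only the two temporary adds may use rule numbers 1 or 2.
# A real rule at those numbers would be silently removed by the cleanup step.
check_no_temp_reuse() {
    n=$(dry_run_transcript | grep -c '^ipfw add [12] ' || true)
    [ "$n" -eq 2 ]
}

case "${1:-}" in
    --dry-run) dry_run_transcript ;;                 # print the sequence, no root needed
    --apply)   reload_ruleset ;;                     # run for real (root on FreeBSD)
    *)         echo "usage: $0 --dry-run | --apply" ;;
esac
```

Running the script with `--dry-run` prints the ten ipfw commands in the order they would execute, which is the easiest way to confirm that the temporary rules sit at the front of the ruleset and are removed at the end. Two points worth noting for anyone adapting it: while the ruleset loads, rule 2 allows all UDP from anywhere, so the real rules should be loaded promptly and the deletes must not be conditional on the loader succeeding; and any real rule numbered 1 or 2 would be deleted along with the temporary ones, which is what `check_no_temp_reuse` guards against.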
