ipfw managing rules - best practice?

Andrey V. Elsukov bu7cher at yandex.ru
Wed Sep 5 15:35:22 UTC 2018


On 05.09.2018 12:28, Ole wrote:
> I understand that these connections get broken because the dynamic 
> rules get flushed with the `ipfw -q -f flush` command. But commenting 
> this command out results in a continuously growing rules table.
> 
> With the `ipfw -d list` command I can see the dynamic rules. 
> Is there a way to flush the rules but not the dynamic ones?
> Or to add them again after flush?

There is a net.inet.ip.fw.dyn_keep_states sysctl variable. It allows
keeping dynamic states when the parent rule is deleted. But you need to
use a default_to_accept firewall to make it work.
I plan to reimplement this feature to be more useful and work with any
rules, and not only with "allow" rules.

-- 
WBR, Andrey V. Elsukov
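A reload script built around the sysctl described in the reply, added here as an illustration and not part of the thread. It assumes FreeBSD's ipfw(8) and sysctl(8), that the rules file holds plain `add ...` commands in the format `ipfw file` accepts, and that `ipfw -d list` prints a `## Dynamic rules` header before the state lines.

```shell
#!/bin/sh
# Reload ipfw rules from a file without losing established connections.
# Assumes net.inet.ip.fw.dyn_keep_states exists and, as the reply notes,
# a default-to-accept firewall (net.inet.ip.fw.default_to_accept=1).

# Return 0 when dyn_keep_states can actually preserve states across a flush.
check_keep_states_prereqs() {
    dta=$(sysctl -n net.inet.ip.fw.default_to_accept 2>/dev/null) || return 1
    [ "$dta" = "1" ]
}

# Count live dynamic states; relies on the "## Dynamic rules" header that
# `ipfw -d list` prints before the state lines (assumed output format).
count_dyn_states() {
    ipfw -d list | sed -n '/^## Dynamic rules/,$p' | tail -n +2 | wc -l | tr -d ' '
}

# reload_rules RULES_FILE: flush and load a file of ipfw commands
# (one "add ..." per line, which ipfw reads directly when given a file name).
# Exit codes: 1 sysctl/ipfw failure, 2 unreadable file, 3 prerequisite not met.
reload_rules() {
    rules=$1
    [ -r "$rules" ] || { echo "cannot read $rules" >&2; return 2; }
    if ! check_keep_states_prereqs; then
        echo "default_to_accept is not 1: a flush would drop dynamic states" >&2
        return 3
    fi
    sysctl net.inet.ip.fw.dyn_keep_states=1 >/dev/null || return 1
    before=$(count_dyn_states)
    ipfw -q -f flush || return 1
    ipfw -q "$rules" || return 1
    after=$(count_dyn_states)
    # A drop between the two counts means states were lost despite the sysctl.
    echo "dynamic states before=$before after=$after"
}

# Run as `sh reload.sh reload /etc/ipfw.rules`; without arguments the file
# only defines the functions above (hypothetical script name).
if [ "${1:-}" = "reload" ]; then
    reload_rules "$2"
fi
```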

