ipfw managing rules - best practice?

Ole ole at free.de
Thu Sep 6 11:02:44 UTC 2018


Wed, 5 Sep 2018 08:38:23 -0700 - Freddie Cash <fjwcash at gmail.com>:

> On Wed, Sep 5, 2018 at 2:29 AM Ole <ole at free.de> wrote:
> 
> > Hi,
> >
> > I'm using ipfw firewall on several machines. Rules are made by
> > users by hand or by configuration management tools.
> >
> > For this the ipfw.rules script sources other files:
> >
> > #!/bin/sh
> >
> > ipfw -q -f flush
> > cmd="ipfw -q add"
> > pif="epair0b"     # interface name of NIC attached to Internet
> > $cmd 00010 allow all from any to any via lo0
> > for RULES in /etc/ipfw.rules.d/*.rules ; do
> >   . $RULES
> > done
> > $cmd 09999 deny log all from any to any
> >
> > If a user or a script alters a file, `service ipfw restart` is
> > called. This is working fine except one thing. Active connections
> > like sql, syslog, ssh, etc. get broken. They are defined like
> >
> > $cmd 01610 allow tcp from vpn.example.org to me 22 in via $pif setup
> > limit src-addr 50
> >
> > I understand that these connections get broken because the dynamic
> > rules get flushed with the `ipfw -q -f flush` command. But
> > commenting this command out results in a continuously growing rules
> > table.
> >
> > With the `ipfw -d list` command I can see the dynamic rules.
> > Is there a way to flush the rules but not the dynamic ones?
> > Or to add them again after flush?
> >
> > How do you reload your rules?
> >
> 
> Rule sets are made for this.  :)
> 
> Edit your script to create a new rule set 1 as the first step.  Then
> to insert all the rules into rule set 1.
> 
> As the last line of your script, you swap set 1 and set 0, which
> makes your new rules live.  It's an atomic switch, so no packets are
> lost or connections dropped.  (Note:  I've never used stateful
> filtering with IPFW so not sure how the rule set switch interacts
> with that, but it shouldn't drop the dynamic connections.)


I'm sorry. I just tested this approach and it drops the dynamic rules.


> ipfw -f set 1 flush
> ipfw set disable 1
> 
> ... all your normal rules, prepended by "set 1"
> 
> ipfw set enable 1
> ipfw set swap 1 0
> ipfw set disable 1
> ipfw -f set 1 flush
> 
> 
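Freddie's set-swap sequence written out as a complete reload script, as an added example that is not code from the thread. It assumes the rule files keep Ole's `$cmd NNNNN action ...` form, uses the `add number set N ...` and `delete set N` forms documented in ipfw(8), and, as Ole's test above shows, does not by itself preserve the dynamic states.

```shell
#!/bin/sh
# Added example (not from the thread): stage the new rules in set 1 while it
# is disabled, then swap it with the live set 0 in one step.
# Caveat confirmed by Ole above: dynamic states are still dropped.

IPFW=${IPFW:-ipfw}                   # IPFW="echo ipfw" gives a dry run
RULES_DIR=${RULES_DIR:-/etc/ipfw.rules.d}
STAGE=1                              # staging set; 0 is the live set
pif="epair0b"                        # interface name of NIC attached to Internet

run() { $IPFW -q "$@"; }             # unquoted on purpose so IPFW may hold words

# Wrapper so the existing rule files stay unchanged: "$cmd 01610 allow ..."
# becomes "ipfw -q add 01610 set 1 allow ..." (set keyword follows the number).
cmd_add() {
    num=$1; shift
    run add "$num" set "$STAGE" "$@"
}
cmd=cmd_add

reload_rules() {
    # Build the new rule set while it is invisible to traffic.
    run delete set "$STAGE"
    run set disable "$STAGE"
    $cmd 00010 allow all from any to any via lo0
    for RULES in "$RULES_DIR"/*.rules; do
        [ -r "$RULES" ] && . "$RULES"
    done
    $cmd 09999 deny log all from any to any
    # Atomic switch: new set becomes 0, the previous live set becomes 1.
    run set enable "$STAGE"
    run set swap "$STAGE" 0
    run set disable "$STAGE"
    run delete set "$STAGE"            # discard the previous rule set
}

# Only act when invoked as "sh ipfw-reload.sh reload", so the file can be sourced.
if [ "${1:-}" = "reload" ]; then
    reload_rules
fi
```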