From owner-freebsd-security Thu Oct 18 1:39: 8 2001
Delivered-To: freebsd-security@freebsd.org
Received: from harrier.mail.pas.earthlink.net (harrier.mail.pas.earthlink.net [207.217.121.12])
	by hub.freebsd.org (Postfix) with ESMTP id 47D7F37B408
	for ; Thu, 18 Oct 2001 01:39:03 -0700 (PDT)
Received: from blossom.cjclark.org (dialup-209.247.137.205.Dial1.SanJose1.Level3.net [209.247.137.205])
	by harrier.mail.pas.earthlink.net (EL-8_9_3_3/8.9.3) with ESMTP id BAA10676;
	Thu, 18 Oct 2001 01:39:00 -0700 (PDT)
Received: (from cjc@localhost)
	by blossom.cjclark.org (8.11.6/8.11.3) id f9I8cvW03103;
	Thu, 18 Oct 2001 01:38:57 -0700 (PDT)
	(envelope-from cjc)
Date: Thu, 18 Oct 2001 01:38:56 -0700
From: "Crist J. Clark"
To: Drew Tomlinson
Cc: Mark.Andrews@isc.org, freebsd-security@FreeBSD.ORG
Subject: Re: Dynamic IPFW Rules
Message-ID: <20011018013856.C373@blossom.cjclark.org>
Reply-To: cjclark@alum.mit.edu
References: <200110172350.f9HNor915316@drugs.dv.isc.org> <000d01c15777$1b9a8240$0301a8c0@bigdaddy>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2.5i
In-Reply-To: <000d01c15777$1b9a8240$0301a8c0@bigdaddy>; from drew@mykitchentable.net on Wed, Oct 17, 2001 at 06:49:21PM -0700
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.org

On Wed, Oct 17, 2001 at 06:49:21PM -0700, Drew Tomlinson wrote:
> ----- Original Message -----
> From:
> To: "Drew Tomlinson"
> Cc:
> Sent: Wednesday, October 17, 2001 4:50 PM
> Subject: Re: Dynamic IPFW Rules
>
>
> > > I have created my first firewall and it seems to be handling traffic
> > > properly (yayyyy!). However, I have noticed that my dynamic rules don't
> > > ever seem to expire.
> >
> > [snip]
> >
> > > 02100 1 60 (T 0, # 0) ty 0 tcp, 192.168.1.4 3139 <-> 64.21.143.23 80
> >
> > This is expired (T 0), just not removed.
>
> OK, thanks. Is there a way to remove those rules that have expired?

You can remove the parent rule. IIRC, they get removed if they get
hit. If you reach the limit, I believe it starts to overwrite expired
rules. I would have to look at the code more closely to remember.

Another option is to make a shell script or alias that drops expired
rules,

  ipfw show | awk -F'[ ,]' '$5 != 0 { print }'

Does it. I have a longer script that does this and also prints rules
by interface,

#!/bin/sh
#
# ipfwsh - 2000/10/28, cjc
#
# Cut down verbosity of 'ipfw show' output

if [ $# -gt 1 ]; then
	# Bad command line
	echo "ipfwsh: bad args" >&2
	echo "Usage: ipfwsh [iface]" >&2
	exit 1
elif [ $# -eq 0 ]; then
	# Print whole list, just cut expired dynamic rules
	ipfw show | awk -F'[ ,]' '$5 != 0 { print }'
else
	# An interface name was given, note there is no failure if
	# name is not valid
	ipfw show | awk -v"iface=$1" '/^## Dynamic rules:/ { exit }
	$0 ~ iface { print; next }
	/(via|recv|xmit)/ { next }
	{ print }'
fi

-- 
Crist J. Clark                     |     cjclark@alum.mit.edu
                                   |     cjclark@jhu.edu
http://people.freebsd.org/~cjc/    |     cjc@freebsd.org

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
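Added example, not part of the message above or of cjc's ipfwsh script: the same expired-rule filter, but it locates the "(T n," lifetime counter in each dynamic rule line instead of relying on field position, and adds a count of expired entries as a quick check. The "(T 0, # 0)" line format is assumed from the output quoted in this thread, and the input is a constructed sample rather than real 'ipfw show' output.

```shell
#!/bin/sh
# Constructed sample of 'ipfw show' output (not captured from a real host):
# two static rules, then three dynamic rules, one of them expired (T 0).
SAMPLE='00100 12 1440 allow ip from any to any via lo0
00200 5 300 check-state
## Dynamic rules:
02100 1 60 (T 0, # 0) ty 0 tcp, 192.168.1.4 3139 <-> 64.21.143.23 80
02100 8 4096 (T 290, # 0) ty 0 tcp, 192.168.1.4 3140 <-> 64.21.143.23 80
02100 2 120 (T 17, # 0) ty 0 tcp, 192.168.1.9 1025 <-> 10.0.0.1 22'

# Pass static rules through untouched; after the "## Dynamic rules:" header,
# print only entries whose lifetime counter (the number after "T") is non-zero.
live_rules() {
	awk '
		/^## Dynamic rules:/ { dyn = 1; print; next }
		dyn && match($0, /\(T [0-9]+,/) {
			t = substr($0, RSTART + 3, RLENGTH - 4) + 0  # the T value
			if (t == 0) next                            # expired, drop it
		}
		{ print }'
}

# Number of expired dynamic rules still listed; a large number here means
# the expired entries are piling up rather than being reused.
count_expired() {
	awk '/^## Dynamic rules:/ { dyn = 1; next }
	     dyn && /\(T 0,/ { n++ }
	     END { print n + 0 }'
}

printf '%s\n' "$SAMPLE" | live_rules
printf 'expired dynamic rules: %s\n' "$(printf '%s\n' "$SAMPLE" | count_expired)"
```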