Date:      Thu, 18 Oct 2001 01:38:56 -0700
From:      "Crist J. Clark" <cristjc@earthlink.net>
To:        Drew Tomlinson <drew@mykitchentable.net>
Cc:        Mark.Andrews@isc.org, freebsd-security@FreeBSD.ORG
Subject:   Re: Dynamic IPFW Rules
Message-ID:  <20011018013856.C373@blossom.cjclark.org>
In-Reply-To: <000d01c15777$1b9a8240$0301a8c0@bigdaddy>; from drew@mykitchentable.net on Wed, Oct 17, 2001 at 06:49:21PM -0700
References:  <200110172350.f9HNor915316@drugs.dv.isc.org> <000d01c15777$1b9a8240$0301a8c0@bigdaddy>

On Wed, Oct 17, 2001 at 06:49:21PM -0700, Drew Tomlinson wrote:
> ----- Original Message -----
> From: <Mark.Andrews@isc.org>
> To: "Drew Tomlinson" <drew@mykitchentable.net>
> Cc: <freebsd-security@freebsd.org>
> Sent: Wednesday, October 17, 2001 4:50 PM
> Subject: Re: Dynamic IPFW Rules
> 
> 
> >
> > > I have created my first firewall and it seems to be handling traffic
> > > properly (yayyyy!).  However, I have noticed that my dynamic rules don't
> > > ever seem to expire.
> >
> > [snip]
> >
> > > 02100 1 60 (T 0, # 0) ty 0 tcp, 192.168.1.4 3139 <-> 64.21.143.23 80
> >
> > This is expired (T 0), just not removed.
> 
> OK, thanks.  Is there a way to remove those rules that have expired?

You can remove the parent rule. IIRC, they get removed if they get
hit. If you reach the limit, I believe it starts to overwrite expired
rules. I would have to look at the code more closely to remember.

Another option is to make a shell script or alias that drops expired
rules,

    ipfw show | awk -F'[ ,]' '$5 != 0 { print }'

Does it. I have a longer script that does this and also prints rules
by interface,

  #!/bin/sh
  #
  # ipfwsh - 2000/10/28, cjc
  #
  # Cut down verbosity of 'ipfw show' output

  if [ $# -gt 1 ]; then
      # Bad command line
      echo "ipfwsh: bad args" >&2
      echo "Usage: ipfwsh [iface]" >&2
      exit 1
  elif [ $# -eq 0 ]; then
      # Print whole list, just cut expired dynamic rules
      ipfw show |
      awk -F'[ ,]' '$5 != 0 { print }'
  else
      # An interface name was given, note there is no failure if 
      # name is not valid
      ipfw show |
      awk -v"iface=$1" '/^## Dynamic rules:/ { exit } $0 ~ iface { print; next } /(via|recv|xmit)/ { next } { print }'
  fi

-- 
Crist J. Clark                     |     cjclark@alum.mit.edu
                                   |     cjclark@jhu.edu
http://people.freebsd.org/~cjc/    |     cjc@freebsd.org
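As an added example (not part of Crist's message or the ipfwsh script), the filter below only touches lines after the "## Dynamic rules:" header and keys on the "(T 0," lifetime field instead of a column position, so static rules are never affected by accident. It assumes the ipfw1-era `ipfw show` format quoted in the thread; the sample output is constructed.

```shell
# Constructed sample of 'ipfw show' output in the format quoted in the
# thread (ipfw1 era). The two "(T 0, ...)" entries are expired dynamic rules.
SAMPLE_IPFW_SHOW='00100 12 1024 allow ip from any to any via lo0
00200 0 0 deny ip from any to 127.0.0.0/8
02100 38 4410 check-state
65535 5 300 deny ip from any to any
## Dynamic rules:
02100 1 60 (T 0, # 0) ty 0 tcp, 192.168.1.4 3139 <-> 64.21.143.23 80
02100 9 2140 (T 287, # 0) ty 0 tcp, 192.168.1.4 3140 <-> 64.21.143.23 80
02100 1 60 (T 0, # 0) ty 0 udp, 192.168.1.4 1024 <-> 192.168.1.1 53
02100 3 210 (T 5, # 0) ty 0 udp, 192.168.1.4 1025 <-> 192.168.1.1 53'

# Read 'ipfw show' output on stdin and print it without expired dynamic
# rules. Everything before the "## Dynamic rules:" header passes through
# untouched; after it, a rule whose lifetime field reads "(T 0," is dropped.
drop_expired_dynamic() {
    awk '
        /^## Dynamic rules:/ { dyn = 1; print; next }
        dyn && /\(T 0,/      { next }    # lifetime counted down to 0: expired
        { print }
    '
}

# Number of dynamic rules left after filtering the sample (for checks).
count_live_dynamic() {
    printf '%s\n' "$SAMPLE_IPFW_SHOW" | drop_expired_dynamic |
        awk '/^## Dynamic rules:/ { dyn = 1; next } dyn { n++ } END { print n + 0 }'
}

# Number of expired dynamic rules in the unfiltered sample.
count_expired_dynamic() {
    printf '%s\n' "$SAMPLE_IPFW_SHOW" |
        awk '/^## Dynamic rules:/ { dyn = 1; next } dyn && /\(T 0,/ { n++ } END { print n + 0 }'
}

# Total lines the filtered listing contains (static rules + header + live).
filtered_line_count() {
    printf '%s\n' "$SAMPLE_IPFW_SHOW" | drop_expired_dynamic | awk 'END { print NR }'
}

# Show the cleaned-up listing.
printf '%s\n' "$SAMPLE_IPFW_SHOW" | drop_expired_dynamic
```

On a live system replace the sample with `ipfw show | drop_expired_dynamic`; the filter never removes the static rules or the header line.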
