From: Ian Smith <smithi@nimnet.asn.au>
To: Francisco Ramon
Cc: freebsd-ipfw@freebsd.org
Date: Fri, 3 Feb 2017 01:52:29 +1100 (EST)
Subject: Re: Reload rules
Message-ID: <20170203014041.K33334@sola.nimnet.asn.au>
List-Id: IPFW Technical Discussions

On Thu, 2 Feb 2017 12:08:31 -0200, Francisco Ramon wrote:

> Hello!
> I'm trying to build an IPFW script and I'm using some dynamic rules
> (with keep-state). The problem occurs when I need to restart the
> script, to reload new or edited rules... When I execute "ipfw -f
> flush", of course the dynamic rules are erased. The problem is: some or
> all of them, in my case, should not be erased. Is there any
> possibility to reload the rules, keeping the dynamic rules?

I don't know (by trying it) whether this will work, but ipfw(8) says:

    set set_number
    [..]
    Set 31 is special in that it cannot be disabled, and rules in set 31
    are not deleted by the ipfw flush command (but you can delete them
    with the ipfw delete set 31 command). Set 31 is also used for the
    default rule.

So you could try adding your dynamic rules to set 31 and check that they
(and unexpired dynamic flows) survive a flush, with 'ipfw -ted show'?

cheers, Ian
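Ian's set 31 idea written out as a reload script, added here as an example and not from the thread: the stateless rules live in set 0 and are re-added after every "ipfw -f flush", the keep-state rules are added once into set 31, and "ipfw -ted show" is the check. The rule numbers, ports and the lo0 rules are constructed placeholders; DRY_RUN=1 (the default) prints the ipfw commands instead of running them.

```shell
#!/bin/sh
# Added example, not from the mailing-list thread. DRY_RUN=1 prints the
# ipfw commands instead of executing them, so the layout can be reviewed
# on a box without ipfw. Rule numbers and ports are placeholders.
DRY_RUN=${DRY_RUN:-1}

run() {
    if [ "$DRY_RUN" = 1 ]; then
        echo "$*"
    else
        "$@"
    fi
}

# Stateless rules stay in set 0: "ipfw -f flush" removes them and the
# reload re-adds the (possibly edited) versions.
static_rules() {
    run ipfw add 100 allow ip from any to any via lo0
    run ipfw add 200 deny ip from any to 127.0.0.0/8
    run ipfw add 300 deny ip from 127.0.0.0/8 to any
}

# Stateful rules go in set 31, which ipfw(8) says flush does not delete;
# "set N" sits between the rule number and the action.
stateful_rules() {
    run ipfw add 1000 set 31 check-state
    run ipfw add 1100 set 31 allow tcp from any to me 22 setup keep-state
    run ipfw add 1200 set 31 allow ip from me to any keep-state
}

# Reload: flush clears sets 0-30 only, then the static rules come back.
reload() {
    run ipfw -f flush
    static_rules
}

# init: first load of both sets. reload: only the flushed set.
# check: list rules with dynamic entries (-d), expired ones (-e), timestamps (-t).
case "${1:-reload}" in
    init)   reload; stateful_rules ;;
    reload) reload ;;
    check)  run ipfw -ted show ;;
esac
```

Run "init" once, then "reload" after editing the static rules and "check" to see whether the set 31 rules and their dynamic entries are still there.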