Date: Mon, 1 Sep 2003 16:39:03 +0200
From: Sten Daniel Sørsdal <sten.daniel.sorsdal@wan.no>
To: "Simon L. Nielsen" <simon@FreeBSD.org>
Cc: freebsd-ipfw@freebsd.org
Subject: RE: IPFW2, sets and dynamic rules.
Message-ID: <0AF1BBDF1218F14E9B4CCE414744E70F07DF32@exchange.wanglobal.net>
> > are there any ways to change the set 0 rules while still retaining the
> > functionality of the old dynamic rules?
>
> As Luigi said when you delete a rule the corresponding dynamic rules are
> deleted as well.

His answer is correct and I'm an idiot/impatient (I need my answers
straightforward, and can't do this pondering bit).

> I use the following hack which allows one reload without deleting
> running connections. I basically move all the "old" rules to a disabled
> set, so they still exist but aren't active. That way the dynamic rules
> aren't deleted.

Isn't this the same thing as swapping 0 and 1? After a swap, set 0 will
contain the new rules and set 1 will contain the old but will be disabled.

[.snip.]

> Note that this is just copy/pasted from my firewall script, but you
> should get the idea.
>
> This is not pretty, but it works.

Thank you for your example script, it made perfect sense now.

I now do a rotation of 1 through 15 like this:

    ipfw set disable 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 enable 0
    ipfw -q delete set 16
    for HN in 15 14 13 12 11 10 9 8 7 6 5 4 3 2 1
    do
        ipfw set move $HN to $(( $HN + 1 ))
    done
    alias allow="addrule allow"    # addrule() adds each rule to set 1
    alias deny="addrule deny"
    [...]
    allow tcp from any to any setup keep-state
    [...]
    ipfw set swap 0 1

A redundant enable 0, but I like it in my script to make sure nobody
manually did something.

The mistake I made was that I re-ran my firewall rules too many times
(the original script only allowed for one execution and the next would
kill the dynamic rule).

- Sten
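The set rotation Sten describes, written out as one complete reload script. This is an added example, not code from the mail or from FreeBSD: it assumes sets 1 through 15 hold previous generations of rules, that set 16 is the generation dropped on each reload, that new rules are staged in set 1 and swapped into set 0, and that IPFW may be pointed at "echo ipfw" to print the commands instead of running them. The rules in load_rules are constructed placeholders. It goes slightly beyond the mail in adding a check-state rule in front of the keep-state rule, so that state entries are consulted before the static rules.

```shell
#!/bin/sh
# Added example (not from the original mail): reload an IPFW2 ruleset while
# keeping the dynamic (keep-state) entries of earlier generations alive, by
# rotating old rules through disabled sets instead of deleting them.
#
# Assumptions: sets 1..KEEP hold old generations, set KEEP+1 is the one that
# falls off the end, new rules are staged in set 1 and swapped into set 0.
# IPFW="echo ipfw" prints the commands instead of executing them.

IPFW=${IPFW:-ipfw}
KEEP=15

# Run (or echo) one ipfw command. $IPFW is deliberately unquoted so that
# IPFW="echo ipfw" splits into a command and its first argument.
fw() { $IPFW "$@"; }

# Space-separated list "1 2 ... KEEP", built without relying on seq(1).
set_list() {
    i=1; list=""
    while [ "$i" -le "$KEEP" ]; do
        list="$list${list:+ }$i"
        i=$((i + 1))
    done
    printf '%s' "$list"
}

# Step 1: make sure only set 0 is live, delete the oldest generation (the
# only place where dynamic rules are lost), then shift every surviving
# generation one set up: 15->16, 14->15, ..., 1->2. Set 1 is now empty.
rotate_sets() {
    fw set disable $(set_list) enable 0
    fw -q delete set $((KEEP + 1))
    hn=$KEEP
    while [ "$hn" -ge 1 ]; do
        fw set move "$hn" to $((hn + 1))
        hn=$((hn - 1))
    done
}

# Step 2: stage the new rules in set 1, which rotate_sets left disabled,
# so nothing is enforced until the swap below.
addrule() { fw -q add set 1 "$@"; }
allow() { addrule allow "$@"; }
deny()  { addrule deny  "$@"; }

# Constructed placeholder ruleset; replace with the real policy.
load_rules() {
    allow ip from any to any via lo0
    addrule check-state
    allow tcp from any to any setup keep-state
    deny ip from any to any
}

# Step 3: swap sets 0 and 1. The new rules become set 0 (enabled); the
# previous generation becomes set 1, still disabled, so its state entries
# survive but no new connections match its static rules.
activate() {
    fw set swap 0 1
}

reload() { rotate_sets; load_rules; activate; }

case "${1:-}" in
    apply)   reload ;;
    dry-run) IPFW="echo ipfw"; reload ;;
esac
```

Run it as `sh reload-ipfw.sh dry-run` to see the exact ipfw commands, and with `apply` to execute them. Two things to keep in mind: ipfw has sets 0 through 31 with 31 reserved for the default rule, so set 16 is in range, but each reload keeps up to fifteen generations of stale rules in the kernel; and the `delete set 16` step does drop whatever dynamic rules were still attached to the oldest generation, so a burst of reloads faster than your keep-state lifetime will still cut old connections, just fifteen reloads later than the original one-shot script did.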