From owner-freebsd-security@FreeBSD.ORG Fri Apr 29 10:30:46 2005
From: Siddhartha Jain
Date: Fri, 29 Apr 2005 16:00:40 +0530
To: freebsd-security@freebsd.org
Subject: Re: IPFW disconnections and resets
Message-ID: <42720CD0.3080300@netmagicsolutions.com>
In-Reply-To: <20050429194242.I78552@Neo-Vortex.net>

Neo-Vortex wrote:
>> - When I run "/sbin/ipfw -q -f flush" in the rules script all connections
>> get reset (and I am thrown out of the box).
>
> Yep, standard functionality, easy fix though:
>
> -- Start file /root/bin/fws --
> #!/bin/sh
> fw > /root/fws-out 2>&1 &
> -- End File --
>
> -- Start file /root/bin/fw --
> #!/bin/sh
>
> ipfw="ipfw"
>
> # Flush Old Rules
> $ipfw -f flush
>
> # Temporary rules to stop connections being killed when reloading rules
> $ipfw add 1 allow tcp from any to any established
> $ipfw add 2 allow udp from any to any
>
> # - your rules go here (don't use rule 1 or 2 though)
>
> # Clean up temporary rules used to stop connections being killed
> $ipfw delete 1
> $ipfw delete 2
> -- End File --
>
> I use that all the time, maybe 1 out of 100 times it will kill an ssh
> session (only one that has irssi open, because of the time display updating,
> which kills it; I have it set to update every second though, so normally it'd
> be like 1 out of 500 or so) and even if it does, it still finishes loading
> the ruleset anyway so you can just ssh straight back in.
>
> If you haven't guessed, you run /root/bin/fws - you can change it to
> whatever you want of course. Also, the output is redirected to
> /root/fws-out - if you don't redirect it, it'll kill your ssh session,
> although it won't stop it loading the other rules.

Thanks :)

My changed rule file looks like this:

----start file ipfw.rules-----------
#!/bin/sh

/sbin/ipfw -q -f flush

cmd="/sbin/ipfw add "    # build rule prefix
ks="keep-state"          # just too lazy to key this each time

/sbin/ipfw add 1 allow tcp from any to any established

#####################################
$cmd 00500 check-state
$cmd 00502 deny all from any to any frag
#$cmd 00501 deny tcp from any to any established
$cmd 00602 allow tcp from 20x.xx.xx.xx/32 to any 22 in via ed0 $ks
$cmd 00603 allow tcp from 20x.xx.xx.xx/32 to any 22 in via ed0 $ks
$cmd 00604 allow all from 20x.xx.xx.xx/32 to any out via ed0 $ks
$cmd 00609 allow tcp from 22x.xx.0.0/16 to any 22 in via ed0 $ks
$cmd 00610 allow icmp from 22x.xx.0.0/16 to any in via ed0 $ks
$cmd 00611 allow tcp from 220.xx.0.0/16 to any 22 in via ed0 $ks
$cmd 00612 allow icmp from 220.xx.0.0/16 to any in via ed0 $ks
$cmd 02500 divert 8000 log tcp from any to any 80
$cmd 02501 allow tcp from any to any 80 in via ed0 $ks
#####################################

/sbin/ipfw delete 1
----end file ipfw.rules-----------

Even if I run this script as it is (without running it from within another
script and redirecting the output), I don't get disconnected.

Thanks again,

- Siddhartha
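Both scripts in this thread rely on the same sequence: flush, add a low-numbered temporary "allow established" rule, load the real rules, then delete the temporary rule. The script below is an added example, not code from either poster, that packages that sequence as a reload script with a dry-run mode and a check that no real rule reuses the reserved number (otherwise the final delete would remove it too). The sample rules, the 192.0.2.0/24 addresses and the log path are constructed for the example.

```shell
#!/bin/sh
# Reload an ipfw ruleset without dropping established TCP sessions, using the
# "temporary allow rule" sequence from this thread. Constructed example.
IPFW="${IPFW:-/sbin/ipfw}"
TMP_RULE=1   # reserved for the temporary rule; user rules must not reuse it

# Sample ruleset, one "<number> <rule body>" per line (constructed for this
# example; 192.0.2.0/24 is a documentation prefix, not a real network).
SAMPLE_RULES='00500 check-state
00502 deny all from any to any frag
00602 allow tcp from 192.0.2.10/32 to any 22 in via ed0 keep-state
02501 allow tcp from any to any 80 in via ed0 keep-state'

# ipfw accepts leading zeros, so "00001" names rule 1; normalise before comparing.
rule_num() { printf '%s\n' "$1" | sed 's/^0*\([0-9]\)/\1/'; }

# Refuse a ruleset that reuses the reserved number: the "delete" at the end of
# the reload would silently remove that user rule as well.
check_rules() {
    clashes=$(printf '%s\n' "$1" | while read -r num rest; do
        if [ "$(rule_num "$num")" = "$TMP_RULE" ]; then echo "$num"; fi
    done)
    [ -z "$clashes" ]
}

# Print the exact command sequence: flush, temporary allow, real rules, cleanup.
reload_plan() {
    printf '%s\n' "$IPFW -q -f flush"
    printf '%s\n' "$IPFW add $TMP_RULE allow tcp from any to any established"
    printf '%s\n' "$1" | while read -r num body; do
        printf '%s\n' "$IPFW add $num $body"
    done
    printf '%s\n' "$IPFW delete $TMP_RULE"
}

# Apply the plan. Output goes to a log file (hypothetical path) instead of the
# terminal, since the thread reports that output to the session can kill ssh.
reload_firewall() {
    check_rules "$1" || return 1
    reload_plan "$1" | sh >/var/log/ipfw-reload.log 2>&1
}

# Usage: sh reload.sh --dry-run   (print the plan)   |   sh reload.sh --apply
case "${1:-}" in
    --dry-run) check_rules "$SAMPLE_RULES" && reload_plan "$SAMPLE_RULES" ;;
    --apply)   reload_firewall "$SAMPLE_RULES" ;;
esac
```

The temporary rule is stateless and only bridges already-open TCP sessions; anything else still waits for the real rules, so the plan should be reviewed with --dry-run before --apply on a remote box.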