From: wishmaster
Date: Wed, 05 Sep 2018 13:12:01 +0300
Subject: Re: ipfw managing rules - best practice?
To: Ole
Cc: freebsd-ipfw@freebsd.org
Message-Id: <1536142048.486800466.0ltduhtv@mpop2-frv34.fwdcdn.com>
In-Reply-To: <20180905112847.54287198.ole@free.de>
List-Id: IPFW Technical Discussions

Hi,

here is my approach. I have one ipfw.conf and ipfw.conf.last files. And the script which does a diff of these files and changes only the rule(s) which have been changed. Therefore no need to reload service ipfw.

--- Original message ---
From: "Ole"
Date: 5 September 2018, 12:29:12

Hi,

I'm using ipfw firewall on several machines. Rules are made by users by hand or by configuration management tools. For this the ipfw.rules script sources other files:

  #!/bin/sh
  ipfw -q -f flush
  cmd="ipfw -q add"
  pif="epair0b"   # interface name of NIC attached to Internet

  $cmd 00010 allow all from any to any via lo0

  for RULES in `ls /etc/ipfw.rules.d/*.rules` ; do
      . $RULES
  done

  $cmd 09999 deny log all from any to any

If a user or a script alters a file, `service ipfw restart` is called. This is working fine except one thing. Active connections like sql, syslog, ssh, etc. get broken. They are defined like

  $cmd 01610 allow tcp from vpn.example.org to me 22 in via $pif setup limit src-addr 50

I understand that these connections get broken because the dynamic rules get flushed with the `ipfw -q -f flush` command. But commenting this command out results in a continuously growing rules table. With the `ipfw -d list` command I can see the dynamic rules.

Is there a way to flush the rules but not the dynamic ones? Or to add them again after flush? How do you reload your rules?

Thanks for help
Ole
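The diff-based reload wishmaster describes, written out as an added example (this is not wishmaster's own script and not part of the thread). It assumes ipfw.conf and ipfw.conf.last hold plain numbered rules, one per line, without the `$cmd` prefix; ipfw_plan only prints the commands, ipfw_apply runs them.

```sh
#!/bin/sh
# Added example, not wishmaster's script. Both files are assumed to hold plain
# numbered rules, one per line, e.g.
#   01610 allow tcp from 192.0.2.10 to me 22 in via epair0b setup limit src-addr 50
set -eu

# ipfw_plan OLDFILE NEWFILE: print the ipfw commands that turn the ruleset in
# OLDFILE into the one in NEWFILE, without ever flushing. Rules are grouped by
# number; a number whose text changed or vanished is deleted (this also drops
# that rule's dynamic entries), then any new text for it is added. Unchanged
# rules, and their keep-state/limit connections, are never touched.
ipfw_plan() {
    awk '
        { sub(/#.*/, ""); gsub(/[ \t]+/, " "); sub(/^ /, ""); sub(/ $/, "") }
        $0 == "" { next }
        $1 !~ /^[0-9]+$/ { print "no rule number, skipped: " $0 > "/dev/stderr"; next }
        FILENAME == ARGV[1] { old[$1 + 0] = old[$1 + 0] $0 "\n"; next }
        { new[$1 + 0] = new[$1 + 0] $0 "\n" }
        END {
            for (n in old) if (!(n in new) || old[n] != new[n])
                printf "%d 0 ipfw delete %d\n", n, n
            for (n in new) if (!(n in old) || old[n] != new[n]) {
                k = split(new[n], lines, "\n")
                for (i = 1; i < k; i++) printf "%d 1 ipfw add %s\n", n, lines[i]
            }
        }' "$1" "$2" | sort -k1,1n -k2,2n | cut -d" " -f3-   # delete before add, by number
}

# ipfw_apply OLDFILE NEWFILE: execute the plan, then record NEWFILE as applied.
ipfw_apply() {
    ipfw_plan "$1" "$2" | sh -e && cp "$2" "$1"
}

# Constructed sample: 1610 unchanged, 1620 changed, 1630 removed, 1640 new.
demo_plan() {
    tmp=$(mktemp -d)
    cat > "$tmp/ipfw.conf.last" <<'EOF'
01610 allow tcp from 192.0.2.10 to me 22 in via epair0b setup limit src-addr 50
01620 allow tcp from any to me 80 in via epair0b setup keep-state
01630 allow udp from any to me 514 in via epair0b
EOF
    cat > "$tmp/ipfw.conf" <<'EOF'
01610 allow tcp from 192.0.2.10 to me 22 in via epair0b setup limit src-addr 50
01620 allow tcp from any to me 80,443 in via epair0b setup keep-state
01640 allow tcp from any to me 25 in via epair0b setup keep-state
EOF
    ipfw_plan "$tmp/ipfw.conf.last" "$tmp/ipfw.conf"
    rm -r "$tmp"
}
```

Only rule 1620 and 1630 connections are affected by this reload; the SSH sessions limited by rule 1610 keep their dynamic entries because that rule is never deleted.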