Date: Wed, 05 Sep 2018 13:12:01 +0300 From: wishmaster <artemrts@ukr.net> To: Ole <ole@free.de> Cc: freebsd-ipfw@freebsd.org Subject: Re: ipfw managing rules - best practice? Message-ID: <1536142048.486800466.0ltduhtv@mpop2-frv34.fwdcdn.com> In-Reply-To: <20180905112847.54287198.ole@free.de> References: <20180905112847.54287198.ole@free.de>
next in thread | previous in thread | raw e-mail | index | archive | help
Hi, here is my approach. I have one ipfw.conf and ipfw.conf.last files. And the script wich does diff of this files and changes only that rule(s) wich has been changed. Therefore no need to reload service ipfw. --- Original message --- From: "Ole" <ole@free.de> Date: 5 September 2018, 12:29:12 Hi, I'm using ipfw firewall on several machines. Rules are made by users by hand or by configuration management tools. For this the ipfw.rules script sources other files: #!/bin/sh ipfw -q -f flush cmd="ipfw -q add" pif="epair0b" # interface name of NIC attached to Internet $cmd 00010 allow all from any to any via lo0 for RULES in `ls /etc/ipfw.rules.d/*.rules` ; do . $RULES done $cmd 09999 deny log all from any to any If a user or a script alters a file, `service ipfw restart` is called. This is working fine except one thing. Active connections like sql, syslog, ssh, etc. get broken. They are defined like $cmd 01610 allow tcp from vpn.example.org to me 22 in via $pif setup limit src-addr 50 I understand, that this connections get broken because the dynamic rules get flushed with the `ipfw -q -f flush` command. But commenting this command out results in a continuously growing rules table. With the `ipfw -d list` command I can see the dynamic rules. Is there a way to flush the rules but not the dynamic ones? Or to add them again after flush? How do you reload your rules? Thanks for help Ole
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?1536142048.486800466.0ltduhtv>