Date: Wed, 5 Sep 2018 18:33:58 +0300
From: "Andrey V. Elsukov" <bu7cher@yandex.ru>
To: Ole <ole@free.de>, freebsd-ipfw@freebsd.org
Subject: Re: ipfw managing rules - best practice?
Message-ID: <67544958-07fe-7ff4-b5d2-88bf85324061@yandex.ru>
In-Reply-To: <20180905112847.54287198.ole@free.de>
References: <20180905112847.54287198.ole@free.de>
On 05.09.2018 12:28, Ole wrote:
> I understand that these connections get broken because the dynamic
> rules get flushed with the `ipfw -q -f flush` command. But commenting
> this command out results in a continuously growing rules table.
>
> With the `ipfw -d list` command I can see the dynamic rules.
> Is there a way to flush the rules but not the dynamic ones?
> Or to add them again after flush?

There is a net.inet.ip.fw.dyn_keep_states sysctl variable. It allows keeping dynamic state when the parent rule is deleted. But you need to use a default_to_accept firewall to make it work. I plan to reimplement this feature to be more useful and work with any rules, not only with "allow" rules.

-- 
WBR, Andrey V. Elsukov
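A reload helper built around the sysctl Andrey describes, added here as an example; it is not code from the thread, from Andrey, or from FreeBSD. It assumes a ruleset file in ipfw(8) rule-file syntax at /etc/ipfw.rules (hypothetical path) and lets $IPFW and $SYSCTL be pointed at stand-in functions so the sequence can be dry-run on a host without ipfw.

```sh
#!/bin/sh
# Added example, not code from the thread. Reload an ipfw ruleset without losing
# the dynamic states that "ipfw -q -f flush" destroys, by turning on the
# net.inet.ip.fw.dyn_keep_states sysctl first. Assumptions: root on FreeBSD,
# the ruleset is a file in ipfw(8) rule-file syntax ($RULES, hypothetical path),
# and $IPFW/$SYSCTL may be pointed at stand-in functions for an offline dry run.
IPFW=${IPFW:-ipfw}
SYSCTL=${SYSCTL:-sysctl}
RULES=${RULES:-/etc/ipfw.rules}

# Constructed sample of "ipfw -d list" output (format modelled loosely on the
# real one); only the entries after the "## Dynamic rules" header are states.
SAMPLE_DYN_LIST='00100 allow ip from any to any via lo0
00300 allow tcp from me to any setup keep-state
65535 allow ip from any to any
## Dynamic rules (2 0):
00300   5   420 (10s) STATE tcp 192.0.2.10 54321 <-> 198.51.100.5 22 :default
00300   3   180 (9s) STATE tcp 192.0.2.10 54322 <-> 198.51.100.7 443 :default'

# Count dynamic states in "ipfw -d list" output read from stdin.
count_dyn_states() {
    awk '/^## Dynamic rules/ { in_dyn = 1; next }
         in_dyn && / STATE / { n++ }
         END { print n + 0 }'
}

# Reload the ruleset. Refuses (returns 1) without touching the firewall unless
# default_to_accept is 1, because the thread says dyn_keep_states only works
# with a default-to-accept firewall.
reload_rules() {
    dta=$($SYSCTL -n net.inet.ip.fw.default_to_accept 2>/dev/null)
    if [ "$dta" != "1" ]; then
        echo "reload_rules: dyn_keep_states needs default_to_accept=1 (got '${dta:-unset}')" >&2
        return 1
    fi
    before=$($IPFW -d list | count_dyn_states)
    $SYSCTL net.inet.ip.fw.dyn_keep_states=1 || return 1
    $IPFW -q -f flush || return 1       # static rules go, states stay
    $IPFW -q "$RULES" || return 1       # load the static rules again
    after=$($IPFW -d list | count_dyn_states)
    echo "dynamic states: $before before reload, $after after"
}
```

Compare the two counts after a real reload: if the second is zero, the states were lost and the default_to_accept prerequisite or the rule types (only "allow" rules at the time of the thread) should be checked.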