From: Freddie Cash <fjwcash@gmail.com>
Date: Wed, 5 Sep 2018 08:38:23 -0700
Subject: Re: ipfw managing rules - best practice?
To: ole@free.de
Cc: freebsd-ipfw@freebsd.org
In-Reply-To: <20180905112847.54287198.ole@free.de>
List-Id: IPFW Technical Discussions

On Wed, Sep 5, 2018 at 2:29 AM Ole wrote:
> Hi,
>
> I'm using ipfw firewall on several machines. Rules are made by users by
> hand or by configuration management tools.
>
> For this the ipfw.rules script sources other files:
>
> #!/bin/sh
>
> ipfw -q -f flush
> cmd="ipfw -q add"
> pif="epair0b" # interface name of NIC attached to Internet
> $cmd 00010 allow all from any to any via lo0
> # glob directly instead of parsing ls output
> for RULES in /etc/ipfw.rules.d/*.rules ; do
>     . "$RULES"
> done
> $cmd 09999 deny log all from any to any
>
> If a user or a script alters a file, `service ipfw restart` is called.
> This is working fine except one thing. Active connections like sql,
> syslog, ssh, etc. get broken. They are defined like
>
> $cmd 01610 allow tcp from vpn.example.org to me 22 in via $pif setup
> limit src-addr 50
>
> I understand that these connections get broken because the dynamic
> rules get flushed with the `ipfw -q -f flush` command. But commenting
> this command out results in a continuously growing rules table.
>
> With the `ipfw -d list` command I can see the dynamic rules.
> Is there a way to flush the rules but not the dynamic ones?
> Or to add them again after flush?
>
> How do you reload your rules?

Rule sets are made for this. :)

Edit your script to create a new rule set 1 as the first step. Then insert all the rules into rule set 1. As the last line of your script, you swap set 1 and set 0, which makes your new rules live. It's an atomic switch, so no packets are lost or connections dropped.

(Note: I've never used stateful filtering with IPFW so not sure how the rule set switch interacts with that, but it shouldn't drop the dynamic connections.)

ipfw delete set 1
ipfw set disable 1
... all your normal rules, prepended by "set 1"
ipfw set enable 1
ipfw set swap 1 0
ipfw set disable 1
ipfw delete set 1

-- 
Freddie Cash
fjwcash@gmail.com
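The set-swap sequence above, written out as a complete reload script. This is an added example for this thread, not Ole's script, Freddie's, or anything shipped with FreeBSD. It assumes the layout from the question: rule files under /etc/ipfw.rules.d that call `$cmd NNNN action ...` and refer to `$pif`. The build set number 1, the `/sbin/ipfw` path and the `plan`/`reload` subcommand names are choices made for the example. Two details the sketch leaves implicit: `ipfw add` takes `set N` after the rule number, so the script wraps `$cmd` in a function that inserts it rather than requiring edits to every rule file; and the build set is disabled while it is populated, so a half-built set is never live. One caveat on the stateful rules: by default the kernel drops a rule's dynamic states when that rule is deleted, which is what the final `delete set 1` does to the old rules; the sysctl net.inet.ip.fw.dyn_keep_states controls that behaviour, so verify it with `sysctl -d` on the target release before relying on the swap to preserve `limit`/`keep-state` sessions.

```shell
#!/bin/sh
# ipfw-set-reload.sh: build the new rule set in a disabled ipfw set, then
# swap it live in one ipfw call.  Added example for this thread; assumes
# Ole's /etc/ipfw.rules.d layout and rule files that call "$cmd NNNN ...".
#
# Usage:  sh ipfw-set-reload.sh reload [rulesdir]   # apply
#         sh ipfw-set-reload.sh plan   [rulesdir]   # print commands only

IPFW=${IPFW:-/sbin/ipfw}        # assumed path; ipfw(8) lives in /sbin
LIVE_SET=0                      # set 0 is enabled by default: the live rules
BUILD_SET=1                     # chosen for the example; any unused set 1..30
PLAN_ONLY=${PLAN_ONLY:-0}
pif=${pif:-epair0b}             # interface the rule files reference as $pif

# Single choke point for every ipfw invocation, so the exact sequence can be
# reviewed (plan mode) or stubbed out.
run_ipfw() {
    if [ "$PLAN_ONLY" = 1 ]; then
        printf '%s %s\n' "$IPFW" "$*"
    else
        "$IPFW" "$@"
    fi
}

# What the rule files see as "$cmd".  ipfw(8) expects "set N" right after
# the rule number, so insert it there and pass the rest through untouched.
add_rule() {
    num=$1; shift
    run_ipfw -q add "$num" set "$BUILD_SET" "$@"
}
cmd=add_rule

load_rules() {
    dir=$1
    # The build set is normally empty; ipfw may report that as an error,
    # which is harmless here.
    run_ipfw -q delete set "$BUILD_SET" 2>/dev/null || :
    run_ipfw set disable "$BUILD_SET"   # nothing in it may match yet
    add_rule 00010 allow all from any to any via lo0
    for f in "$dir"/*.rules; do
        [ -e "$f" ] || continue         # empty dir: glob stays literal
        . "$f"
    done
    add_rule 09999 deny log all from any to any
}

# Enable the finished set, exchange it with the live set atomically, then
# retire the old rules that now sit in the build set.
swap_live() {
    run_ipfw set enable "$BUILD_SET"
    run_ipfw set swap "$BUILD_SET" "$LIVE_SET"
    run_ipfw set disable "$BUILD_SET"
    run_ipfw -q delete set "$BUILD_SET"
}

# By default the kernel drops a rule's dynamic states when the rule is
# deleted; net.inet.ip.fw.dyn_keep_states changes that.  Assumption to
# confirm with "sysctl -d" on the target release.
warn_if_states_flushed() {
    v=$(sysctl -n net.inet.ip.fw.dyn_keep_states 2>/dev/null) || return 0
    [ "$v" = 0 ] && echo "warning: dyn_keep_states=0; states of the retired set will be dropped" >&2
    return 0
}

reload() {
    [ "$PLAN_ONLY" = 1 ] || warn_if_states_flushed
    load_rules "${1:-/etc/ipfw.rules.d}"
    swap_live
}

case "${1:-}" in
    reload) PLAN_ONLY=0; reload "$2" ;;
    plan)   PLAN_ONLY=1; reload "$2" ;;
esac
```

`plan` prints the ipfw command sequence for a rules directory without touching the firewall, which is the easiest way to review what a configuration-management change will do before `reload` applies it.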