Date:      Wed, 5 Sep 2018 08:38:23 -0700
From:      Freddie Cash <fjwcash@gmail.com>
To:        ole@free.de
Cc:        freebsd-ipfw@freebsd.org
Subject:   Re: ipfw managing rules - best practice?
Message-ID:  <CAOjFWZ76Gi=MMVSPEpuexN2bBHUankGi3mY196E3GV%2BdaaGnMw@mail.gmail.com>
In-Reply-To: <20180905112847.54287198.ole@free.de>
References:  <20180905112847.54287198.ole@free.de>

On Wed, Sep 5, 2018 at 2:29 AM Ole <ole@free.de> wrote:

> Hi,
>
> I'm using ipfw firewall on several machines. Rules are made by users by
> hand or by configuration management tools.
>
> For this the ipfw.rules script sources other files:
>
> #!/bin/sh
>
> ipfw -q -f flush
> cmd="ipfw -q add"
> pif="epair0b"     # interface name of NIC attached to Internet
> $cmd 00010 allow all from any to any via lo0
> for RULES in /etc/ipfw.rules.d/*.rules ; do
>   . $RULES
> done
> $cmd 09999 deny log all from any to any
>
> If a user or a script alters a file, `service ipfw restart` is called.
> This is working fine except for one thing. Active connections like sql,
> syslog, ssh, etc. get broken. They are defined like
>
> $cmd 01610 allow tcp from vpn.example.org to me 22 in via $pif setup
> limit src-addr 50
>
> I understand that these connections get broken because the dynamic
> rules get flushed with the `ipfw -q -f flush` command. But commenting
> this command out results in a continuously growing rules table.
>
> With the `ipfw -d list` command I can see the dynamic rules.
> Is there a way to flush the rules but not the dynamic ones?
> Or to add them again after flush?
>
> How do you reload your rules?
>

Rule sets are made for this.  :)

Edit your script to create a new rule set 1 as the first step.  Then
insert all the rules into rule set 1.

As the last line of your script, you swap set 1 and set 0, which makes your
new rules live.  It's an atomic switch, so no packets are lost or
connections dropped.  (Note:  I've never used stateful filtering with IPFW
so not sure how the rule set switch interacts with that, but it shouldn't
drop the dynamic connections.)


ipfw -f set 1 flush
ipfw set disable 1

... all your normal rules, prepended by "set 1"

ipfw set enable 1
ipfw set swap 1 0
ipfw set disable 1
ipfw -f set 1 flush


-- 
Freddie Cash
fjwcash@gmail.com
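The set-swap sequence from the reply as a complete ipfw.rules script (an added example, not code from either poster): every rule is added into staging set 1 while set 0 keeps filtering, the existing drop-in files keep using `$cmd NNNNN ...`, and the swap makes the new rules live in one step. The /etc/ipfw.rules.d path and the epair0b interface come from the question; the IPFW and RULES_DIR overrides for a dry run are an assumption.

```shell
#!/bin/sh
# Added example, not code from the thread: Ole's ipfw.rules rewritten along
# the lines of Freddie's reply. New rules are built in a staging set while the
# live set (0) keeps filtering, then the two sets are swapped in one step.
# The thread does not settle how the swap interacts with keep-state/limit
# rules, so check `ipfw -d list` after a reload on a test host first.
# Assumptions: drop-in files live in /etc/ipfw.rules.d and use "$cmd NNNNN ...",
# as in the question; IPFW and RULES_DIR can be overridden for a dry run.

IPFW="${IPFW:-ipfw}"
RULES_DIR="${RULES_DIR:-/etc/ipfw.rules.d}"
STAGE=1                 # staging set; set 0 is the live set
pif="epair0b"           # interface name of NIC attached to Internet

# add_rule <number> <rule body...>: add one rule into the staging set.
add_rule() {
    _num="$1"; shift
    "$IPFW" -q add "$_num" set "$STAGE" "$@"
}
cmd=add_rule            # keeps existing "$cmd 01610 allow ..." drop-ins working

# Same rules as the original script, now all landing in set $STAGE.
load_rules() {
    $cmd 00010 allow all from any to any via lo0
    for f in "$RULES_DIR"/*.rules; do
        [ -r "$f" ] && . "$f"
    done
    $cmd 09999 deny log all from any to any
}

reload_ruleset() {
    "$IPFW" -q -f set "$STAGE" flush   # only the staging set, not the live rules
    "$IPFW" -q set disable "$STAGE"    # a half-built set is never consulted
    load_rules
    "$IPFW" -q set enable "$STAGE"
    "$IPFW" -q set swap "$STAGE" 0     # atomic: new rules become set 0
    "$IPFW" -q set disable "$STAGE"    # old rules now sit in the staging set
    "$IPFW" -q -f set "$STAGE" flush   # ...and are dropped
}

# Apply only when run as the rc.conf firewall_script (/etc/ipfw.rules);
# sourcing the file under another name just defines the functions.
case "$0" in *ipfw.rules) reload_ruleset ;; esac
```

Running it with `IPFW=echo sh /etc/ipfw.rules` prints the exact ipfw commands the reload would issue, which is a cheap way to review a drop-in file before it touches the live set.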
