Date:      Fri, 29 Apr 2005 19:47:59 +1000 (EST)
From:      Neo-Vortex <root@Neo-Vortex.net>
To:        Siddhartha Jain <sid@netmagicsolutions.com>
Cc:        freebsd-security@freebsd.org
Subject:   Re: IPFW disconnections and resets
Message-ID:  <20050429194242.I78552@Neo-Vortex.net>
In-Reply-To: <4272011F.9040707@netmagicsolutions.com>
References:  <4272011F.9040707@netmagicsolutions.com>



On Fri, 29 Apr 2005, Siddhartha Jain wrote:

> I am facing two problems:
> - SSH sessions timeout after a while

In PuTTY or whatever other SSH client you use, enable sending of
keepalive packets (for PuTTY, under connection settings). (Not sure if
this is because of ipfw or what, but the TCP session is timing out.)

> - When I run "/sbin/ipfw -q -f flush" in the rules script all connection
> get reset (and I am thrown out of the box).

Yep, standard functionality, easy fix though:

-- Start file /root/bin/fws --
#!/bin/sh
# Run the rule loader in the background with all of its output going to a
# file instead of this terminal (see the note below about why).
/root/bin/fw > /root/fws-out 2>&1 &
-- End File --

-- Start file /root/bin/fw --
#!/bin/sh

ipfw="ipfw"

# Flush old rules (-f: don't ask for confirmation)
$ipfw -f flush

# Temporary rules to stop connections being killed while the rules reload:
# rule 1 passes packets of already-established TCP sessions (ACK or RST set),
# rule 2 passes all UDP
$ipfw add 1 allow tcp from any to any established
$ipfw add 2 allow udp from any to any

# <snip> - your rules go here (don't use rule numbers 1 or 2 though)

# Clean up the temporary rules used to stop connections being killed
$ipfw delete 1
$ipfw delete 2
-- End File --

I use that all the time; maybe 1 out of 100 times it will kill an SSH
session (only one that has irssi open, because of the time updating it kills
it; I have it set to update every second though, so normally it'd be like
1 out of 500 or so), and even if it does, it still finishes loading the
ruleset anyway, so you can just SSH straight back in.

If you haven't guessed, you run /root/bin/fws - you can change it to
whatever you want of course. Also, the output is redirected to
/root/fws-out - if you don't redirect it, it'll kill your SSH session -
although it won't stop it loading the other rules.

~Neo-Vortex
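Two generated variants of the same reload, as an added example that is not part of the original message and not Neo-Vortex's scripts: the first reproduces the flush-then-placeholder ordering used above, the second stages the new rules in a disabled ipfw set and swaps it in atomically, so there is no moment at all in which the ruleset is empty and the default rule decides. Each function reads the real rules from stdin as plain "add [number] action ..." lines and prints the command list that ipfw(8) accepts from a rules file, so the result can be inspected before it is handed to ipfw in one invocation (ipfw -q -f FILE). The staging set number 18, the placeholder rule numbers 1 and 2 (the ones the post uses), the file paths and the sample rules are this example's own assumptions.

```shell
#!/bin/sh
# Added example (not code from the original post): generate the ipfw(8)
# command file for a rule reload in two ways. Each function reads rule
# lines ("add [number] action body") on stdin and prints the complete
# command list on stdout. Nothing here touches the kernel; the output is
# loaded afterwards with, for example:
#
#   reload_with_set_swap < /etc/ipfw.rules > /var/run/ipfw.load
#   ipfw -q -f /var/run/ipfw.load
#
# Assumed, not from the original post: placeholder rule numbers 1 and 2,
# staging set 18, and the paths above.

# Drop blank lines and "#" comments so only rule lines reach ipfw.
strip_comments() {
    sed -e '/^[[:space:]]*#/d' -e '/^[[:space:]]*$/d'
}

# Variant 1: the pattern from the post. Flush everything, immediately
# re-admit established TCP (ACK or RST set) and all UDP as rules 1 and 2,
# load the real rules, then drop the two placeholders. Packets arriving
# between "flush" and "add 1" still hit the default rule; that short
# window is what occasionally kills a session.
reload_with_placeholders() {
    echo "flush"
    echo "add 1 allow tcp from any to any established"
    echo "add 2 allow udp from any to any"
    strip_comments
    echo "delete 1"
    echo "delete 2"
}

# Variant 2: build the new rules in a disabled set and swap it in
# atomically. Rules in a disabled set are skipped during matching;
# "set swap" exchanges the set numbers of the two groups of rules in one
# operation, after which the old rules sit in the disabled set and can be
# deleted. Set 31 is reserved for the default rule, so 1..30 are usable.
STAGING_SET=18

reload_with_set_swap() {
    echo "set disable $STAGING_SET"
    # Tag every rule with the staging set: "add N allow ..." becomes
    # "add N set 18 allow ..." and an unnumbered "add allow ..." becomes
    # "add set 18 allow ...". Input lines must not already carry "set".
    strip_comments \
        | sed -e "s/^add \([0-9][0-9]*\) /add \1 set $STAGING_SET /" \
              -e "s/^add \([a-z]\)/add set $STAGING_SET \1/"
    echo "set swap $STAGING_SET 0"
    echo "delete set $STAGING_SET"
}

# Constructed sample ruleset for demonstration only (not a real policy).
SAMPLE_RULES='# constructed sample ruleset
add 100 allow ip from any to any via lo0
add 200 allow tcp from any to me 22 setup
add 210 allow tcp from any to any established
add 300 deny log ip from any to any'

# Running this file directly prints both generated command lists.
echo "# --- variant 1: flush + placeholder rules ---"
printf '%s\n' "$SAMPLE_RULES" | reload_with_placeholders
echo "# --- variant 2: staged set swap ---"
printf '%s\n' "$SAMPLE_RULES" | reload_with_set_swap
```

With the set-swap variant the old rules stay active until the swap, so the established/UDP placeholders are not needed; the only requirement is that the new ruleset itself lets the current session through (rule 210 in the sample). Give the rules explicit numbers, since unnumbered rules added next to an existing ruleset are auto-numbered above it.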



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20050429194242.I78552>