IPFW2, sets and dynamic rules.
Simon L. Nielsen
simon at FreeBSD.org
Mon Sep 1 07:09:30 PDT 2003
On 2003.09.01 15:29:36 +0200, Sten Daniel Sørsdal wrote:
> are there any ways to change the set 0 rules while still retaining the
> functionality of the old dynamic rules?
As Luigi said, when you delete a rule the corresponding dynamic rules are
deleted as well.
I use the following hack which allows one reload without deleting
running connections. I basically move all the "old" rules to a disabled
set, so they still exist but aren't active. That way the dynamic rules
aren't deleted.
# fwcmd is set earlier in the full script (e.g. fwcmd="/sbin/ipfw")
set_nospoof="2"
set_bandwidth="3"
set_std="4"
set_nitro="5"
set_bogon="6"
set_old="30"
# All the default active sets :
sets_normal="0 $set_nospoof $set_bandwidth $set_std $set_nitro $set_bogon"
# Clean old set (rules parked by the previous reload, and their dynamic rules)
${fwcmd} delete set ${set_old}
# Enable the old set first, so the moved rules keep filtering while we reload
${fwcmd} set enable ${set_old}
# Move all rules to special set
for s in $sets_normal; do
	${fwcmd} set move ${s} to ${set_old}
done
# Disable normal sets so we can safely add to them (rules in a disabled set are inert)
${fwcmd} set disable $sets_normal
${fwcmd} add set ${set_std} reset tcp from any to any 113
# A lot of other rules
# Now we switch to the new sets, in one atomic ipfw command
${fwcmd} set disable ${set_old} enable ${sets_normal}
Note that this is just copy/pasted from my firewall script, but you should
get the idea.
This is not pretty, but it works.
--
Simon L. Nielsen
FreeBSD Documentation Team
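The set-swap reload above, as an added example that is not part of Simon's post or script: it packages the same ipfw(8) subcommands (delete set, set enable/disable, set move, add set) into functions, aborts before the swap if any new rule fails to load so the parked rules stay active, and can be dry-run by pointing FWCMD at echo. FWCMD, the set numbering, the rule bodies and the function names are assumptions for illustration.

```sh
#!/bin/sh
# Added example (not from the original post): the set-swap reload as a
# reusable script. Only the ipfw(8) subcommands used in the post appear.
# FWCMD is an assumed hook: point it at "echo" to print the commands
# instead of running them.
FWCMD="${FWCMD:-/sbin/ipfw}"

# Sets that hold the live ruleset (assumed numbering, mirrors the post).
SETS_NORMAL="0 2 3 4 5 6"
# Parking set for the previous generation of rules.
SET_OLD=30

# Step 1: drop the rules parked by the last reload (their dynamic rules
# go with them), then park the live rules. The parking set is enabled
# before the move so the moved rules keep filtering during the reload.
park_live_rules() {
    "$FWCMD" delete set "$SET_OLD"
    "$FWCMD" set enable "$SET_OLD" || return 1
    for s in $SETS_NORMAL; do
        "$FWCMD" set move "$s" to "$SET_OLD" || return 1
    done
    # Rules added to a disabled set are inert until the swap.
    "$FWCMD" set disable $SETS_NORMAL
}

# Step 2: load the new generation into the (now disabled) normal sets.
# Any failure returns before the swap, so the parked rules stay active
# and nothing half-loaded ever sees traffic. Rule bodies are illustrative.
load_new_rules() {
    "$FWCMD" add set 0 check-state || return 1
    "$FWCMD" add set 4 reset tcp from any to any 113 || return 1
    "$FWCMD" add set 4 allow tcp from me to any setup keep-state || return 1
    "$FWCMD" add set 4 deny ip from any to any || return 1
}

# Step 3: one atomic ipfw command turns the parked set off and the new
# sets on; there is no window with neither generation active.
swap_in_new_rules() {
    "$FWCMD" set disable "$SET_OLD" enable $SETS_NORMAL
}

reload() {
    park_live_rules && load_new_rules && swap_in_new_rules
}

# Print the exact command sequence without touching the kernel.
dry_run() {
    ( FWCMD=echo; reload )
}
```

Run `dry_run` first and read the output; the last line must be the single `set disable 30 enable ...` command, and every `add` must come after the `set disable` of the normal sets. Because set 30 is re-used as the parking set, the script still gives you only one reload per generation of dynamic rules, exactly as the post says.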