ipfw managing rules - best practice?

Ole ole at free.de
Tue Oct 23 11:12:33 UTC 2018


Wed, 5 Sep 2018 18:33:58 +0300 - "Andrey V. Elsukov"
<bu7cher at yandex.ru>:

> On 05.09.2018 12:28, Ole wrote:
> > I understand that these connections get broken because the dynamic
> > rules get flushed with the `ipfw -q -f flush` command. But
> > commenting this command out results in a continuously growing rules
> > table.
> > 
> > With the `ipfw -d list` command I can see the dynamic rules. 
> > Is there a way to flush the rules but not the dynamic ones?
> > Or to add them again after flush?  
> 
> There is a net.inet.ip.fw.dyn_keep_states sysctl variable. It allows
> keeping dynamic state when the parent rule is deleted. But you need to
> use a default_to_accept firewall to make it work.
> I plan to reimplement this feature to be more useful and work with any
> rules, and not only with "allow" rules.

Ah, thank you very much. This is exactly what I was searching for. I
deployed it to some machines and it is working well.

One question: I have lots of hostname-dependent rules in lots of jails.
Do you think it is OK to reload the ruleset every 5 min by cron to
re-resolve the hostnames?

regards
Ole
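Worked example for the reload question above, added here as an illustration and not code from the thread, from Ole's setup or from FreeBSD itself. It takes Andrey's two conditions (net.inet.ip.fw.dyn_keep_states=1 on a default_to_accept firewall) and combines them with the periodic re-resolution Ole asks about, but replaces `ipfw -q -f flush` with an ipfw rule-set swap: new rules are loaded into a disabled staging set, `ipfw set swap` switches them live in one kernel operation, and only then is the old set deleted. Everything else is an assumption of the example: the @hostname@ template format, the use of set 8 as staging set, drill(1) from the FreeBSD base system as resolver (the FAKE_HOSTS table is a constructed stand-in so the script can be exercised offline), and the sysctl net.inet.ip.fw.default_to_accept as the way to check the default_to_accept condition.

```shell
#!/bin/sh
# reload-ipfw.sh: hypothetical reload helper (added example, not from the thread).
# Re-resolves @hostname@ tokens in a rule template and installs the result
# atomically with an ipfw rule-set swap instead of `ipfw -q -f flush`.
set -eu

LIVE_SET=0   # where the running rules live (ipfw default set)
STAGE_SET=8  # assumption: nothing else on the host uses set 8

# Constructed lookup table, "name ip" per line, used only for offline
# testing; leave empty to resolve through drill(1) (assumed to be present).
: "${FAKE_HOSTS:=}"

resolve_host() {
    if [ -n "$FAKE_HOSTS" ]; then
        printf '%s\n' "$FAKE_HOSTS" | awk -v n="$1" '$1 == n { print $2 }'
        return 0
    fi
    # Only the ANSWER section is parsed, so glue A records from the
    # ADDITIONAL section can never end up inside an allow rule.
    drill A "$1" 2>/dev/null | awk '
        /^;; ANSWER SECTION/ { ans = 1; next }
        /^;;/                { ans = 0 }
        ans && $4 == "A"     { print $5 }'
}

# Replace every @name@ token with each resolved address (one rule per
# address, cross product when a line has several tokens). An unresolvable
# name is a hard failure: a deny rule silently dropped because DNS was
# down would fail open, so the whole reload aborts instead.
expand_line() {
    local rule name addrs a
    rule=$1
    case "$rule" in
        *@*@*)
            name=${rule#*@}
            name=${name%%@*}
            addrs=$(resolve_host "$name")
            if [ -z "$addrs" ]; then
                echo "reload aborted: cannot resolve '$name' in: $rule" >&2
                return 1
            fi
            for a in $addrs; do
                expand_line "$(printf '%s' "$rule" | sed "s/@$name@/$a/g")" || return 1
            done
            ;;
        *)
            printf '%s\n' "$rule"
            ;;
    esac
}

# Template on stdin, one "<number> <rule body>" per line, e.g.
#   100 allow tcp from any to @backup.example.org@ 22 keep-state
# Output: "add <number> set <stage> <body>" lines, readable with `ipfw /file`.
# Explicit numbers are reused on every reload; auto-numbered rules would
# creep towards 65535 after enough five-minute reloads.
build_ruleset() {
    local stage line num body expanded
    stage=$1
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in ''|'#'*) continue ;; esac
        num=${line%% *}
        body=${line#* }
        case "$num" in ''|*[!0-9]*) echo "bad rule number in: $line" >&2; return 1 ;; esac
        [ "$body" != "$line" ] || { echo "missing rule body in: $line" >&2; return 1; }
        expanded=$(expand_line "$body") || return 1
        printf '%s\n' "$expanded" | sed "s/^/add $num set $stage /"
    done
}

reload() {
    local tmp
    tmp=$(mktemp) || return 1
    # Build first, install second: the live set is untouched unless every
    # name in the template resolved.
    build_ruleset "$STAGE_SET" < "$1" > "$tmp" || { rm -f "$tmp"; return 1; }
    # The two conditions from the thread for dynamic states to survive
    # deletion of their parent rules.
    [ "$(sysctl -n net.inet.ip.fw.dyn_keep_states)" = 1 ] ||
        { echo "net.inet.ip.fw.dyn_keep_states=0: states would be lost" >&2; rm -f "$tmp"; return 1; }
    [ "$(sysctl -n net.inet.ip.fw.default_to_accept)" = 1 ] ||
        { echo "firewall is not default_to_accept: kept states would hit a deny" >&2; rm -f "$tmp"; return 1; }
    ipfw -q set disable "$STAGE_SET"
    ipfw -q delete set "$STAGE_SET" 2>/dev/null || true   # drop stale staging rules
    ipfw -q "$tmp"                                        # load new rules, still disabled
    ipfw -q set swap "$LIVE_SET" "$STAGE_SET"              # one atomic switch, no empty-ruleset window
    ipfw -q delete set "$STAGE_SET"                        # old rules go; their states survive
    rm -f "$tmp"
}

# Usage, e.g. from cron every 5 minutes:  reload-ipfw.sh /etc/ipfw.template
[ $# -eq 0 ] || reload "$1"
```

Two points behind the design. First, a flush followed by re-adding rules leaves a moment in which only the default rule exists; on the default_to_accept firewall that dyn_keep_states requires here, that moment passes all traffic, so a cron job doing it every five minutes opens a short fail-open window 288 times a day. The set swap replaces the whole ruleset in a single operation and has no such window. Second, resolving hostnames at reload time makes DNS part of the firewall's trust boundary: whatever the resolver answers becomes an address in an allow rule within one cron period, which is why the script only reads the answer section and refuses to install anything when a name does not resolve, rather than quietly installing a ruleset with a rule missing. If you run an ipfw where dyn_keep_states already works with any rule type, the default_to_accept check is the one line to drop.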

