ipfw managing rules - best practice?

Ole ole at free.de
Wed Oct 24 16:23:13 UTC 2018


Tue, 23 Oct 2018 13:12:20 +0200 - Ole <ole at free.de>:

> Wed, 5 Sep 2018 18:33:58 +0300 - "Andrey V. Elsukov"
> <bu7cher at yandex.ru>:
> 
> > On 05.09.2018 12:28, Ole wrote:
> > > I understand that these connections get broken because the
> > > dynamic rules get flushed with the `ipfw -q -f flush` command. But
> > > commenting this command out results in a continuously growing
> > > rules table.
> > > 
> > > With the `ipfw -d list` command I can see the dynamic rules. 
> > > Is there a way to flush the rules but not the dynamic ones?
> > > Or to add them again after flush?  
> > 
> > There is a net.inet.ip.fw.dyn_keep_states sysctl variable. It allows
> > keeping dynamic state when the parent rule is deleted. But you need to
> > use a default_to_accept firewall to make it work.
> > I plan to reimplement this feature to be more useful and work with
> > any rules, and not only with "allow" rules.
> 
> Ah, thank you very much. This is exactly what I was searching for. I
> deployed it to some machines and it is working well.

OK, it is not working.

I tested it only on a host system. It was working. When I deployed the
ipfw script to the jails, I missed that 'ipfw -q -f flush' was commented
out.

So what happens inside the Jail:

Host:
# sysctl net.inet.ip.fw
net.inet.ip.fw.dyn_keep_states: 1
net.inet.ip.fw.dyn_keepalive: 1
net.inet.ip.fw.dyn_short_lifetime: 5
net.inet.ip.fw.dyn_udp_lifetime: 10
net.inet.ip.fw.dyn_rst_lifetime: 1
net.inet.ip.fw.dyn_fin_lifetime: 1
net.inet.ip.fw.dyn_syn_lifetime: 20
net.inet.ip.fw.dyn_ack_lifetime: 300
net.inet.ip.fw.dyn_parent_max: 4096
net.inet.ip.fw.dyn_max: 16384
net.inet.ip.fw.dyn_buckets: 8192
net.inet.ip.fw.curr_max_length: 0
net.inet.ip.fw.curr_dyn_buckets: 256
net.inet.ip.fw.dyn_parent_count: 0
net.inet.ip.fw.dyn_count: 0
net.inet.ip.fw.enable: 1
net.inet.ip.fw.static_count: 12
net.inet.ip.fw.default_to_accept: 1
net.inet.ip.fw.tables_sets: 0
net.inet.ip.fw.tables_max: 128
net.inet.ip.fw.default_rule: 65535
net.inet.ip.fw.verbose_limit: 0
net.inet.ip.fw.verbose: 0
net.inet.ip.fw.autoinc_step: 100
net.inet.ip.fw.one_pass: 1

Jail:
# sysctl net.inet.ip.fw
net.inet.ip.fw.dyn_keep_states: 1
net.inet.ip.fw.dyn_keepalive: 1
net.inet.ip.fw.dyn_short_lifetime: 5
net.inet.ip.fw.dyn_udp_lifetime: 10
net.inet.ip.fw.dyn_rst_lifetime: 1
net.inet.ip.fw.dyn_fin_lifetime: 1
net.inet.ip.fw.dyn_syn_lifetime: 20
net.inet.ip.fw.dyn_ack_lifetime: 300
net.inet.ip.fw.dyn_parent_max: 4096
net.inet.ip.fw.dyn_max: 16384
net.inet.ip.fw.dyn_buckets: 8192
net.inet.ip.fw.curr_max_length: 1
net.inet.ip.fw.curr_dyn_buckets: 256
net.inet.ip.fw.dyn_parent_count: 0
net.inet.ip.fw.dyn_count: 3
net.inet.ip.fw.enable: 1
net.inet.ip.fw.static_count: 41
net.inet.ip.fw.default_to_accept: 1
net.inet.ip.fw.tables_sets: 0
net.inet.ip.fw.tables_max: 128
net.inet.ip.fw.default_rule: 65535
net.inet.ip.fw.verbose_limit: 0
net.inet.ip.fw.verbose: 0
net.inet.ip.fw.autoinc_step: 100
net.inet.ip.fw.one_pass: 1

# ipfw -d list 
(...)
01510 allow tcp from any to xx.xx.xx.xx 6514 out via epair0b setup keep-state :default
(...)
## Dynamic rules (1 152):
01510 STATE tcp yy.yy.yy.yy 54451 <-> xx.xx.xx.xx 6514 :default

# ipfw -q flush

# ipfw -d list
65535 allow ip from any to any
## Dynamic rules (2 288):
Segmentation fault (core dumped)



It does not always end up with a segmentation fault. Sometimes there are
'empty' rules (blank lines):

## Dynamic rules (7 968):
01510 STATE tcp xx.xx.xx.xx 48347 <-> xx.xx.xx.xx 6514 :default
01111 STATE udp xx.xx.xx.xx 19693 <-> xx.xx.xx.xx :default

01111 STATE udp xx.xx.xx.xx 45532 <-> xx.xx.xx.xx :default



---End-of-output

I'm using FreeBSD 11.2 with vnet Jails.

regards
Ole
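A reload script of the kind the subject line asks about, added here as an example; it is not code from this thread or from FreeBSD. It avoids `ipfw -q -f flush` altogether by using the rule sets documented in ipfw(8): the new rules are loaded into a disabled staging set, `ipfw set swap` exchanges that set with the live set 0 in one step, and the old set is then deleted. The rules-file format (one rule body per line), the staging set number 18, the rule-number step of 100 and the `IPFW_DRY_RUN` switch are assumptions of the example. Whether existing dynamic states survive the deletion of their parent rules still depends on dyn_keep_states and default_to_accept, and as Ole reports above that combination crashed `ipfw -d list` in a vnet jail on 11.2, so the script only checks the two sysctls and warns.

```shell
#!/bin/sh
# Reload an ipfw ruleset without `ipfw -q -f flush`: load the new rules into a
# disabled staging set, swap it with the live set 0 in one step, delete the old set.
# Added example for this thread; not code from the posts or from FreeBSD.
# Assumptions (hypothetical): the rules file holds one rule body per line, e.g.
#   allow tcp from any to 192.0.2.10 6514 out via epair0b setup keep-state
# Set IPFW_DRY_RUN=1 to print the ipfw commands instead of running them.

set -f   # no pathname expansion: rule bodies are word-split on purpose below

IPFW="${IPFW:-/sbin/ipfw}"
STAGING_SET="${STAGING_SET:-18}"   # any unused set 1..30; set 31 holds the default rule
RULE_STEP=100                      # same spacing as autoinc_step=100 in the sysctl output

run_ipfw() {
    if [ -n "$IPFW_DRY_RUN" ]; then
        printf 'ipfw %s\n' "$*"
    else
        "$IPFW" -q "$@"
    fi
}

# dyn_keep_states only preserves states across rule deletion together with
# default_to_accept=1 (Andrey's caveat above). Takes the two sysctl values as
# arguments so it can be tested without ipfw loaded.
keep_states_ok() {
    [ "$1" = "1" ] && [ "$2" = "1" ]
}

check_keep_states() {
    keep_states_ok "$(sysctl -n net.inet.ip.fw.dyn_keep_states)" \
                   "$(sysctl -n net.inet.ip.fw.default_to_accept)"
}

# Load the rules file $1 into the staging set and swap it live. Dynamic states of
# the old rules are not flushed by this script; whether they survive the deletion
# of their parent rule is up to dyn_keep_states.
reload_rules() {
    rules_file="$1"
    n="$RULE_STEP"
    run_ipfw set disable "$STAGING_SET"
    run_ipfw delete set "$STAGING_SET" 2>/dev/null || true   # leftovers of an aborted run
    # `|| [ -n "$rule" ]` still processes a last line that lacks a trailing newline
    while IFS= read -r rule || [ -n "$rule" ]; do
        case "$rule" in ''|'#'*) continue ;; esac
        # $rule is intentionally unquoted: it must split into the ipfw rule words
        run_ipfw add "$n" set "$STAGING_SET" $rule
        n=$((n + RULE_STEP))
    done < "$rules_file"
    run_ipfw set swap 0 "$STAGING_SET"   # new rules become set 0 (enabled), old ones set 18 (disabled)
    run_ipfw delete set "$STAGING_SET"   # drop the old rules
}

if [ $# -gt 0 ]; then
    check_keep_states || echo "warning: dyn_keep_states and default_to_accept are not both 1; states may be dropped" >&2
    reload_rules "$1"
fi
```

Run it as `sh ipfw-reload.sh /etc/ipfw.rules` (or with `IPFW_DRY_RUN=1` first to review the generated commands). Because set 18 stays disabled while it is being filled, packets are never matched against a half-loaded ruleset, and the swap replaces the live set without a window in which only the default rule 65535 is present.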