ipfw managing rules - best practice?
Ole
ole at free.de
Wed Sep 5 09:29:00 UTC 2018
Hi,
I'm using ipfw firewall on several machines. Rules are made by users by
hand or by configuration management tools.
For this the ipfw.rules script sources other files:
#!/bin/sh
ipfw -q -f flush
cmd="ipfw -q add"
pif="epair0b" # interface name of NIC attached to Internet
$cmd 00010 allow all from any to any via lo0
# source every rule fragment in order; a plain glob avoids parsing ls output
for RULES in /etc/ipfw.rules.d/*.rules ; do
    [ -r "$RULES" ] && . "$RULES"
done
$cmd 09999 deny log all from any to any
If a user or a script alters a file, `service ipfw restart` is called.
This is working fine except for one thing. Active connections like sql,
syslog, ssh, etc. get broken. They are defined like
$cmd 01610 allow tcp from vpn.example.org to me 22 in via $pif setup limit src-addr 50
I understand that these connections get broken because the dynamic
rules get flushed with the `ipfw -q -f flush` command. But commenting
this command out results in a continuously growing rules table.
With the `ipfw -d list` command I can see the dynamic rules.
Is there a way to flush the rules but not the dynamic ones?
Or to add them again after flush?
How do you reload your rules?
Thanks for your help
Ole
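One reload approach that removes the flush window, added here as an example that is not part of the original post or of FreeBSD's own rc scripts: the new ruleset is built in a disabled ipfw set and then swapped into the live set, so no packet is ever evaluated against the kernel default rule alone. The set numbers, the stage_add helper and the IPFW/RULES_DIR variables are assumptions; whether existing keep-state/limit sessions survive the swap depends on the FreeBSD release and should be checked with `ipfw -d list` after a reload.

```shell
#!/bin/sh
# Added example, not the poster's script: reload ipfw rules by building the
# new ruleset in a disabled staging set and swapping it into the live set.
# Unlike flush-then-add, no packet is ever evaluated against the kernel
# default rule alone while the reload runs.
# Assumptions: fragments in $RULES_DIR/*.rules call "$cmd NUMBER rule..."
# (as in the post) and may use $pif; set 0 is live and set 1 is unused.
# Dry run without touching the kernel:  IPFW=echo sh reload.sh reload

IPFW="${IPFW:-ipfw}"
RULES_DIR="${RULES_DIR:-/etc/ipfw.rules.d}"
LIVE_SET=0    # set the kernel evaluates today
STAGE_SET=1   # assumed not used by any fragment
pif="epair0b" # interface name of NIC attached to Internet

# $cmd in the fragments expands to this function; it inserts "set $STAGE_SET"
# after the rule number so no rule is added to the live set directly.
stage_add() {
    num="$1"; shift
    $IPFW -q add "$num" set "$STAGE_SET" "$@"
}

load_fragments() {
    cmd=stage_add
    $cmd 00010 allow all from any to any via lo0
    for f in "$RULES_DIR"/*.rules; do
        [ -r "$f" ] && . "$f"
    done
    $cmd 09999 deny log all from any to any
}

reload_firewall() {
    # keep the staging set disabled while it is filled; tolerate a
    # staging set that is already empty
    $IPFW -q set disable "$STAGE_SET"
    $IPFW -q delete set "$STAGE_SET" 2>/dev/null || :
    load_fragments
    # cut-over: new rules become set $LIVE_SET (enabled), the old rules
    # land in the still-disabled $STAGE_SET and are removed afterwards
    $IPFW -q set swap "$LIVE_SET" "$STAGE_SET"
    $IPFW -q delete set "$STAGE_SET"
}

case "${1:-}" in
    reload) reload_firewall ;;
esac
```

Fragments keep their existing `$cmd NUMBER ...` form unchanged; only the definition of `$cmd` differs from the flush-based script.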