Wed, 5 Sep 2018 08:38:23 -0700 - Freddie Cash <[email protected]>:

> On Wed, Sep 5, 2018 at 2:29 AM Ole <[email protected]> wrote:
>
> > Hi,
> >
> > I'm using ipfw firewall on several machines. Rules are made by
> > users by hand or by configuration management tools.
> >
> > For this the ipfw.rules script sources other files:
> >
> > #!/bin/sh
> >
> > ipfw -q -f flush
> > cmd="ipfw -q add"
> > pif="epair0b" # interface name of NIC attached to Internet
> > $cmd 00010 allow all from any to any via lo0
> > for RULES in /etc/ipfw.rules.d/*.rules ; do
> >     . "$RULES"
> > done
> > $cmd 09999 deny log all from any to any
> >
> > If a user or a script alters a file, `service ipfw restart` is
> > called. This is working fine except one thing. Active connections
> > like sql, syslog, ssh, etc. get broken. They are defined like
> >
> > $cmd 01610 allow tcp from vpn.example.org to me 22 in via $pif setup
> > limit src-addr 50
> >
> > I understand that these connections get broken because the dynamic
> > rules get flushed with the `ipfw -q -f flush` command. But
> > commenting this command out results in a continuously growing rules
> > table.
> >
> > With the `ipfw -d list` command I can see the dynamic rules.
> > Is there a way to flush the rules but not the dynamic ones?
> > Or to add them again after flush?
> >
> > How do you reload your rules?
>
> Rule sets are made for this. :)
>
> Edit your script to create a new rule set 1 as the first step. Then
> insert all the rules into rule set 1.
>
> As the last line of your script, you swap set 1 and set 0, which
> makes your new rules live. It's an atomic switch, so no packets are
> lost or connections dropped. (Note: I've never used stateful
> filtering with IPFW so not sure how the rule set switch interacts
> with that, but it shouldn't drop the dynamic connections.)

I'm sorry. I just tested this approach and it drops the dynamic rules.

> ipfw -f set 1 flush
> ipfw set disable 1
>
> ... all your normal rules, prepended by "set 1"
>
> ipfw set enable 1
> ipfw set swap 1 0
> ipfw set disable 1
> ipfw -f set 1 flush
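The set-swap reload sketched above, written out as a complete script. This is an added example and not code from either poster; it assumes the thread's layout (rule files in `/etc/ipfw.rules.d/*.rules` that call `$cmd <number> <rule>` and reference `$pif`), live set 0 and staging set 1. Two details differ from the sketch: ipfw's rule grammar takes the rule number before `set N`, so `$cmd` becomes a small function that inserts the set tag after the number instead of a plain prefix, and the staging set is never enabled before the swap, so there is no window in which old and new rules are both live. Setting `IPFW=echo` prints the ipfw commands instead of executing them, which is the cheapest way to review what a reload will do before running it on a production host.

```shell
#!/bin/sh
# Added example (not code from the thread): reload ipfw rules by building them
# in a disabled set and swapping that set into place, so the live set never
# passes through an empty, flushed state. Assumes the thread's layout: rule
# files in /etc/ipfw.rules.d/*.rules that call "$cmd <number> <rule>" and use
# "$pif". IPFW=echo turns the whole run into a dry run.

IPFW="${IPFW:-ipfw}"                        # ipfw binary, or "echo" for a dry run
RULES_DIR="${RULES_DIR:-/etc/ipfw.rules.d}"
PIF="${PIF:-epair0b}"                       # interface facing the Internet
LIVE=0                                      # set that is always active
STAGE=1                                     # set that is built while disabled

run() { $IPFW "$@"; }

# Stands in for the thread's cmd="ipfw -q add". ipfw wants the rule number
# before "set N", so a prefix cannot add the set tag; this function can.
add_rule() {
    num=$1
    shift
    run -q add "$num" set "$STAGE" "$@"
}

stage_rules() {
    run set disable "$STAGE"                # staged rules must not match yet
    run -q -f set "$STAGE" flush            # drop leftovers from an aborted run
    cmd=add_rule                            # the names the rule files expect
    pif=$PIF
    $cmd 00010 allow all from any to any via lo0
    for f in "$RULES_DIR"/*.rules; do
        [ -r "$f" ] || continue             # no files: the glob stays literal
        . "$f"                              # runs the file as shell, as the thread does
    done
    $cmd 09999 deny log all from any to any
}

go_live() {
    run set swap "$STAGE" "$LIVE"           # single kernel call: new rules active
    run -q -f set "$STAGE" flush            # old rules now sit in STAGE, disabled
}

reload_firewall() {
    stage_rules && go_live
}

# Only act when explicitly asked, e.g.:  sh ipfw-reload.sh reload
case "${1:-}" in
    reload) reload_firewall ;;
esac
```

Two points a practitioner should keep in mind. First, the rule files are sourced, so whatever shell they contain runs as root at every reload; the write permissions on `/etc/ipfw.rules.d` are part of the firewall's trust boundary. Second, as the poster's test shows, the swap does not by itself keep stateful sessions: the `keep-state`/`limit` entries belong to their parent rules and go away when the old set is flushed. On FreeBSD 11 and later, ipfw(8) documents the sysctl `net.inet.ip.fw.dyn_keep_states`, which relinks existing states to the default rule instead of dropping them on rule or set deletion; that is outside what the thread tested and is not exercised by this script.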