Wed, 5 Sep 2018 18:33:58 +0300 - "Andrey V. Elsukov" <[email protected]>:
> On 05.09.2018 12:28, Ole wrote:
> > I understand that these connections get broken because the dynamic
> > rules get flushed with the `ipfw -q -f flush` command. But
> > commenting this command out results in a continuously growing rules
> > table.
> >
> > With the `ipfw -d list` command I can see the dynamic rules.
> > Is there a way to flush the rules but not the dynamic ones?
> > Or to add them again after the flush?
>
> There is a net.inet.ip.fw.dyn_keep_states sysctl variable. It allows
> keeping dynamic state when the parent rule is deleted. But you need to
> use a default_to_accept firewall to make it work.
> I plan to reimplement this feature to be more useful and work with any
> rules, and not only with "allow" rules.

Ah, thank you very much. This is exactly what I was searching for. I deployed it to some machines and it is working well.

One question: I have lots of hostname-dependent rules in lots of jails. Do you think it is OK to reload the ruleset every 5 min by cron to re-resolve the hostnames?

regards
Ole
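As an added example that is not part of the thread and not code from ipfw or FreeBSD, below is one way to do the periodic re-resolve Ole asks about without ever running `ipfw -q -f flush`: the hostname-dependent rules are generated into a disabled scratch set, swapped in atomically with `ipfw set swap`, and only then are the old parent rules deleted. Deleting those parent rules is exactly the case net.inet.ip.fw.dyn_keep_states covers, so the script refuses to run unless that sysctl is 1; per Andrey's note it also assumes a default_to_accept firewall and allow rules, which is what the generated rules are. The rules-file format ("hostname port" per line), the set numbers (1 live, 2 scratch) and the rule-number range are assumptions made for the example.

```sh
#!/bin/sh
# Added example, not code from the thread or from ipfw/FreeBSD.
# Rebuilds hostname-based ipfw rules and swaps them in atomically, so a
# cron reload never flushes the whole ruleset and never leaves a window
# with no rules loaded. Deleting the old parent rules still relies on
# net.inet.ip.fw.dyn_keep_states=1 to keep established states alive.
# Assumptions (hypothetical, not from the thread): the rules file holds one
# "hostname port" per line, set 1 holds the live hostname rules, set 2 is
# scratch, and host-independent rules live in other sets.
# Usage: reload_hostrules.sh apply /etc/ipfw-hosts.txt
#        reload_hostrules.sh gen   /etc/ipfw-hosts.txt   (print rules only)
# Set IPFW=echo to print the ipfw commands instead of running them.

IPFW="${IPFW:-ipfw}"
SYSCTL="${SYSCTL:-sysctl}"

# Resolve a hostname to its IPv4 addresses, one per line, with drill(1)
# from the FreeBSD base system. RESOLVE may name another command or a
# shell function with the same contract (the self-test uses that).
resolve_a() {
    if [ -n "${RESOLVE:-}" ]; then
        "$RESOLVE" "$1"
    else
        # drill answer lines look like: name. ttl IN A 192.0.2.1
        # the ";; name. IN A" question line is skipped by the ^; filter
        drill "$1" A | awk '$1 !~ /^;/ && $3 == "IN" && $4 == "A" { print $5 }'
    fi
}

# Emit "add ..." lines for the rules file on stdin: $1 is the set number,
# $2 the first rule number. Names that do not resolve are reported on
# stderr and skipped instead of silently producing no rule.
gen_rules() {
    set_no="$1"
    num="$2"
    while read -r name port; do
        case "$name" in ''|'#'*) continue ;; esac
        addrs=$(resolve_a "$name")
        if [ -z "$addrs" ]; then
            echo "warning: $name did not resolve, skipping" >&2
            continue
        fi
        for a in $addrs; do
            echo "add $num set $set_no allow tcp from any to $a $port keep-state"
            num=$((num + 1))
        done
    done
}

# True when deleting a parent rule keeps its dynamic states.
keep_states_enabled() {
    [ "$("$SYSCTL" -n net.inet.ip.fw.dyn_keep_states 2>/dev/null)" = "1" ]
}

reload_hostrules() {
    rulesfile="$1"
    if ! keep_states_enabled; then
        echo "net.inet.ip.fw.dyn_keep_states is not 1; refusing, reload would cut connections" >&2
        return 1
    fi
    tmp=$(mktemp -t ipfwhost) || return 1
    gen_rules 2 1000 < "$rulesfile" > "$tmp"
    if [ ! -s "$tmp" ]; then
        echo "no rules generated (resolver down?), keeping the current set" >&2
        rm -f "$tmp"
        return 1
    fi
    "$IPFW" -q set disable 2                       # scratch set invisible while loading
    "$IPFW" -q delete set 2 2>/dev/null || true    # leftovers from an earlier failed run
    "$IPFW" -q "$tmp"                              # load new rules into the disabled set
    "$IPFW" -q set swap 1 2                        # atomic: new rules become set 1 (live)
    "$IPFW" -q delete set 2                        # old parents; states survive via dyn_keep_states
    rm -f "$tmp"
}

case "${1:-}" in
    apply) reload_hostrules "${2:?rules file}" ;;
    gen)   gen_rules 2 1000 < "${2:?rules file}" ;;
esac
```

A hypothetical cron entry would then be `*/5 * * * * root /usr/local/sbin/reload_hostrules.sh apply /etc/ipfw-hosts.txt`. Because the resolver failure mode is handled (an empty result keeps the current live set rather than replacing it with nothing), a DNS outage during one of those 5-minute runs leaves the jail's rules as they were instead of opening or closing it unexpectedly.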
