Thank you all for the information. Your answers are very helpful.

I have a note for Jim - reload is not restart. You can't reload if you
upgrade, yes? Also you will run into problems with states after reload if you
add rules I specified in my previous letter to your existing configuration
file, that had no "keep state" instructions before.

Probably the conclusion is that rules with states are better to implement only
before a reboot. Otherwise there must be rules that ensure normal
communication for already established connections. If I include new
rules with keep state in an existing empty configuration file, active
connections will fail also after a simple reload.

Thanks again for responses.


With best regards
Martynas

----- Original Message -----
From: "Jim Sandoz" <[EMAIL PROTECTED]>
To: "rmkml" <[EMAIL PROTECTED]>; <[EMAIL PROTECTED]>
Cc: <[EMAIL PROTECTED]>
Sent: Monday, March 31, 2003 7:10 PM
Subject: Re: ipf restart and states question


>
> # after making changes to ipf.conf:
> # /etc/init.d/ipfboot reload
> #
> # or via brute force:
> # /etc/init.d/ipfboot stop; sleep 1; /etc/init.d/ipfboot start
>
> if you reload instead of stop/start, states are not killed.
>
> see the ipf.tar.gz source file for the complete ipfboot script.
> but the important piece is:
>
> [...]
> reload)
>                  if [ -r ${IPFILCONF} ]; then
>                          ipf -I -Fa -f ${IPFILCONF}
> [...]
>
> i also suggest reading the output of "man -s 8 ipf".
>
> jim
>
>
>
>
> rmkml wrote:
> > Hi Martynas,
> >
> > If you stop and start (or restart),
> >
> > ipfilter loses state information ...
> >
> > If you keep state :
> >
> > A) Save state in file ????? (and reload of course)
> >
> > B) wait for ipfilter v4
> >
> > C) Add temporarily to your rules: flags A
> > (accept all packet with tcp flags Ack)
> >
> > A) : http://false.net/ipfilter/2001_06/0292.html
> >
> > Regards
> >
> >
> > Martynas Buozis wrote:
> >
> >
> >>Hello
> >>
> >>I have rules like :
> >>
> >>block out log quick all head 100
> >>pass out quick proto tcp all flags S keep state keep frags group 100
> >>pass out quick proto udp all keep state keep frags group 100
> >>pass out quick proto icmp all keep state keep frags group 100
> >>
> >>If I restart ipf - states are lost and all existing outgoing network
> >>connections are lost. Is there a way to restart (stop and start after
> >>some time) ipf with the rules above not losing already existing connections?
> >>
> >>Thank you for your help.
> >>
> >>WBR
> >>Martynas
> >
> >
>
>

