Hi all,
Is there any way to modify the existing rules? Here is a sample of
my rules, exported by ipfstat -hi:
block in log quick on rl0 from any to any with short
block in log quick on rl0 from any to any with ipopt
block in log quick on rl0 from any to any head 200
block in log quick on rl0 from 0.0.0.0/8 to any group 200
block in log quick on rl0 from 1.0.0.0/8 to any group 200
block in log quick on rl0 from 2.0.0.0/8 to any group 200
block in log quick on rl0 from 192.0.2.0/24 to any group 200
block in log quick on rl0 from 224.0.0.0/3 to any group 200
block in log quick on rl0 from 10.0.0.0/8 to any group 200
block in log quick on rl0 from 172.16.0.0/12 to any group 200
block in log quick on rl0 from 192.168.0.0/16 to any group 200
pass in quick on rl0 proto tcp from any to 10.0.0.1/32 port = 80 flags S/FSRPAU keep state keep frags group 200
pass in quick on rl0 proto tcp from any to 10.0.0.2/32 port = 25 flags S/FSRPAU keep state keep frags group 200
pass in quick on rl0 proto tcp from any to 10.0.0.3/32 port = 23 flags S/FSRPAU keep state keep frags group 200
pass in quick on rl0 proto udp from 0.0.0.0/0 to 123.123.123.123/32 port = 500 keep state group 200
pass in quick on rl0 proto esp from 0.0.0.0/0 to 123.123.123.123/32 keep state group 200
pass in quick on rl0 proto ah from 0.0.0.0/0 to 123.123.123.123/32 keep state group 200
pass in quick on rl0 proto ipencap from 0.0.0.0/0 to 123.123.123.123/32 keep state group 200
For example, I would like to add
block in quick on rl0 proto tcp from 234.234.234.234/32 to 10.0.0.1/32 port = 80 flags S/FSRPAU keep state keep frags group 200
before the rule
pass in quick on rl0 proto tcp from any to 10.0.0.1/32 port = 80 flags S/FSRPAU keep state keep frags group 200
If I use
echo "block in quick on rl0 proto tcp from 234.234.234.234/32 to 10.0.0.1/32 port = 80 flags S/FSRPAU keep state keep frags group 200" | /sbin/ipf -f -
the host will not be blocked, as the rule is appended to the bottom
of the rules. Is there any way to insert a rule at a certain line? If
not, do I have to flush the rules and load them again? If I flush the
rules and flush the state table, the existing connections will be lost; if
I flush the rules without flushing the state table, I suppose the existing
connections won't be lost?
Thank you very much.
Regards,
Fai
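The usual way to change rule order without dropping established connections is to rebuild the rule file with the new rule in the right place, load the whole set into IPFilter's inactive list and then swap lists, rather than flushing the active set. Only `ipf -Fs` / `ipf -FS` flush the state table; flushing rules (`-Fa`) and swapping (`-s`) leave state entries alone. The script below is an added example written for this reply, not code from the original post or from the IPFilter project. It assumes an ipf(8) that supports `-I`, `-s`, `-n`, `-F` and `-f`; the rule file path in `RULES`, the helper names and the sample rule set (copied from the rules quoted above) are illustrative.

```shell
#!/bin/sh
# Added example, not from the original post. Inserts a rule before a given
# existing rule and activates the new set via the inactive list, so the
# state table is never flushed and established connections survive.
# Assumptions: ipf(8) with -I, -s, -n, -F and -f; RULES path is illustrative.

IPF=${IPF:-/sbin/ipf}
RULES=${RULES:-/etc/ipf.rules}

# Position (1-based, counting rule lines only) of the first rule containing
# the fixed string $2 in file $1; prints 0 when nothing matches.
rule_index() {
  awk -v pat="$2" '
    /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }  # comments and blank lines
    { n++ }
    index($0, pat) { print n; found = 1; exit }
    END { if (!found) print 0 }
  ' "$1"
}

# Print file $1 with rule $3 inserted immediately before the first rule that
# contains $2. Every rule in the post is "quick", so a block placed before the
# matching pass rule wins; appended to group 200 it would never be reached.
insert_before() {
  awk -v pat="$2" -v rule="$3" '
    !done && index($0, pat) { print rule; done = 1 }
    { print }
  ' "$1"
}

# Parse-check file $1 (ipf -n makes no kernel changes), load it into the
# inactive list and swap. Neither -Fa on the inactive list nor -s touches
# the state table; only -Fs / -FS do.
reload_rules() {
  "$IPF" -n -f "$1" || return 1
  "$IPF" -I -Fa || return 1
  "$IPF" -I -f "$1" || return 1
  "$IPF" -s
}

# Constructed sample rule set, taken from the rules shown in the post.
sample_rules() {
  cat <<'EOF'
block in log quick on rl0 from any to any head 200
block in log quick on rl0 from 10.0.0.0/8 to any group 200
pass in quick on rl0 proto tcp from any to 10.0.0.1/32 port = 80 flags S/FSRPAU keep state keep frags group 200
pass in quick on rl0 proto tcp from any to 10.0.0.2/32 port = 25 flags S/FSRPAU keep state keep frags group 200
EOF
}

# Dry run on the sample: where the target sits, and the resulting set.
demo() {
  tmp=$(mktemp) || return 1
  sample_rules > "$tmp"
  target='to 10.0.0.1/32 port = 80'
  new='block in quick on rl0 proto tcp from 234.234.234.234/32 to 10.0.0.1/32 port = 80 group 200'
  echo "target rule is at position $(rule_index "$tmp" "$target")"
  insert_before "$tmp" "$target" "$new"
  rm -f "$tmp"
}

# Live use: ./ipf_insert.sh 'to 10.0.0.1/32 port = 80' 'block in quick ... group 200'
main() {
  tmp=$(mktemp) || return 1
  insert_before "$RULES" "$1" "$2" > "$tmp"
  reload_rules "$tmp"
  rc=$?
  rm -f "$tmp"
  return $rc
}

case $# in
  2) main "$@" ;;
  1) [ "$1" = "--demo" ] && demo ;;
esac
```

Run it with `--demo` to see the rebuilt set without touching the kernel; with two arguments it edits a copy of `RULES`, parse-checks it and swaps it in. Keeping the master copy in the file and always reloading the whole set also means the live list never drifts from what is on disk. A single rule can be deleted in place with `ipf -r -f -` (same rule text on stdin), and ipf.conf(5) allows a rule to be prefixed with `@N` to insert it at position N instead of appending; with grouped rules it is worth confirming the resulting order with `ipfstat -io` before relying on it.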