IPFW Keep connections during ipfw flush

Maybe this isn't how it works at all, but I figured I'd try. I lose my SSH connection when (I assume) the ipfw flush happens during the ipfw(8) script, and since other people use this box as well, it'd be cool to find a way not to affect existing connections. I want to keep IRC connections as well, but I'm simplifying this for now.

The best idea I've had so far is to put the rules for this in set 31, so that they won't be flushed, and then remove those rules at the end of the script after the other allow rules are loaded; but the connections still die, so I guess the connection would have to have been started through that set 31 rule in the first place?

http://hastebin.com/raw/wazececusi

Any idea?

Thanks
 
I've done this. It works quite well.

The basic logic is:
  1. Disable set 1 (to make sure no rules are loaded from it).
  2. Add your rules to set 1.
  3. Enable set 1. This means you now have two sets of rules that are live.
  4. Swap sets 0 and 1 (thus making your new rules the default set).
  5. Clear/disable set 1 (thus deleting the old rules). You now only have 1 set of rules.
Doing it this way, you always have rules loaded, you don't lose connections or packets, and everything "just works".

Granted, the firewalls I do this on don't use stateful rules, so I have no idea whether that makes a difference.

I have the following at the top of my rules script:
Code:
# We clear the rules from the temporary set
echo -n "Clearing and disabling set 1 ...... "
$IPFW -f $SETNUM flush
$IPFW set disable 1
echo "done."
And the following at the bottom of the rules script:
Code:
# Atomically swap the rulesets
echo -n "Swapping rule sets ................ "
$IPFW set enable  1
$IPFW set swap    1 0
$IPFW set disable 1
$IPFW -f $SETNUM flush
echo "done."


echo "    All rules are now loaded.    "

And, every rule in the script starts like so:
Code:
$IPFW add 65520 $SETNUM ...rest of rule...

$SETNUM is defined in my config file as "set 1". You don't need to use that format; you can just type "set 1" into the rule directly. I just made it a variable in case I ever want to change the set number.

$IPFW is defined in my config file as "/sbin/ipfw -q". I made it a variable so that I can add/remove the -q in one spot, to make debugging the rule-loading easier.

NOTE: you *must* specify a rule number for every rule! You cannot use the auto-numbering feature, as the auto-numbering is global, not per-set. And you will quickly hit the situation where every rule is number 65534, and nothing works! :)
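The five-step swap above, put together as one script; this is an added example, not the poster's own rules script. Variable names ($IPFW, $SETNUM, $PIF) follow the thread's convention, while the rule numbers, the lo0/em0 interface names and the rule bodies (including the keep-state rules, which the poster says they have not tried with this method) are constructed placeholders.

```shell
#!/bin/sh
# Added example, not the poster's script: reload an ipfw ruleset without a
# window in which no rules are loaded, by staging the new rules in set 1
# and swapping it with set 0. Variable names follow the thread; the rule
# numbers, lo0/em0 interfaces and rule bodies are constructed placeholders.
IPFW="${IPFW:-/sbin/ipfw -q}"
SETNUM="set 1"          # staging set; the live set is 0
PIF="${PIF:-em0}"       # public interface (assumed)

# Step 1: empty and disable the staging set so nothing stale is active.
stage_clear() {
    $IPFW -f $SETNUM flush
    $IPFW set disable 1
}

# Step 2: load the new rules into the (disabled) staging set. Every rule
# gets an explicit number: ipfw auto-numbering is global, not per-set.
stage_rules() {
    $IPFW add 00100 $SETNUM allow ip from any to any via lo0
    $IPFW add 00300 $SETNUM check-state
    $IPFW add 00332 $SETNUM allow tcp from any to any established in via $PIF
    $IPFW add 00400 $SETNUM allow tcp from any to me 22 in via $PIF setup keep-state
    $IPFW add 00500 $SETNUM allow ip from me to any out via $PIF keep-state
    $IPFW add 65530 $SETNUM deny log ip from any to any
}

# Steps 3-5: enable set 1 (old and new rules are both live for a moment),
# swap it into set 0, then disable and flush the old rules now in set 1.
stage_activate() {
    $IPFW set enable 1
    $IPFW set swap 1 0
    $IPFW set disable 1
    $IPFW -f $SETNUM flush
}

reload_ruleset() {
    stage_clear
    stage_rules
    stage_activate
}

# Only touch the live firewall when invoked as: sh ipfw_reload.sh --apply
if [ "${1:-}" = "--apply" ]; then
    reload_ruleset
fi
```

Setting IPFW to a shell function that prints its arguments gives a dry run of the exact command sequence, which is a cheap way to check rule numbering and set handling before touching a remote box.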
 
Why would you have the "established" connection rule set as "deny"?

Change it to:
Code:
$cmd 00332 allow tcp from any to any established in via $pif
 