Tue, 23 Oct 2018 13:12:20 +0200 - Ole <o...@free.de>:

> Wed, 5 Sep 2018 18:33:58 +0300 - "Andrey V. Elsukov" <bu7c...@yandex.ru>:
>
> > On 05.09.2018 12:28, Ole wrote:
> > > I understand that these connections get broken because the
> > > dynamic rules get flushed with the `ipfw -q -f flush` command. But
> > > commenting this command out results in a continuously growing
> > > rules table.
> > >
> > > With the `ipfw -d list` command I can see the dynamic rules.
> > > Is there a way to flush the rules but not the dynamic ones?
> > > Or to add them again after the flush?
> >
> > There is the net.inet.ip.fw.dyn_keep_states sysctl variable. It allows
> > keeping dynamic state when the parent rule is deleted. But you need to
> > use a default_to_accept firewall to make it work.
> > I plan to reimplement this feature to be more useful and work with
> > any rules, and not only with "allow" rules.
>
> Ah, thank you very much. This is exactly what I was searching for. I
> deployed it to some machines and it is working well.

OK, it is not working. I tested it only on a host system, where it was
working. When I deployed the ipfw script to the jails I missed that
'ipfw -q -f flush' was commented out. So here is what happens inside the
jail:

Host:

# sysctl net.inet.ip.fw
net.inet.ip.fw.dyn_keep_states: 1
net.inet.ip.fw.dyn_keepalive: 1
net.inet.ip.fw.dyn_short_lifetime: 5
net.inet.ip.fw.dyn_udp_lifetime: 10
net.inet.ip.fw.dyn_rst_lifetime: 1
net.inet.ip.fw.dyn_fin_lifetime: 1
net.inet.ip.fw.dyn_syn_lifetime: 20
net.inet.ip.fw.dyn_ack_lifetime: 300
net.inet.ip.fw.dyn_parent_max: 4096
net.inet.ip.fw.dyn_max: 16384
net.inet.ip.fw.dyn_buckets: 8192
net.inet.ip.fw.curr_max_length: 0
net.inet.ip.fw.curr_dyn_buckets: 256
net.inet.ip.fw.dyn_parent_count: 0
net.inet.ip.fw.dyn_count: 0
net.inet.ip.fw.enable: 1
net.inet.ip.fw.static_count: 12
net.inet.ip.fw.default_to_accept: 1
net.inet.ip.fw.tables_sets: 0
net.inet.ip.fw.tables_max: 128
net.inet.ip.fw.default_rule: 65535
net.inet.ip.fw.verbose_limit: 0
net.inet.ip.fw.verbose: 0
net.inet.ip.fw.autoinc_step: 100
net.inet.ip.fw.one_pass: 1

Jail:

# sysctl net.inet.ip.fw
net.inet.ip.fw.dyn_keep_states: 1
net.inet.ip.fw.dyn_keepalive: 1
net.inet.ip.fw.dyn_short_lifetime: 5
net.inet.ip.fw.dyn_udp_lifetime: 10
net.inet.ip.fw.dyn_rst_lifetime: 1
net.inet.ip.fw.dyn_fin_lifetime: 1
net.inet.ip.fw.dyn_syn_lifetime: 20
net.inet.ip.fw.dyn_ack_lifetime: 300
net.inet.ip.fw.dyn_parent_max: 4096
net.inet.ip.fw.dyn_max: 16384
net.inet.ip.fw.dyn_buckets: 8192
net.inet.ip.fw.curr_max_length: 1
net.inet.ip.fw.curr_dyn_buckets: 256
net.inet.ip.fw.dyn_parent_count: 0
net.inet.ip.fw.dyn_count: 3
net.inet.ip.fw.enable: 1
net.inet.ip.fw.static_count: 41
net.inet.ip.fw.default_to_accept: 1
net.inet.ip.fw.tables_sets: 0
net.inet.ip.fw.tables_max: 128
net.inet.ip.fw.default_rule: 65535
net.inet.ip.fw.verbose_limit: 0
net.inet.ip.fw.verbose: 0
net.inet.ip.fw.autoinc_step: 100
net.inet.ip.fw.one_pass: 1

# ipfw -d list
(...)
01510 allow tcp from any to xx.xx.xx.xx 6514 out via epair0b setup keep-state :default
(...)
## Dynamic rules (1 152):
01510 STATE tcp yy.yy.yy.yy 54451 <-> xx.xx.xx.xx 6514 :default

# ipfw -q flush
# ipfw -d list
65535 allow ip from any to any
## Dynamic rules (2 288):
Segmentation fault (core dumped)

It does not always end up with a segmentation fault. Sometimes there are
'empty' rules (blank lines):

## Dynamic rules (7 968):
01510 STATE tcp xx.xx.xx.xx 48347 <-> xx.xx.xx.xx 6514 :default

01111 STATE udp xx.xx.xx.xx 19693 <-> xx.xx.xx.xx :default

01111 STATE udp xx.xx.xx.xx 45532 <-> xx.xx.xx.xx :default
---End-of-output

I'm using FreeBSD 11.2 with vnet jails.

regards
Ole
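As an added illustration that is not part of the thread: a small Python parser for the `ipfw -d list` output format shown above. It separates static rule numbers from the dynamic section, flags the 'empty' entries Ole describes, and lists states whose parent rule is gone after the flush (the ones dyn_keep_states is meant to preserve). The sample output is constructed from the mail with the same anonymised addresses; the two numbers in the `## Dynamic rules` header are kept as printed, not interpreted.

```python
import re

# Constructed sample, modelled on the jail output in the mail after `ipfw -q flush`
# (addresses anonymised as in the thread; the blank line is one of the 'empty' entries).
IPFW_LIST_AFTER_FLUSH = """65535 allow ip from any to any
## Dynamic rules (7 968):
01510 STATE tcp xx.xx.xx.xx 48347 <-> xx.xx.xx.xx 6514 :default

01111 STATE udp xx.xx.xx.xx 19693 <-> xx.xx.xx.xx :default
01111 STATE udp xx.xx.xx.xx 45532 <-> xx.xx.xx.xx :default
"""

HEADER_RE = re.compile(r"^## Dynamic rules \((\d+) (\d+)\):$")
STATIC_RE = re.compile(r"^(\d+) ")
# The destination port is optional: the udp entries in the mail print none.
STATE_RE = re.compile(
    r"^(\d+) STATE (\w+) (\S+) (\d+) <-> (\S+)(?: (\d+))? :(\S+)$")


def parse_ipfw_list(text):
    """Split `ipfw -d list` output into static rule numbers, dynamic states
    and anomalies (empty or unparsable lines inside the dynamic section)."""
    static, states, anomalies, header = set(), [], [], None
    in_dynamic = False
    for lineno, line in enumerate(text.splitlines(), 1):
        m = HEADER_RE.match(line)
        if m:  # header counters are recorded verbatim
            header, in_dynamic = (int(m.group(1)), int(m.group(2))), True
            continue
        if not in_dynamic:
            m = STATIC_RE.match(line)
            if m:
                static.add(int(m.group(1)))
            continue
        if not line.strip():
            anomalies.append((lineno, "empty dynamic entry"))
            continue
        m = STATE_RE.match(line)
        if not m:
            anomalies.append((lineno, "unparsable dynamic entry"))
            continue
        states.append({"parent": int(m.group(1)), "proto": m.group(2),
                       "src": (m.group(3), int(m.group(4))),
                       "dst": (m.group(5), m.group(6)), "set": m.group(7)})
    return {"static": static, "header": header,
            "states": states, "anomalies": anomalies}


def orphaned_states(parsed):
    """States whose parent rule is no longer in the static list: after a
    flush these are exactly what dyn_keep_states is meant to preserve."""
    return [s for s in parsed["states"] if s["parent"] not in parsed["static"]]
```

Run it over the real `ipfw -d list` output before and after a rule reload to confirm that the states survive and that no empty entries appear.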