Hello, I have been struggling with tuning IPFilter in the following environment.

FreeBSD 6.3. IPFilter is compiled into the kernel (i.e. not using a loadable module). The IPFILTER_DEFAULT_BLOCK option is set in the kernel. I am administering the machine remotely over an SSH session, so I am always wary of being locked out by the default block condition when ipf pass rules are cleared.

***Q1. Is it possible to boot FreeBSD with IPFilter using non-default tuning values (e.g. fr_tcpidletimeout) when IPFilter is compiled into the kernel?

Following the documented methods of setting sysctl parameters in /boot/loader.conf and/or /etc/sysctl.conf fails. e.g. in /boot/loader.conf

    net.inet.ipf.fr_tcpidletimeout=7200

and/or the same setting in /etc/sysctl.conf does not alter the default value during bootup (net.inet.ipf.fr_tcpidletimeout = 864000 after reboot).

I understand that after IPFilter is loaded, fr_tcpidletimeout can only be changed when IPFilter is disabled (ipf -D), but can these settings be set during the first load of IPF by the OS?

***Q2. Is disabling and re-enabling IPF using ipf -D/E supposed to clear the loaded rule set and NAT? My testing (below) indicates it seems to. If this is normal - can the man page *please* be updated to say this.

Following the ipf man page example:

    ipf -D -T fr_tcpidletimeout,fr_tcpidletimeout=3600 -E

results in a total lockout. All network traffic is blocked (the IPFILTER_DEFAULT_BLOCK option). It appears that disabling and re-enabling IPFilter using ipf -D/E *clears the loaded rules*, but this fact isn't documented in the man page or documentation that I could find. The state table and NAT rules are also flushed (which makes sense when we are changing the size of it!). With the default block option, clearing the PASS rules = death!

I found I needed to include my ipf.rules when re-enabling.

    ipf -D -T fr_tcpidletimeout,fr_tcpidletimeout=3600 -E -f /etc/ipf.rules

^^^ this works.

The SSH session is terminated (I assume the state table is cleared when disabling and re-enabling also), but IP traffic is not blocked and I can start a new SSH session. fr_tcpidletimeout is correctly set to the specified value.

    sysctl net.inet.ipf.fr_tcpidletimeout: 7200

After reconnecting I then had to manually reload the NAT rules.

    ipnat -f /etc/ipnat.rules

So currently I can only boot the server with the default tuning values and then run a script on bootup to re-tune IPF to my requirements (reloading the block rules and NAT rules).

***Q3. Is there a better way I should be using to tune IPF on bootup?

Thanks for any help,
Shane
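A boot-time script of the kind the post describes (run after the kernel's default load), added here as an example and not Shane's own script: it disables IPFilter, applies the tunable and re-enables with the pass rules in the same ipf invocation, then reloads NAT, and refuses to touch IPFilter at all if a rules file is unreadable. The paths, the 7200 second value and the RUN dry-run hook are assumptions.

```shell
#!/bin/sh
# Added example (not from the post): re-tune a kernel-compiled IPFilter after
# boot without leaving an IPFILTER_DEFAULT_BLOCK kernel with an empty rule set.
# Paths and values are assumptions; override them via the environment.
# RUN=echo prints the commands instead of executing them (dry run).
set -eu

RULES=${RULES:-/etc/ipf.rules}
NAT_RULES=${NAT_RULES:-/etc/ipnat.rules}
TCP_IDLE=${TCP_IDLE:-7200}     # seconds; the value wanted at boot
RUN=${RUN:-}

# Disable, set the tunable, re-enable and load the pass rules in ONE ipf
# invocation: ipf -D/-E flushes rules, state and NAT, so loading the rules
# in the same command avoids a gap between enable and rule load. NAT was
# flushed too, so reload it right after (-CF clears old rules and mappings).
retune_ipf() {
    if [ ! -r "$RULES" ] || [ ! -r "$NAT_RULES" ]; then
        echo "retune_ipf: rules file unreadable, not touching IPFilter" >&2
        return 1
    fi
    $RUN ipf -D -T "fr_tcpidletimeout=$TCP_IDLE" -E -f "$RULES"
    $RUN ipnat -CF -f "$NAT_RULES"
}

# Compare the value the kernel reports (pass in the output of
# sysctl -n net.inet.ipf.fr_tcpidletimeout) with what we asked for.
tunable_applied() {
    [ "$1" -eq "$TCP_IDLE" ]
}

# Only act when explicitly asked, so sourcing this file is harmless.
if [ "${1:-}" = "--apply" ]; then
    retune_ipf
    tunable_applied "$(sysctl -n net.inet.ipf.fr_tcpidletimeout)" \
        || { echo "fr_tcpidletimeout still not $TCP_IDLE" >&2; exit 1; }
fi
```

Run it as `sh retune-ipf.sh --apply` from an rc script after the default load; with `RUN=echo` it only prints what it would do.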
