Re: IPFW disconnections and resets

From: Siddhartha Jain (sid_at_netmagicsolutions.com)
Date: 04/29/05

    Date: Fri, 29 Apr 2005 16:00:40 +0530
    To: freebsd-security@freebsd.org
    
    

    Neo-Vortex wrote:
    >>- When I run "/sbin/ipfw -q -f flush" in the rules script all connection
    >>get reset (and I am thrown out of the box).
    >
    >
    > Yep, standard functionality, easy fix though:
    >
    > -- Start file /root/bin/fws --
    > #!/bin/sh
    > fw > /root/fws-out 2>&1 &
    > -- End File --
    >
    > -- Start file /root/bin/fw --
    > #!/bin/sh
    >
    > ipfw="ipfw"
    >
    >
    > # Flush Old Rules
    > $ipfw -f flush
    >
    > # Temporary rules to stop connections being killed when reloading rules
    > $ipfw add 1 allow tcp from any to any established
    > $ipfw add 2 allow udp from any to any
    >
    > <snip> - your rules go here (don't use rule 1 or 2 though)
    >
    > # Clean up temporary rules used to stop connections being killed
    > $ipfw delete 1
    > $ipfw delete 2
    > -- End File --
    >
    > I use that all the time; maybe 1 out of 100 times it will kill an ssh
    > session (only one that has irssi open, because of the time updating it kills
    > it; I have it set to update every second though, so normally it'd be like
    > 1 out of 500 or so) and even if it does, it still finishes loading the
    > ruleset anyway so you can just ssh straight back in
    >
    > If you haven't guessed, you run /root/bin/fws - you can change it to
    > whatever you want of course; also, the output is redirected to
    > /root/fws-out - if you don't redirect it, it'll kill your ssh session -
    > although it won't stop it loading the other rules

    Thanks :)

    My changed rule file looks like this:

    ----start file ipfw.rules-----------
    #!/bin/sh
    /sbin/ipfw -q -f flush

    cmd="/sbin/ipfw add " # build rule prefix
    ks="keep-state" # just too lazy to key this each time

    /sbin/ipfw add 1 allow tcp from any to any established
    #####################################

    $cmd 00500 check-state
    $cmd 00502 deny all from any to any frag
    #$cmd 00501 deny tcp from any to any established

    $cmd 00602 allow tcp from 20x.xx.xx.xx/32 to any 22 in via ed0 $ks
    $cmd 00603 allow tcp from 20x.xx.xx.xx/32 to any 22 in via ed0 $ks
    $cmd 00604 allow all from 20x.xx.xx.xx/32 to any out via ed0 $ks

    $cmd 00609 allow tcp from 22x.xx.0.0/16 to any 22 in via ed0 $ks
    $cmd 00610 allow icmp from 22x.xx.0.0/16 to any in via ed0 $ks

    $cmd 00611 allow tcp from 220.xx.0.0/16 to any 22 in via ed0 $ks
    $cmd 00612 allow icmp from 220.xx.0.0/16 to any in via ed0 $ks

    $cmd 02500 divert 8000 log tcp from any to any 80
    $cmd 02501 allow tcp from any to any 80 in via ed0 $ks

    #####################################
    /sbin/ipfw delete 1
    ----end file ipfw.rules-----------

    Even if I run this script as it is (without running from within another
    script and redirecting), I don't get disconnected.

    Thanks again,

    - Siddhartha

    _______________________________________________
    freebsd-security@freebsd.org mailing list
    http://lists.freebsd.org/mailman/listinfo/freebsd-security
    To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org"
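The reload script below is an added example written for this page, not code posted by either participant. It packages the temporary-rule trick from the thread (flush, `allow tcp established` as rule 1, load the real rules, delete rule 1) as one function, and beside it a second function that goes beyond what the thread shows: the new rules are staged in a disabled ipfw rule set and made live with `ipfw set swap`, so the kernel is never left with an empty ruleset and the temporary rule (which passes every ACK-flagged segment while it exists) is not needed at all. The ruleset is a trimmed version of the one in the message; `ADMIN_NET` is a constructed placeholder (192.0.2.0/24, RFC 5737 TEST-NET-1) standing in for the masked addresses, `ed0` is the interface from the thread, and `IPFW=echo` runs it dry so the generated commands can be inspected without touching a firewall.

```shell
#!/bin/sh
# Reload an ipfw ruleset from a remote (ssh) session without the flush
# window in which every connection is reset.
#
#   reload_temp  - the thread's approach: flush, add a temporary
#                  "allow tcp established" rule, load the real rules,
#                  delete the temporary rule.
#   reload_sets  - stage the new rules in a disabled rule set and swap it
#                  into place with "ipfw set swap", so there is never a
#                  moment with an empty ruleset.
#
# IPFW can be overridden for a dry run (IPFW=echo prints the commands).
# ADMIN_NET is a constructed placeholder (RFC 5737 TEST-NET-1), not the
# poster's real address; IFACE defaults to the ed0 used in the thread.

IPFW="${IPFW:-/sbin/ipfw}"
IFACE="${IFACE:-ed0}"
ADMIN_NET="${ADMIN_NET:-192.0.2.0/24}"

# The real ruleset. $1 is an optional "set N " clause placed after the
# rule number, so the same rules can be loaded into any set.
load_rules() {
    setp="$1"
    $IPFW -q add 500 ${setp}check-state
    $IPFW -q add 502 ${setp}deny all from any to any frag
    $IPFW -q add 602 ${setp}allow tcp from "$ADMIN_NET" to any 22 in via "$IFACE" keep-state
    $IPFW -q add 610 ${setp}allow icmp from "$ADMIN_NET" to any in via "$IFACE" keep-state
    $IPFW -q add 2501 ${setp}allow tcp from any to any 80 in via "$IFACE" keep-state
}

reload_temp() {
    $IPFW -q -f flush
    # Rule 1 keeps established TCP sessions (the ssh session running this
    # script included) flowing while the real rules are inserted.
    # Caveat: "established" matches any segment with ACK set, so for the
    # duration of this window unsolicited ACK-flagged packets pass too;
    # keep the window short and delete the rule as soon as the rules are in.
    $IPFW -q add 1 allow tcp from any to any established
    load_rules ""
    $IPFW -q delete 1
}

reload_sets() {
    # Set 1 is the staging area: disabled, so nothing in it matches
    # traffic while it is being filled, and emptied of any leftovers
    # (deleting an already-empty set is harmless).
    $IPFW -q set disable 1
    $IPFW -q delete set 1 2>/dev/null || :
    load_rules "set 1 "
    # Exchange the set numbers in one operation: the staged rules become
    # set 0 (live, enabled) and the old rules become set 1 (disabled).
    # Packets are always evaluated against a complete ruleset, old or new.
    # The default rule lives in set 31 and is untouched.
    $IPFW -q set swap 0 1
    # Drop the old rules, now in set 1. Dynamic (keep-state) entries belong
    # to the rule that created them and go away with it, so a live session
    # gets fresh state the next time a packet re-matches a keep-state rule.
    $IPFW -q delete set 1
}

# Dispatch on the first argument; with no argument only print usage.
case "${1:-}" in
    temp) reload_temp ;;
    sets) reload_sets ;;
    *)    echo "usage: $0 temp|sets   (IPFW=echo for a dry run)" >&2 ;;
esac
```

Either function should still be started the way the thread suggests when run over ssh (`-q` on every ipfw call, or backgrounded with output redirected), since it is the write to a dying terminal, not the rule load, that takes the shell down if a session does drop.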

