mombe.org
home of the mad cow
Not A Blog

Monday, November 07, 2005

ipfw(8) diff

One of the problems with stateful firewall rules is that reloading the entire ruleset usually results in a loss of state — in other words, established connections get dropped every time the ruleset is changed. This is okay on my little workstation PC, but gets a bit irritating on a firewall serving 6000+ users.

The normal workaround for this is to apply only the changes: delete rules that are no longer used and add new or changed ones. That way the only things affected by the change are those the change is meant to affect. Doing this by hand is usually easy enough, particularly as firewall rules don't change often in our environment.

This got me thinking this morning, however. I want to be able to apply firewall rules in a diff kind of fashion, i.e. pass my ruleset to something, have it calculate what needs to be done (and perhaps just get on with it ;-)). In other words, I want to automate my manual diff.

ipfw(8) cleverly comes with a -n option to test rules (this is useful++ and should be used on every change anyway ;-). One of the things that -n does is parse the rules and then print them to stdout in a post-processed form. This form is identical to the one produced by ipfw list. So if we take the output of ipfw -n and ipfw list and diff them, we should get (most of) the changes.

Enter a little shell script to do this for me. It's not by any means complete (it only really handles add and delete lines), but it should work for simple installations. It was an idea. YMMV and all that. Somebody's probably already done this anyway :)
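The diff-and-apply idea above, as an added example that is not the author's script (which is not reproduced on this page): a POSIX sh function that takes the two rule listings as text, and prints the ipfw delete/add commands needed to get from one to the other without running ipfw itself. The rule listings, the function name and the 65535 default-rule handling are assumptions of this example.

```shell
#!/bin/sh
# Added example, not the author's script. Assumed rule line format is the
# one `ipfw list` prints: "NNNNN <rule body>", one rule per line.

# Constructed sample: what `ipfw list` would print for the loaded ruleset.
current_rules='00100 allow ip from any to any via lo0
00200 deny ip from any to 127.0.0.0/8
00300 allow tcp from any to me dst-port 22 setup keep-state
00400 allow tcp from any to me dst-port 23 setup keep-state
65535 deny ip from any to any'

# Constructed sample: the post-processed desired ruleset (the -n output).
desired_rules='00100 allow ip from any to any via lo0
00200 deny ip from any to 127.0.0.0/8
00300 allow tcp from any to me dst-port 22 setup keep-state
00500 allow tcp from any to me dst-port 443 setup keep-state'

# ipfw_rule_diff CURRENT DESIRED
# Prints the ipfw commands that turn CURRENT into DESIRED, one per line:
# "delete N" for each rule line only in CURRENT, then "add ..." for each
# rule line only in DESIRED. Unchanged lines are left alone, so their
# dynamic state survives; a changed rule shows up as a delete plus an add.
# Nothing is applied here: review the output, then feed it to ipfw.
ipfw_rule_diff() {
    cur=$(mktemp) || return 1
    des=$(mktemp) || { rm -f "$cur"; return 1; }
    # comm(1) needs both inputs sorted with the same collation; drop blank lines.
    printf '%s\n' "$1" | awk 'NF' | LC_ALL=C sort > "$cur"
    printf '%s\n' "$2" | awk 'NF' | LC_ALL=C sort > "$des"
    # Rules loaded but no longer wanted: delete by number. The default rule
    # 65535 cannot be deleted and is not part of a ruleset file, so skip it.
    # Caveat: "delete N" removes every rule numbered N, so keep numbers unique.
    LC_ALL=C comm -23 "$cur" "$des" | awk '$1 != "65535" { print "delete " $1 }'
    # Rules wanted but not loaded: add them verbatim, number included.
    LC_ALL=C comm -13 "$cur" "$des" | awk '{ print "add " $0 }'
    rm -f "$cur" "$des"
}

ipfw_rule_diff "$current_rules" "$desired_rules"
```

On a real host the two inputs would be the output of ipfw list and of the -n run the post describes; the printed commands are meant to be read first and only then prefixed with ipfw and executed.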

posted by guy at 15:40 SAST | path: /systems

© 2002-2005, webmaster@mombe.org