Monday, November 07, 2005
One of the problems with stateful firewall rules is that reloading the
entire ruleset usually results in a loss of state — in other words,
established connections get dropped every time the ruleset is changed. This
is okay on my little workstation PC, but gets a bit irritating when it
happens on a firewall serving 6000+ users.
The normal workaround for this is to apply only the changes. In other words,
delete the rules that are no longer used and add the new or changed ones. That
way the only things affected by the change are those things the change is
meant to affect. Doing this by hand is usually easy enough, particularly
as firewall rules don't change often in our environment.
This got me thinking this morning, however. I want to be able to apply
firewall rules in a diff kind of fashion, i.e. I want to pass my ruleset to
something, have it calculate what needs to be done (and perhaps just get on
with it ;-). In other words, I want to automate my manual diff.
ipfw(8) cleverly comes with a -n option to test rules without passing them to
the kernel (this is useful++ and should be used on every change anyway ;-).
One of the things that -n does is parse the rules and then spit them out to
stdout in a post-processed form. This form is identical to the one produced by
ipfw list. So if we take the output of ipfw -n and of
ipfw list and we diff them, we should get (most of) the changes.
Enter a little shell script to do this for me. It's not by any means
complete (it only really handles add and delete lines) but it should work
for simple installations. It was an idea. YMMV and all that. Somebody's
probably already done this anyway :)
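The diff idea sketched above, as an added example that is not the script linked from the original post. It takes two listings in ipfw list format (current rules from ipfw list, desired rules from ipfw -n on the rules file, relying on the post's observation that the two formats match), uses comm(1) to find the rules present on only one side, and prints the ipfw delete and ipfw add commands that reconcile them. The sample listings are constructed for the example; the function name ipfw_diff is my own.

```shell
#!/bin/sh
# Added example, not the original post's script: turn two "ipfw list" style
# listings into the ipfw commands that reconcile them.
LC_ALL=C; export LC_ALL   # make sort(1) and comm(1) agree on ordering

# Constructed sample listings standing in for "ipfw list" (what the kernel
# has now) and "ipfw -n /etc/ipfw.rules" (what the rules file says).
# Rule 65535 is the kernel's built-in default rule; it never appears in a
# rules file and cannot be deleted, so it must be ignored on the delete side.
CURRENT='00100 allow ip from any to any via lo0
00200 deny ip from any to 127.0.0.0/8
00300 allow tcp from any to me dst-port 22 keep-state
00400 allow tcp from any to me dst-port 80
65535 deny ip from any to any'

DESIRED='00100 allow ip from any to any via lo0
00200 deny ip from any to 127.0.0.0/8
00300 allow tcp from any to me dst-port 22 keep-state
00400 allow tcp from any to me dst-port 443
00500 allow udp from me to any dst-port 53'

# ipfw_diff CURRENT_LISTING DESIRED_LISTING
# Prints deletes first, then adds. Refuses to act on an empty desired
# listing, because that usually means "ipfw -n" rejected the rules file and
# blindly applying the diff would delete every rule on the box.
ipfw_diff() {
    cur=$(mktemp) || return 1
    des=$(mktemp) || { rm -f "$cur"; return 1; }

    # Drop blank lines and the default rule, then sort so comm(1) can compare
    # the two sets line by line (zero-padded rule numbers sort numerically).
    printf '%s\n' "$1" | grep -v '^65535 ' | grep -v '^$' | sort > "$cur"
    printf '%s\n' "$2" | grep -v '^65535 ' | grep -v '^$' | sort > "$des"

    if [ ! -s "$des" ]; then
        echo "ipfw_diff: desired ruleset is empty, refusing to delete everything" >&2
        rm -f "$cur" "$des"
        return 1
    fi

    # Rules loaded now but absent from the desired set: delete by number.
    # "ipfw delete N" removes every rule numbered N, so emit each number once.
    comm -23 "$cur" "$des" | awk '!seen[$1]++ { print "ipfw delete " $1 }'

    # Rules wanted but not loaded: add them verbatim, number included.
    comm -13 "$cur" "$des" | awk '{ print "ipfw add " $0 }'

    rm -f "$cur" "$des"
}

# Show the commands for the sample listings; on a real firewall this would be
#   ipfw_diff "$(ipfw list)" "$(ipfw -n /etc/ipfw.rules)"
# reviewed by eye and then piped to sh.
ipfw_diff "$CURRENT" "$DESIRED"
```

Two things to keep in mind when using the output. Because deletes are emitted before adds, a rule number that changes content is briefly absent between the two commands, which matters for a deny rule that other rules depend on; and deleting a rule also removes the dynamic entries it created, so a changed keep-state rule still drops its own connections. The gain is that every rule the diff does not touch keeps its state.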
posted by guy at: 15:40 SAST | path: /systems