[Fwbuilder-discussion] fwbuilder, pf, and cleared state
From: Dustin L. <dus...@gm...> - 2004-11-12 00:09:44
Hi everybody, I'm fairly new to the list and to fwbuilder. My company moved from a proprietary firewall to an OpenBSD/pf machine and I've been spending the last couple days taking it live and tuning it up. It's doing NAT for several machines on an internal private network, and there are several webservers in a clustered/load balanced environment on the dmz. I'm running the win32 gui to manage the firewall. So far almost everything is working perfectly.

I do have one question though. When I compile the policy and install it on the firewall, the following commands are run:

    pfctl -d
    pfctl -F all
    pfctl -f /etc/newpffirewall.conf
    pfctl -e

These commands are taken from the last few lines of the newpffirewall.fw file that is automatically run when fwbuilder reloads the policy. The command pfctl -F all flushes the state table along with all the rules, but this terminates the connection for anybody connected to the company website, along with anybody internally connected to outside services. Basically, every connection is reset when the state table is flushed. We won't be adding/changing rules and reloading the policy very often, but we do it often enough that this kind of resetting could become troublesome.

What I'd like to have happen is something akin to this:

    pfctl -d
    pfctl -F nat
    pfctl -F rules
    pfctl -f /etc/newpffirewall.conf
    pfctl -e

I'm no pf expert, but from what I understand this would allow me to add new nat and filter rules without flushing the state table. As far as I can see, when I run these commands manually on the command line, the state table is maintained, while the rules are flushed and reloaded.

Now to my question: is there any way to make this the default behavior of fwbuilder? I believe the module creating the newpffirewall.fw file is fwb_pf.exe, but I don't see the win32 source code for this module anywhere on the fwbuilder website. Can anyone point me in the right direction here?

Has anyone else accomplished what I'm trying to do, and are there any pf experts out there that can poke holes in my theory? Any help anyone could provide would be appreciated.

Best regards,
Dustin Lovell
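An added example, not from this thread or from fwbuilder, of a reload script that does what the second command sequence in the post aims for (flush nat and filter rules only, keep the state table), with one extra step: the new ruleset is parsed with pfctl -n -f before anything is flushed, so a typo in the config cannot leave the firewall with an empty ruleset. It assumes pfctl -f can load a ruleset while pf stays enabled (so -d/-e are not used) and uses a hypothetical PFCTL variable so the sequence can be exercised without a real pf.

```shell
#!/bin/sh
# Reload a pf ruleset while preserving the state table.
# Assumptions (not from the original post): pfctl -n -f parses without
# loading, and pfctl -f can replace the ruleset while pf is enabled, so
# the filter is never disabled with -d during the reload.
# PFCTL is a hypothetical override (used for testing); defaults to pfctl.
: "${PFCTL:=pfctl}"

pf_reload_keep_state() {
    conf="$1"
    [ -r "$conf" ] || { echo "config not readable: $conf" >&2; return 2; }

    # 1. Parse the new ruleset without loading it. If this fails, the live
    #    rules and the state table are left exactly as they were.
    "$PFCTL" -n -f "$conf" || {
        echo "syntax error in $conf, live ruleset unchanged" >&2
        return 1
    }

    # 2. Flush only NAT and filter rules, never 'all' (which drops state).
    "$PFCTL" -F nat   || return 1
    "$PFCTL" -F rules || return 1

    # 3. Load the new ruleset; existing state entries keep matching.
    "$PFCTL" -f "$conf" || return 1
}

# Usage (as root on the firewall):
#   pf_reload_keep_state /etc/newpffirewall.conf
```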