# Temporarily disable ipfw during rule reload



## usdmatt (Mar 16, 2009)

Hello,

I have a firewall running ipfw with a reload script that looks something like this -

#start
ipfw -f flush
...lots of various allow commands...
...a few catch-all deny log commands...
#end

When running the script I get cut off from the server, although ending the command with a '&' causes it to continue running which is fine, but it also cuts off a lot of customers - mainly vpn & rdp connections.

I've been looking around and i've found the following commands which may temporarily disable the firewall during reload to stop this happening. -

1) ipfw disable/enable firewall
2) sysctl net.inet.ip.fw=0/1

I've not found any definative information on the net about this so I'd like to know the following -

If I place a entry at the top of the script to run one of the above commands, and its opposite at the bottom, will it achieve what I want? I'm just worried that disabling the firewall at the top of the script will affect the loading of the rules, or cause some other issue.


----------



## usdmatt (Mar 16, 2009)

Just  realised i've got the sysctl name slightly wrong.
Should be 'net.inet.ip.fw.enable'

I've also noticed some other people add an 'allow all' rule at the top of the script, and remove it at the bottom, but apparently this can still cause a disconnect every now and then?


----------



## vivek (Mar 16, 2009)

I think you can also use rc.d script:

```
/etc/rc.d/ipfw stop
/etc/rc.d/ipfw start
/etc/rc.d/ipfw restart
```


----------



## usdmatt (Mar 16, 2009)

Hi Vivek,

Thanks for the reply.

Looking at the rc script, it is possible to stop the firewall, load new rules and restart.


----------



## vivek (Mar 16, 2009)

restart option is for that purpose only.


----------



## trev (Mar 17, 2009)

Restarting the firewall is likely to cut customers off because of state rules getting hosed.

Would it not be better to simply add/delete rules which does not require any enabling/disabling/restarting? (I'm assuming you're not making wholesale changes and that your rules have sufficient number gaps.)


----------



## bobveznat (Mar 26, 2009)

If you compile the kernel with IPFIREWALL_DEFAULT_TO_ACCEPT then the ipfw flush won't disconnect you. At least this is the only difference I see on the two servers I have that have differing behavior  Your server's role and location within a network may make this impractical.

Another option is to use ipfw sets. You can put your special ssh rule into set 31 (a special number, see ipfw(8)). When the ipfw flush is done it flushes everything except 31. I remember trying this a long time ago but eventually gave up. The problem I was having was that every time I reloaded I added yet another "allow ssh" rule to the set. If you wrote rc.firewall better than I did this would work fine.


----------

