IPFW: A Stateful Restart
When working with IPFW rules you are well advised to work from the console. In practice that frequently doesn't happen: the system is in another room or another location, or we just want to do something "quick".
As long as you are careful, it's possible to do this without a huge risk. You will get bitten eventually, of course.
If the setup in question uses stateful rules, though, it's quite likely that your session will be disconnected when you reload the rules, because the dynamic state table is flushed along with them. We can prevent that from happening. It turns out there is a sysctl, net.inet.ip.fw.dyn_keep_states, that controls that behaviour, and the script below takes advantage of it: set it to 1 for the duration of the reload, then put it back.
- ipfw.restart
```sh
#!/usr/local/bin/bash
# restart ipfw without dropping the stateful rules
knob="net.inet.ip.fw.dyn_keep_states"

# grab the current dyn_keep_states value so it can be put back afterwards
# (sysctl -n prints just the value, no name: prefix)
orig=$(sysctl -n "$knob")

echo "grab dyn_keep_states value and then set it to 1"
sysctl "$knob=1"

# script used to load the ipfw rules; nohup so the reload finishes
# even if this session is dropped part-way through
echo "run ipfw.start"
nohup /etc/ipfw/ipfw.start > /etc/ipfw/start.out 2>&1

echo "return dyn_keep_states to its original value"
sysctl "$knob=$orig"
```
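The script above does the job but has two failure modes a practitioner will want covered: if the knob cannot be read (ipfw module not loaded, typo in the name) it runs the loader with an empty value and then sets the sysctl to nothing, and if the loader fails or the script is killed mid-reload the original value is never restored. The following is an added example, not the original post's script, showing the same technique with those cases handled. It assumes the loader path and log path are passed as the first and second argument (defaulting to the paths used in the post), and that it is saved under the name ipfw.restart; `sysctl -n` is the standard way to print a bare value on FreeBSD.

```sh
#!/bin/sh
# Added example (not the original post's script): the same idea with the
# failure modes handled. Assumed interface: loader path as $1, log path
# as $2, both defaulting to the paths used in the post.

KNOB="net.inet.ip.fw.dyn_keep_states"

# Print the bare value of a sysctl knob. Fails (non-zero) when the knob
# does not exist, e.g. because the ipfw module is not loaded.
knob_value() {
    sysctl -n "$1" 2>/dev/null
}

# Reload the rules with dyn_keep_states pinned to 1 for the duration,
# then put the saved value back whether the loader succeeded or not.
# Returns the loader's exit status, or 2 if the knob could not be handled.
ipfw_stateful_restart() {
    loader="${1:-/etc/ipfw/ipfw.start}"
    log="${2:-/etc/ipfw/start.out}"

    # Refuse to continue if we cannot read the knob: running the loader
    # without it pinned is exactly the session-dropping case we want to avoid.
    orig=$(knob_value "$KNOB") || {
        echo "$KNOB is not available; is ipfw loaded?" >&2
        return 2
    }

    restore_knob() { sysctl "$KNOB=$orig" >/dev/null; }

    # If we get killed mid-reload, still restore the original value.
    trap 'restore_knob; exit 130' INT TERM HUP

    sysctl "$KNOB=1" >/dev/null || {
        echo "could not set $KNOB=1" >&2
        trap - INT TERM HUP
        return 2
    }

    # nohup as in the original: the reload must survive our own session dropping.
    nohup "$loader" >"$log" 2>&1
    status=$?

    restore_knob
    trap - INT TERM HUP

    if [ "$status" -ne 0 ]; then
        echo "$loader exited with status $status; see $log" >&2
    fi
    return "$status"
}

# Run only when invoked as the ipfw.restart script itself; when sourced
# (or run under another name) the functions are merely defined.
case "${0##*/}" in
    ipfw.restart) ipfw_stateful_restart "$@" ;;
esac
```

Save it as ipfw.restart and run it with no arguments to get the post's behaviour; the difference is that a missing knob aborts before the rules are touched, a failing loader still restores the saved value and reports its exit status, and an interrupt during the reload does not leave dyn_keep_states stuck at 1.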