In <list-7160221@2rosenthals.com>, on 05/14/23
    at 10:04 AM, "Massimo S." <ecs-isp@2rosenthals.com> said:


Hi Massimo,

but anyway doing this kind of tests on a production server is an issue
since i've to do it late in the night

I understand.

and i've another problem too (this one since years ago)
reloading the rules don't show the issue
you have to restart the fw
if i restart the fw injoy do not work anymore even with a working rules
set all packets ends into SYN_SENT state and i've to reboot the server
(setboot /b)

As with your "large ruleset" problem, we have never encountered this one
either.  Dan runs ijfw on 6 or 7 OS/2 instances with differing application
mixes.  The ijfw security levels vary. Most run 5 or 6, which is a fair
set of rules and we also have a number of Observe rules to keep the
annoying password guesses away.

I can't recall a valid set of rules failing to reload either when using
the GUI or with the sync command.

Every now and then ijfw constructs a bogus blacklist rule which stops all
packet transfers.  However, since this is a known issue, it does not take
us long to think to delete the blacklist file and sync the firewall.  This
does not occur often.  I dimly recall the last occurance was something
like 6 months ago.

When you have more data to review on this issue, let us know.

Steven