Date: Wed, 16 May 2001 12:09:11 -0400 From: "Antoine Beaupre (LMC)" <Antoine.Beaupre@ericsson.ca> To: freebsd-security@FreeBSD.ORG Subject: Re: risks of ip-forwarding, without ipf/ipfw Message-ID: <3B02A627.533CD030@lmc.ericsson.se> References: <20010516155615.40395.qmail@web14503.mail.yahoo.com>
next in thread | previous in thread | raw e-mail | index | archive | help
There's a few issues with that here...
You can run natd with -dynamic:
-dynamic If the -n or -interface option is used, natd will
monitor the
routing socket for alterations to the interface
passed. If
the interface's IP number is changed, natd will
dynamically
alter its concept of the alias address.
For the matching rules, you can use the "me" keyword that:
src and dst:
any | me | [not] <address/mask> [ports]
Specifying me makes the rule match any IP number configured
on an
interface in the system. This is a computationally
semi-expen
sive check which should be used with care.
So yes, it's smart.
A.
Jano Lukac wrote:
>
> If your IP changes (e.g. in a PPP or PPPoE link), do you have to rerun
> ipf/ipfw/natd everytime? Or is freebsd smart about this (unlike the unnamed
> arctic semi-counterpart which uses ipchains/iptables)?
--
La sémantique est la gravité de l'abstraction.
To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?3B02A627.533CD030>