From: "Antoine Beaupre (LMC)"
To: freebsd-security@FreeBSD.ORG
Message-ID: <3B02A627.533CD030@lmc.ericsson.se>
Date: Wed, 16 May 2001 12:09:11 -0400
Organization: LMC, Ericsson Research Canada
Subject: Re: risks of ip-forwarding, without ipf/ipfw
References: <20010516155615.40395.qmail@web14503.mail.yahoo.com>

There are a few issues with that here...

You can run natd with -dynamic:

    -dynamic   If the -n or -interface option is used, natd will monitor the
               routing socket for alterations to the interface passed. If the
               interface's IP number is changed, natd will dynamically alter
               its concept of the alias address.

For the matching rules, you can use the "me" keyword:

    src and dst: any | me | [not] [ports]

        Specifying me makes the rule match any IP number configured on an
        interface in the system. This is a computationally semi-expensive
        check which should be used with care.

So yes, it's smart.

A. Jano Lukac wrote:
>
> If your IP changes (e.g. in a PPP or PPPoE link), do you have to rerun
> ipf/ipfw/natd every time? Or is freebsd smart about this (unlike the unnamed
> arctic semi-counterpart which uses ipchains/iptables)?

--
Semantics is the gravity of abstraction.