From owner-freebsd-questions  Sun Sep  2 17:16: 1 2001
Delivered-To: freebsd-questions@freebsd.org
Received: from cactus.fi.uba.ar (cactus.fi.uba.ar [157.92.49.108])
	by hub.freebsd.org (Postfix) with ESMTP id 09C1037B401
	for <freebsd-questions@FreeBSD.ORG>; Sun,  2 Sep 2001 17:15:53 -0700 (PDT)
Received: from cactus.fi.uba.ar (cactus.fi.uba.ar [157.92.49.108])
	by cactus.fi.uba.ar (8.11.3/8.9.3) with ESMTP id f830EBN03186;
	Sun, 2 Sep 2001 21:14:13 -0300 (ART)
	(envelope-from fgleiser@cactus.fi.uba.ar)
Date: Sun, 2 Sep 2001 21:14:11 -0300 (ART)
From: Fernando Gleiser <fgleiser@cactus.fi.uba.ar>
To: =?iso-8859-1?q?Keith=20Spencer?= <bsd2000au@yahoo.com.au>
Cc: fbsd <freebsd-questions@FreeBSD.ORG>
Subject: Re: ipfilter firewall...how to?
In-Reply-To: <20010902225212.29432.qmail@web12006.mail.yahoo.com>
Message-ID: <20010902205845.Q506-100000@cactus.fi.uba.ar>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-questions@FreeBSD.ORG
Precedence: bulk
List-ID: <freebsd-questions.FreeBSD.ORG>
List-Archive: <http://docs.freebsd.org/mail/> (Web Archive)
List-Help: <mailto:majordomo@FreeBSD.ORG?subject=help> (List Instructions)
List-Subscribe: <mailto:majordomo@FreeBSD.ORG?subject=subscribe%20freebsd-questions>
List-Unsubscribe: <mailto:majordomo@FreeBSD.ORG?subject=unsubscribe%20freebsd-questions>
X-Loop: FreeBSD.ORG

On Mon, 3 Sep 2001, Keith Spencer wrote:

> Hi all,
> I have followed a tute on building a solid firewall.
> (Schlacter's) It was a great tute but too specific to
> a machine. dhcp etc. How can i get some quick and
> dirty info on how to hack the conf files (rules) to
> get the darn thing to work when I don't know the DHCP
> server ip and/or using a static ip as well as other
> stuff

What do you need? Allow DHCP through the firewall? Configure the public
interface of the firewall using DHCP?

For the later you need to add the following rules to your ipfilter conf file:

pass out quick on <if> proto udp from 0/32 port = 68 to any port = 67
pass in quick on <if> proto udp from any port = 68 to any port = 67

To use a dynamic IP, use 0/32 which means "whatever IP the interface has"
For example, the following rule allows outgoing ssh:

pass out quick on tun0 proto tcp from 0/32 to any port = 22 flags S keep state


			Fer


> Thanks Keith
>
> http://travel.yahoo.com.au - Yahoo! Travel
> - Got Itchy feet? Get inspired!
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-questions" in the body of the message
>


To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-questions" in the body of the message