Date: Wed, 15 Nov 2000 19:22:59 +0100
From: Gerhard Sittig <Gerhard.Sittig@gmx.net>
To: freebsd-security@FreeBSD.ORG
Subject: Re: PPP NAT Gateway security
Message-ID: <20001115192259.Q27042@speedy.gsinet>
In-Reply-To: <20001114211934.B888@grok>; from sreid@sea-to-sky.net on Tue, Nov 14, 2000 at 09:19:34PM -0800
References: <00c801c04dc4$12a89220$0200a8c0@n2> <20001114144513.A888@grok> <001c01c04e97$c69c3c90$0200a8c0@n2> <20001114211934.B888@grok>
On Tue, Nov 14, 2000 at 21:19 -0800, Steve Reid wrote:
> On Wed, Nov 15, 2000 at 12:05:28AM -0000, Nuno Teixeira wrote:
> >
> > [ ... dynamic IP ... ]
>
> This is what I've whipped up for my ipfilter config:
>
> http://sea-to-sky.net/~sreid/ipfinit
>
> A simple little sh script that takes an interface name (fxp0 in
> my case, tun0 in yours) as an argument and extracts the IP
> address information from ifconfig, then performs the
> appropriate substitutions on ipf.cfg and feeds the results to
> ipf.

I haven't looked at your doc (yet), but I suddenly felt like replying. :)

ipf already has a feature like ppp's MYADDR -- specify 0.0.0.0/32 as the IP and issue "ipf -y" when the interface configuration changes (like in ppp.linkup or in the appropriate dhcp client hooks).

And BTW: You do bind your rules to interfaces ("... on $IF") already, don't you? If not, I wouldn't like to ignore where certain packets come in from or want to leave the machine at ...

If it's just for variable substitution or conditional "compilation", you might find my patch described in http://www.freebsd.org/cgi/query-pr.cgi?pr=21989 of interest.

> To use the above, add "options IPFILTER" to your kernel config.

And one better adds IPFILTER_LOG as well as IPFILTER_DEFAULT_BLOCK to the kernel config before getting used to living without it. :)

And since JKH was so kind to MFC the PR 20202 patch, ipf would even come up at boot time beginning with the 4.2-RELEASE if the admin wants it to. There's nothing more to it than throwing a little lever in rc.conf (a real life example is given in "man 5 rc.conf").

virtually yours
82D1 9B9C 01DC 4FB4 D7B4 61BE 3F49 4F77 72DE DA76
Gerhard Sittig   true | mail -s "get gpg key" Gerhard.Sittig@gmx.net

--
If you don't understand or are scared by any of the above ask your parents or an adult to help you.
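The approach Gerhard describes above (0.0.0.0/32 for the dynamic address, every rule bound to its interface, default block with logging), as an added example that is not part of the thread and not Steve's ipfinit script: a constructed /etc/ipf.rules for a PPP gateway. It assumes tun0 is the PPP link, fxp0 with 192.168.0.0/24 is the LAN, and ssh is the only service offered to the outside; all of those are assumptions.

```conf
# Constructed example (not from the thread): /etc/ipf.rules for a PPP gateway
# whose external interface tun0 gets a dynamic address.
#
# 0.0.0.0/32 stands for "the address currently configured on this interface";
# running "ipf -y" after every link-up makes the kernel pick the new address
# up without rewriting or reloading the rule set.

# Loopback is unrestricted.
pass in  quick on lo0 all
pass out quick on lo0 all

# Drop malformed packets on the external interface before anything else.
block in log quick on tun0 from any to any with short
block in log quick on tun0 from any to any with ipopts

# Anti-spoofing: private space must not arrive on tun0, and nothing may
# arrive claiming to be our own (dynamic) address.
block in log quick on tun0 from 10.0.0.0/8 to any
block in log quick on tun0 from 172.16.0.0/12 to any
block in log quick on tun0 from 192.168.0.0/16 to any
block in log quick on tun0 from 0.0.0.0/32 to any

# Only ssh is offered to the outside; replies are matched by the state table,
# so no separate "pass out" for them is needed.
pass in quick on tun0 proto tcp from any to 0.0.0.0/32 port = 22 flags S keep state

# Outbound traffic on tun0 is allowed and its replies come back via state.
# The source is left open (not 0.0.0.0/32) because NAT for the LAN may be
# applied after ipf sees the packet (assumption for user ppp with -nat).
pass out quick on tun0 proto tcp  from any to any flags S keep state
pass out quick on tun0 proto udp  from any to any keep state
pass out quick on tun0 proto icmp from any to any keep state

# Inner interface: trust the LAN (assumed fxp0 / 192.168.0.0/24).
pass in  quick on fxp0 from 192.168.0.0/24 to any keep state
pass out quick on fxp0 from any to 192.168.0.0/24

# Whatever falls through is logged and dropped, mirroring
# IPFILTER_DEFAULT_BLOCK so that a failed rule load fails closed, not open.
block in  log all
block out log all
```

Load it with `ipf -Fa -f /etc/ipf.rules` and have /etc/ppp/ppp.linkup run `ipf -y` on every link-up, so the 0.0.0.0/32 rules follow the new tun0 address; the `log` keywords only produce output when the kernel has IPFILTER_LOG.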