Date:      Sun, 3 Mar 2002 13:36:08 -0600
From:      "Dean E. weimer" <dweimer@happydays.dyndns.org>
To:        <security@FreeBSD.ORG>
Subject:   RE: ipfw and DHCP
Message-ID:  <000001c1c2ea$ab232eb0$0b62f00a@Happydays.Local>
In-Reply-To: <20020303131353.H98814-100000@topperwein.dyndns.org>


-----Original Message-----
From: owner-freebsd-security@FreeBSD.ORG
[mailto:owner-freebsd-security@FreeBSD.ORG]On Behalf Of Chris BeHanna
Sent: Sunday, March 03, 2002 12:18 PM
To: security@FreeBSD.ORG
Subject: Re: ipfw and DHCP


On Fri, 1 Mar 2002, David Wolfskill wrote:

> >From: George.Giles@mcmail.vanderbilt.edu
> >Date: Fri, 1 Mar 2002 07:52:26 -0600
>
> >How do you get ipfw to pick-up DHCP value for oif in the rc.firewall script?
>
I saw many different scripting solutions for this one, but one thing I
haven't seen: since oif seems to be defined as a variable, is it a NIC, or a
ppp interface (tun0)?

If your external interface is through ppp there is a simple way to rebuild
the rules when your IP changes, simply use the ppp.linkup file.  When I used
ipfw I had the following in my ppp.linkup file.

 !bg /etc/firewall/ipfwrules

Then I had the following at the beginning of my ipfwrules script.

 # My Internet IP Address Defined
 # count the "inet " lines ifconfig prints for tun0
 numips=`ifconfig tun0 | grep -c "inet "`
 # the line number of the last "inet " line in the ifconfig output
 lastnum=$(($numips+2))
 # pull the address from that line (grep -n prefixes "N:", so the IP is field 3)
 myip=`ifconfig tun0 | grep -n "inet " | grep "$lastnum:" | awk '{print $3}'`

The script then proceeded to flush the existing rule set, and load the new
ones with the correct IP.

> >From "man ipfw":
>
>      src and dst:
>              any | me | [not] <address/mask> [ports]
>
>              Specifying any makes the rule match any IP address.
>
>              Specifying me makes the rule match any IP address configured on
>              an interface in the system.
>
>    "me" can be somewhat expensive, however.  For those rules for
>which I want to use my address instead of my external interface, I do
>this near the top of /etc/rc.firewall:
>
>    oif=dc0
>    oip="`ifconfig ${oif} inet | grep inet | awk '{ print $2 }'`"
>    onet="`echo ${oip} | sed -E 's/\.[0-9]{1,3}$/.0/'`"
>
>Note that this only works if your ISP (like mine) will continue to
>give you the same address over and over as long as you're powered up
>at lease renewal time.  If that's not true, you're stuck with "me",
>unless you can rewrite your rules to use only your external interface.
>
>--
>Chris BeHanna
>Software Engineer                   (Remove "bogus" before responding.)
>behanna@bogus.zbzoom.net
>I was raised by a pack of wild corn dogs.
>
>
>To Unsubscribe: send mail to majordomo@FreeBSD.org
>with "unsubscribe freebsd-security" in the body of the message
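The approach both posts describe (read the current address off the interface, derive the network, regenerate the address-specific rules) as an added example that is not from the thread or from rc.firewall; the ifconfig output, interface name dc0and rule numbers are constructed, and the /24 network derivation is an assumption copied from Chris's sed.

```shell
#!/bin/sh
# Added example, not from the thread: derive oip/onet from ifconfig output and
# emit an ipfw rule file from them. Calling rebuild from ppp.linkup (as Dean
# does) or from a DHCP lease-change hook regenerates the rules on each change.

# Constructed sample shaped like FreeBSD "ifconfig dc0" output (not captured).
SAMPLE_IFCONFIG='dc0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        inet6 fe80::2a0:ccff:fe3d:1234%dc0 prefixlen 64 scopeid 0x1
        inet 10.7.3.42 netmask 0xffffff00 broadcast 10.7.3.255
        ether 00:a0:cc:3d:12:34'

# Last IPv4 address on the interface. Matching the first field exactly avoids
# "grep inet" also matching the inet6 line (which would hand a link-local
# address to the firewall), and keeping the last match covers aliases, which
# is what Dean's line-count arithmetic was doing.
oip_from_ifconfig() {
    printf '%s\n' "$1" | awk '$1 == "inet" { ip = $2 } END { print ip }'
}

# Network address assuming a /24 (Chris's sed); for other prefix lengths it
# would have to be computed from the netmask instead.
onet_from_oip() {
    printf '%s\n' "$1" | sed -E 's/\.[0-9]{1,3}$/.0/'
}

# Address-specific rules for oif/oip/onet, printed as an ipfw(8) rule file so
# they can be reviewed (or diffed against the running set) before loading.
ipfw_rules() {
    oif=$1 oip=$2 onet=$3
    cat <<EOF
flush
add 100 allow ip from any to any via lo0
add 200 deny ip from ${onet}/24 to any in via ${oif}
add 300 allow udp from any 67 to any 68 in via ${oif}
add 400 allow tcp from any to any established
add 450 allow udp from any 53 to ${oip} in via ${oif}
add 500 allow tcp from any to ${oip} 22 in via ${oif} setup
add 600 deny ip from any to any in via ${oif}
add 65000 allow ip from any to any
EOF
}

# rebuild <oif> <ifconfig output>: the hook entry point.
rebuild() {
    oip=$(oip_from_ifconfig "$2")
    onet=$(onet_from_oip "$oip")
    ipfw_rules "$1" "$oip" "$onet"
}

rebuild dc0 "$SAMPLE_IFCONFIG"
```

Rule 200 is the anti-spoof check (our own network arriving from outside) and rule 300 keeps DHCP replies flowing even while the address-specific rules are being rebuilt; in production the second argument to rebuild would be `"$(ifconfig "$oif")"`.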
