Date:      Sat, 17 Jun 2000 15:10:05 -0700 (PDT)
From:      The Clark Family <res03db2@gte.net>
To:        Giorgos Keramidas <keramida@ceid.upatras.gr>
Cc:        freebsd-questions@FreeBSD.ORG
Subject:   Re: Updating ipfw at dhcp induced ip address change.
Message-ID:  <Pine.BSF.4.21.0006171503010.38057-100000@orthanc.dsl.gtei.net>
In-Reply-To: <20000619003156.A642@hades.hell.gr>

I had read somewhere, that it was required to "bump" ipfw when an
interface's address changes. NATD looks like it has a "dynamic" setting
though.

If I do have to "bump" ipfw to make sure the rules that reference fxp1 are
reset, then I can do that from dhcpd's hook script. (I'm still learning
about that.)

The plan with squid is to have it act as a "web accelerator" for apache,
and as a transparent proxy for the inside machines. I think it'll involve
a fairly elaborate divert/ipfw setup.

Thanks for the feedback.

[RC]

On Mon, 19 Jun 2000, Giorgos Keramidas wrote:

> On Fri, Jun 16, 2000 at 07:01:24PM -0700, The Clark Family wrote:
> > 
> > My question is: if I write my filter and natd rules to refer to fxp1
> > instead of my dhcp assigned address, will dhcpd bump ipfw for me
> > when/if dhcp changes my address?
> 
> Well, yeah, it is supposed to work that way.  I had been using ipfw with
> ppp0 on a dialup connection, and all my rules were either:
> 
> 	pass ... in recv ppp0
> 	block ... in recv ppp0
> or
> 	pass ... out xmit ppp0
> 	block ... out xmit ppp0
> 
> The same is true, of course, with Darren's ipfilter that I'm using now.
> You can still make rules that act on an "interface level" and forget all
> about your dynamic IP address.  Some of the rules I have now look like:
> 
> 	# by default block all packets from/to 127.0.0.0/8
> 	block in proto ip from 127.0.0.0/8 to any
> 	block in proto ip from any to 127.0.0.0/8
> 	# then let only those that traverse lo0 pass
> 	pass in quick on lo0 proto ip from 127.0.0.0/8 to any
> 	pass in quick on lo0 proto ip from any to 127.0.0.0/8
> 
> The equivalent in ipfw would look like:
> 
> 	# pass all packets from/to 127.0.0.0/8 when they traverse lo0
> 	pass ip from any to 127.0.0.0/8 via lo0
> 	pass ip from 127.0.0.0/8 to any via lo0
> 	# deny when they traverse some other interface
> 	deny ip from any to 127.0.0.0/8
> 	deny ip from 127.0.0.0/8 to any
> 
> Filtering with the interface as the basis of the rules makes it easy to
> block all the interfaces that are *not* lo0, without knowing their
> specific IP addresses, or how many they are :-)
> 
> > I'm also thinking that I'll hang squid and apache on the loopback
> > interface at non privileged ports.
> 
> Nice thought, unless you want these visible from the outside, too.
> 
> -- 
> Giorgos Keramidas, < keramida @ ceid . upatras . gr >
> For my public key: finger keramida@ceid.upatras.gr
> 
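The interface-keyed ruleset the thread is circling around, written out as one added example. This is not code from either message, nor FreeBSD's own rc.firewall; the interface names (fxp1 outside, fxp0 inside), the rule numbers and the published port 80 are assumptions for illustration. It combines the loopback rules Giorgos gives in ipfw form, a natd divert rule that names the interface (the "dynamic" natd mode Clark mentions), anti-spoofing on the outside interface, and stateful outbound rules, and it carries no host address anywhere, so a DHCP lease change needs no reload. The note on /etc/dhclient-exit-hooks describes FreeBSD's dhclient-script(8) convention and is where a reload would go if address-bound rules were ever added.

```shell
#!/bin/sh
# Added example (not from the thread): an ipfw(8) ruleset keyed on interface
# names rather than on the DHCP-assigned address, so nothing in it has to be
# "bumped" when the lease changes.  Interface names (fxp1 outside, fxp0
# inside), rule numbers and the published port are assumptions.
# keep-state needs ipfw with dynamic rules (FreeBSD 4.0 or later).

IPFW="${IPFW:-/sbin/ipfw}"      # path to ipfw(8); overridable for testing

# fw RULE...: load one rule, or with FW_DRY_RUN=1 print it instead so the
# ruleset can be reviewed (or tested) on a machine without ipfw.
fw() {
    if [ "${FW_DRY_RUN:-0}" = 1 ]; then
        printf 'add %s\n' "$*"
    else
        "$IPFW" -q add "$@"
    fi
}

# build_ruleset EXT_IF INT_IF: the whole ruleset.  Every placement decision
# is made with "via", "in recv" or "out xmit" on an interface; the only IP
# literals are fixed networks (loopback, RFC 1918), never this host's address.
build_ruleset() {
    ext="$1"
    int="$2"

    # natd run with -dynamic follows the interface's current address; the
    # divert rule likewise names the interface, not the address.
    fw 50 divert natd ip from any to any via "$ext"

    # loopback: 127/8 is legal only on lo0 (the ipfw form of the ipfilter
    # rules quoted above), then refused on every other interface
    fw 100 allow ip from any to 127.0.0.0/8 via lo0
    fw 110 allow ip from 127.0.0.0/8 to any via lo0
    fw 120 deny ip from any to 127.0.0.0/8
    fw 130 deny ip from 127.0.0.0/8 to any

    # anti-spoofing on the outside interface: private source addresses
    # cannot legitimately arrive from the ISP side
    fw 200 deny ip from 10.0.0.0/8 to any in recv "$ext"
    fw 210 deny ip from 172.16.0.0/12 to any in recv "$ext"
    fw 220 deny ip from 192.168.0.0/16 to any in recv "$ext"

    # the inside network is trusted end to end (a design choice, not a given)
    fw 300 allow ip from any to any via "$int"

    # outbound through the outside interface opens state on the way out, and
    # only the matching replies are let back in
    fw 400 check-state
    fw 410 allow tcp from any to any out xmit "$ext" setup keep-state
    fw 420 allow udp from any to any out xmit "$ext" keep-state
    fw 430 allow icmp from any to any out xmit "$ext"
    fw 440 allow icmp from any to any in recv "$ext" icmptypes 0,3,11

    # a service this host publishes to the outside: still no address needed
    fw 500 allow tcp from any to any 80 in recv "$ext" setup

    # everything else is dropped and logged
    fw 65000 deny log ip from any to any
}

# Loading is opt-in (FW_LOAD=1) so that sourcing this file, e.g. from a test
# or from /etc/dhclient-exit-hooks, has no side effects.  FreeBSD's
# dhclient-script runs /etc/dhclient-exit-hooks with $reason set to
# BOUND/RENEW/REBIND/REBOOT; with interface-keyed rules there is nothing to
# reload there, but that hook is the place if address-bound rules are added.
if [ "${FW_LOAD:-0}" = 1 ]; then
    [ "${FW_DRY_RUN:-0}" = 1 ] || "$IPFW" -q flush
    build_ruleset "${EXT_IF:-fxp1}" "${INT_IF:-fxp0}"
fi
```

`FW_DRY_RUN=1 FW_LOAD=1 sh firewall.sh` prints the sixteen rules for review without touching the kernel; `FW_LOAD=1 sh firewall.sh` flushes and loads them. `via` matches a packet in either direction on the named interface, while `in recv` and `out xmit` pin the direction, which is what makes rule 300 a blanket trust of the inside network and rules 200-220 apply only to what the ISP side delivers.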