Date: Tue, 12 Dec 2000 21:33:27 -0600
From: David Kelly <dkelly@hiwaay.net>
To: "Mike Gruver" <mgruver@carolina.rr.com>
Cc: freebsd-questions@FreeBSD.ORG, brownicm@prokyon.com
Subject: Re: How to use simple firewall with DHCP?
Message-ID: <200012130333.eBD3Xm402910@grumpy.dyndns.org>
In-Reply-To: Message from "Mike Gruver" <mgruver@carolina.rr.com> of "Tue, 12 Dec 2000 20:57:57 EST." <001301c064a8$1eb2ede0$0200a8c0@digitalavalanche.com>
"Mike Gruver" writes:
> Thanks for responding to my question. Sorry about the html encoding. I
> just upgraded my email client and it changed my defaults. Got it fixed.
>
> Thank you for the information about the /var/db/dhclient.leases. I think
> that is the key. Now, if anyone knows how to parse this file and use it as
> input to the values, I can use it as input to the rc.firewall.
>
> I did as much research as I could on dhclient and there did not appear to be
> a query form of the command to return the network, ip, or subnet mask.
> These are the precise values I need for the rc.firewall.
>
> It looks like the values in dhclient.leases are encapsulated in brackets {}
> and the modifier "lease".
>
> As you might guess, I am not a big shell script aficionado. Any ideas?

The port of ddup (a client for updating DNS data at http://www.DynDNS.org/)
uses a variation of this to pluck the IP address off the interface:

    /sbin/ifconfig fxp0 | grep ask | awk '{print $2}'

Thought "ask" was sorta funny, but it's looking for the line containing
"netmASK". So in /etc/rc.firewall you could:

    nic="fxp0"
    ip=$(/sbin/ifconfig $nic | grep ask | awk '{print $2}')

Then all you have to do is "sh /etc/rc.firewall" whenever dhclient changes
your IP address. To trap for changes by dhclient I think the following will
work (untried) if placed in /etc/dhclient-exit-hooks. Not sure if the file
needs to be chmod +x'ed. Shouldn't hurt if you keep it rwx'able by root
only. I *think* this will work but haven't placed it in production on my own
machine. Yet. Remove the two "echo"s I've used to disarm commands for
debugging. Comment out the ddup line if you are not using it.

    #!/bin/sh
    case ${reason} in
        # these look to be the only 3 we have to test for:
        BOUND|REBIND|RENEW)
            # May or may not be a new address.
            # Some have $old_ip_address in the working variables
            # use :-number to force behavior if variables are missing
            if [ "${old_ip_address:-0}" != "${new_ip_address:-1}" ]
            then
                echo sh /etc/rc.firewall
                # don't bother DynDNS if nothing changed
                # if one is using DynDNS (replace host.domain.ext):
                echo /usr/local/sbin/ddup --host host.domain.ext
            fi
            ;;
    esac

--
David Kelly N4HHE, dkelly@hiwaay.net
=====================================================================
The human mind ordinarily operates at only ten percent of its capacity
-- the rest is overhead for the operating system.
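An added example, not David's script or the ddup port: the same reload-on-change decision as the dhclient-exit-hooks above, expressed as functions, plus a sturdier way to pull the address and netmask off an ifconfig line than `grep ask`, and the network number Mike was after. The ifconfig output is constructed with hypothetical 192.0.2.x addresses, and the function names are my own; the hook variables $reason, $old_ip_address and $new_ip_address are passed in as positional arguments.

```shell
#!/bin/sh
# Constructed sample of FreeBSD ifconfig output (hypothetical addresses).
SAMPLE_IFCONFIG='fxp0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        inet 192.0.2.77 netmask 0xffffff00 broadcast 192.0.2.255
        ether 00:a0:c9:00:00:01'

# Print "<ip> <hexmask>" from the first "inet" line.  Matching on the first
# field cannot be fooled by an unrelated line that happens to contain "ask".
inet_fields() {
    printf '%s\n' "$1" | awk '$1 == "inet" { print $2, $4; exit }'
}

# FreeBSD prints the mask in hex (0xffffff00); turn it into 255.255.255.0.
hex_mask_to_dotted() {
    m=$(( $1 ))
    printf '%d.%d.%d.%d\n' $(( (m >> 24) & 255 )) $(( (m >> 16) & 255 )) \
        $(( (m >> 8) & 255 )) $(( m & 255 ))
}

# AND the address and dotted mask octet by octet to get the network number.
network_of() {
    oldifs=$IFS; IFS=.
    set -- $1 $2
    IFS=$oldifs
    printf '%d.%d.%d.%d\n' $(( $1 & $5 )) $(( $2 & $6 )) $(( $3 & $7 )) $(( $4 & $8 ))
}

# The hook's test as a function: $1=reason $2=old_ip_address $3=new_ip_address.
# Reload only when dhclient bound or renewed AND the address really changed;
# missing variables default to unequal values (0 vs 1), so a first BOUND with
# no old address still reloads.
firewall_action() {
    case $1 in
        BOUND|REBIND|RENEW)
            if [ "${2:-0}" != "${3:-1}" ]; then echo reload; else echo skip; fi ;;
        *) echo skip ;;
    esac
}

# Walk the sample through, as rc.firewall could with real ifconfig output.
set -- $(inet_fields "$SAMPLE_IFCONFIG")
ip=$1; mask=$(hex_mask_to_dotted "$2"); net=$(network_of "$ip" "$mask")
echo "ip=$ip mask=$mask net=$net"
echo "RENEW, same address: $(firewall_action RENEW "$ip" "$ip")"
echo "BOUND, first lease:  $(firewall_action BOUND '' "$ip")"
```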