From: David Kelly (dkelly@grumpy.dyndns.org)
To: "Mike Gruver"
Cc: freebsd-questions@FreeBSD.ORG, brownicm@prokyon.com
Subject: Re: How to use simple firewall with DHCP?
Date: Tue, 12 Dec 2000 21:33:27 -0600
Message-Id: <200012130333.eBD3Xm402910@grumpy.dyndns.org>
In-reply-to: Message from "Mike Gruver" of "Tue, 12 Dec 2000 20:57:57 EST." <001301c064a8$1eb2ede0$0200a8c0@digitalavalanche.com>

"Mike Gruver" writes:
> Thanks for responding to my question. Sorry about the html encoding. I
> just upgraded my email client and it changed my defaults. Got it fixed.
>
> Thank you for the information about the /var/db/dhclient.leases. I think
> that is the key. Now, if anyone knows how to parse this file and use it as
> input to the values, I can use it as input to the rc.firewall.
>
> I did as much research as I could on dhclient and there did not appear to be
> a query form of the command to return the network, ip, or subnet mask.
> These are the precise values I need for the rc.firewall.
>
> It looks like the values in dhclient.leases are encapsulated in brackets {}
> and the modifier "lease".
>
> As you might guess, I am not a big shell script aficionado. Any ideas?
The port of ddup (a client for updating DNS data at http://www.DynDNS.org/)
uses a variation of this to pluck the IP address off the interface:

    /sbin/ifconfig fxp0 | grep ask | awk '{print $2}'

Thought "ask" was sorta funny, but it's looking for the line containing
"netmASK". So in /etc/rc.firewall you could:

    nic="fxp0"
    ip=$(/sbin/ifconfig $nic | grep ask | awk '{print $2}')

Then all you have to do is "sh /etc/rc.firewall" whenever dhclient
changes your IP address.

To trap for changes by dhclient I think the following will work (untried)
if placed in /etc/dhclient-exit-hooks. Not sure if the file needs to be
chmod +x'ed. Shouldn't hurt if you keep it rwx'able by root only. I
*think* this will work but haven't placed it in production on my own
machine. Yet. Remove the two "echo"'s I've used to disarm commands for
debugging. Comment out the ddup line if you are not using it.

    #!/bin/sh
    # dhclient-script sets $reason, $old_ip_address and $new_ip_address
    # before it sources this file.
    case ${reason} in
    # these look to be the only 3 we have to test for:
    BOUND|REBIND|RENEW)
        # May or may not be a new address.
        # Some have $old_ip_address in the working variables;
        # use :-number to force behavior if variables are missing
        if [ "${old_ip_address:-0}" != "${new_ip_address:-1}" ]
        then
            echo sh /etc/rc.firewall
            # don't bother DynDNS if nothing changed
            # if one is using DynDNS (replace host.domain.ext):
            echo /usr/local/sbin/ddup --host host.domain.ext
        fi
        ;;
    esac

--
David Kelly N4HHE, dkelly@hiwaay.net
=====================================================================
The human mind ordinarily operates at only ten percent of its capacity
-- the rest is overhead for the operating system.
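An added worked example, not code from David's post or from the ddup port, covering both halves of the thread: Mike's question of how to parse the "lease { ... }" blocks in dhclient.leases into the ip, netmask and network that rc.firewall wants, and David's ifconfig trick and exit-hook. Two points a practitioner would want on top of the post: read the "inet" field directly instead of any line containing "ask" (an interface carrying address aliases prints several netmask lines, so the grep yields several addresses), and treat every value in the lease file or in $new_ip_address as input from the DHCP server, i.e. from the network, so validate it as a dotted quad before it goes into an ipfw or ddup command line that runs as root. The interface name fxp0, the lease file contents and the ifconfig output below are constructed sample data; the script is POSIX sh plus awk, no bashisms.

```shell
#!/bin/sh
# Added example (not from the original post).  Pulls ip, netmask and
# network/prefix out of dhclient.leases or ifconfig output for rc.firewall.
# fxp0 and all sample data below are CONSTRUCTED assumptions.

# CONSTRUCTED /var/db/dhclient.leases: dhclient appends each new lease,
# so the last "lease { ... }" block is the one currently in force.
SAMPLE_LEASES='lease {
  interface "fxp0";
  fixed-address 24.214.56.10;
  option subnet-mask 255.255.255.0;
  renew 2 2000/12/12 20:00:00;
}
lease {
  interface "fxp0";
  fixed-address 24.214.56.157;
  option subnet-mask 255.255.254.0;
  option routers 24.214.56.1;
  renew 3 2000/12/13 03:33:00;
}'

# CONSTRUCTED ifconfig(8) output for one interface; FreeBSD prints the
# mask in hex, and "netmask" is the word the post's "grep ask" matches.
SAMPLE_IFCONFIG='fxp0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        inet 24.214.56.157 netmask 0xfffffe00 broadcast 24.214.57.255
        ether 00:a0:c9:12:34:56'

# Accept only a dotted quad with every octet in 0..255.  Lease values and
# the $new_ip_address the hook sees come from the DHCP server, so check
# them before splicing them into a command line that runs as root.
is_ipv4() {
    echo "$1" | awk -F. 'NF == 4 { for (i = 1; i <= 4; i++) { if ($i !~ /^[0-9]+$/ || $i > 255) exit 1 }; exit 0 }
                         { exit 1 }'
}

# Value of KEY ("fixed-address", "option subnet-mask", ...) from the LAST
# lease block on stdin, with the trailing ";" removed.
lease_field() {
    awk -v key="$1" '
        { line = $0; sub(/^[ \t]+/, "", line) }
        index(line, key " ") == 1 { val = substr(line, length(key) + 2); sub(/;.*/, "", val); last = val }
        END { print last }'
}

# ifconfig output -> "ip hexmask", taken from the first "inet" line itself
# rather than from any line that happens to contain "ask".
ifconfig_addr() {
    echo "$1" | awk '$1 == "inet" { print $2, $4; exit }'
}

# 0xfffffe00 -> 255.255.254.0 (POSIX awk has no hex conversion built in).
hexmask_to_dotted() {
    echo "$1" | awk '{
        h = tolower($1); sub(/^0x/, "", h); d = "0123456789abcdef"
        for (i = 1; i <= 4; i++) {
            o = 0
            for (j = 1; j <= 2; j++) o = o * 16 + index(d, substr(h, (i - 1) * 2 + j, 1)) - 1
            n[i] = o }
        print n[1] "." n[2] "." n[3] "." n[4] }'
}

# ip + dotted mask -> "network/prefix", ANDed bit by bit (no and() in POSIX awk).
network_of() {
    echo "$1 $2" | awk '{
        split($1, a, "."); split($2, m, "."); bits = 0
        for (i = 1; i <= 4; i++) {
            x = a[i] + 0; y = m[i] + 0; r = 0
            for (b = 128; b >= 1; b /= 2) {
                xb = (x >= b); if (xb) x -= b
                yb = (y >= b); if (yb) y -= b
                if (xb && yb) r += b
                bits += yb }
            n[i] = r }
        printf "%d.%d.%d.%d/%d\n", n[1], n[2], n[3], n[4], bits }'
}

# The decision the exit hook should make: reload only on a bound lease whose
# address really changed and is well formed.  REBOOT (dhclient reusing its
# old lease after a restart) is a reason the post did not list.
needs_reload() {   # $1=$reason  $2=$old_ip_address  $3=$new_ip_address
    case "$1" in
        BOUND|REBIND|RENEW|REBOOT) ;;
        *) return 1 ;;
    esac
    is_ipv4 "$3" || return 1
    [ "${2:-none}" != "$3" ]
}

# Everything rc.firewall wants, from lease-file text on stdin:
# prints "ip mask network/prefix", fails if either value is not an address.
firewall_vars() {
    leases=$(cat)
    ip=$(echo "$leases" | lease_field fixed-address)
    mask=$(echo "$leases" | lease_field "option subnet-mask")
    is_ipv4 "$ip" && is_ipv4 "$mask" || return 1
    echo "$ip $mask $(network_of "$ip" "$mask")"
}

echo "$SAMPLE_LEASES" | firewall_vars
set -- $(ifconfig_addr "$SAMPLE_IFCONFIG")
echo "$1 $(hexmask_to_dotted "$2")"
```

On a real box the sample text would be replaced by `firewall_vars < /var/db/dhclient.leases` or `ifconfig_addr "$(/sbin/ifconfig fxp0)"`, and the exit hook would call `needs_reload "$reason" "$old_ip_address" "$new_ip_address" && sh /etc/rc.firewall`, which keeps the echo-disarmed commands from the post from ever seeing a value that did not pass is_ipv4.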