Subject: Re: Using pf.conf with public access points.
Date: Mon, 10 Mar 2014 16:41:56 -0400
In-Reply-To: <71CCF277-8BF7-4C3B-9F9E-2095EA4CC060@dataix.net>
References: <20140309231829.GG32089@funkthat.com> <9C40270E-18E0-4993-B7C5-BD8B5A24C95D@dataix.net> <71CCF277-8BF7-4C3B-9F9E-2095EA4CC060@dataix.net>
From: Joe Nosay
To: Jason Hellenthal
Cc: Ermal Luçi, freebsd-net@freebsd.org, John-Mark Gurney
List-Id: Networking and TCP/IP with FreeBSD

On Mon, Mar 10, 2014 at 2:56 PM, Jason Hellenthal wrote:

> I nearly forgot all about that feature, thank you for the reminder.
>
> --
> Jason Hellenthal
> Voice: 95.30.17.6/616
> JJH48-ARIN
>
> On Mar 10, 2014, at 10:20, Ermal Luçi wrote:
>
> Usually pf(4) does support having dynamic IPs inside its ruleset.
> For example just putting the interface name as address or putting $iface:0
> for first address etc...
>
> Take a look at the man page of pf.conf and search for the string 'Interface
> names and interface group names can'
>
> On Sun, Mar 9, 2014 at 11:27 PM, Jason Hellenthal wrote:
>
>> You'll want to not use up addresses in your pf.conf
>>
>> Block on default and then open up by definition of ports instead. Forget
>> the whole IPAddr thing and treat this as a roaming client firewall.
>>
>> --
>> Jason Hellenthal
>> Voice: 95.30.17.6/616
>> JJH48-ARIN
>>
>> > On Mar 9, 2014, at 19:18, John-Mark Gurney wrote:
>> >
>> > Joe Nosay wrote this message on Sun, Mar 09, 2014 at 15:36 -0400:
>> >> 2. How do I compensate for the use of public access points when the IP
>> >> addresses will always be different?
>> >
>> > it doesn't appear that pf has this ability, but it looks like ipfw
>> > has this, from ipfw(8):
>> >
>> >     me    matches any IP address configured on an interface in the
>> >           system.
>> >
>> > So, maybe switching to ipfw might be an option..
>> >
>> > --
>> > John-Mark Gurney              Voice: +1 415 225 5579
>> >
>> >      "All that I will do, has been done, All that I have, has not."
>
> --
> Ermal

Has anyone thought about putting themselves in an environment similar to mine - not everything - when it comes to networking? You would have to set everything up with the following parameters:

1. Because you are at more than one place, you cannot set up wlanX or the wlandev in rc.conf. They must always be created after booting and logging in.
2. Dhclient cannot be automatic because a public access area may have more than one available BSSID for connecting.
3. Since each public access point will have different firewalls, streaming and web services may not be able to be run.
4. A script would probably work better than static settings in this case.
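The approach the thread converges on is a roaming-client firewall: block by default, open outbound traffic by port only, and let pf follow the interface's address with the `($ext_if)` syntax from pf.conf(5) instead of ever writing an IP address into the ruleset, with the wlan creation and dhclient run done from a script after login rather than from rc.conf (items 1, 2 and 4 above). The script below is an added example of that, not code from the original thread or from the FreeBSD project. The physical device name (iwn0), the interface name (wlan0), the chosen port list and the assumption that the access point is open (no WPA) are all assumptions of the example.

```shell
#!/bin/sh
# roamfw.sh: bring a wireless interface up by hand and load a pf ruleset that
# never names a local IP address. Added example, not from the original thread.
# Assumptions (not from the thread): the physical NIC name is given on the
# command line, the access point is open (no WPA), and pfctl/dhclient are the
# FreeBSD base tools. Must run as root to actually bring an interface up.

# Emit a pf.conf ruleset for the given interface on stdout.
# Block everything by default and open outbound services by port only. The
# parentheses in "($ext_if)" tell pf to track the interface's address as it
# changes (pf.conf(5), "Interface names and interface group names can ..."),
# so the rules stay valid after every new DHCP lease without a reload.
pf_rules() {
    if_name="$1"
    cat <<EOF
ext_if = "$if_name"

set skip on lo0
set block-policy drop

# Default deny in both directions; log what gets blocked coming in.
block in log all
block out all

# DHCP must work before the interface has an address and again at renewal,
# so it is the one outbound rule that is not tied to the interface address.
pass out quick on \$ext_if inet proto udp from any port 68 to any port 67 keep state

# Outbound client traffic, sourced only from whatever address the interface
# currently holds. Grow the ruleset by adding ports here, never addresses.
pass out on \$ext_if inet proto { tcp udp } from (\$ext_if) to any port { 53 80 443 } keep state
pass out on \$ext_if inet proto tcp from (\$ext_if) to any port 22 keep state
pass out on \$ext_if inet proto icmp from (\$ext_if) to any icmp-type echoreq keep state
EOF
}

# Create wlanX on top of the physical device, list what is in range, pick an
# SSID, load the ruleset and only then ask for a lease. Nothing here lives in
# rc.conf. "ifconfig wlanX bssid <mac>" can pin one of several BSSIDs that
# share an SSID if the scan shows more than one.
roam_up() {
    phy="$1"    # e.g. iwn0 (assumption: caller knows the driver name)
    wlan="$2"   # e.g. wlan0
    ssid="$3"
    ifconfig "$wlan" create wlandev "$phy"
    ifconfig "$wlan" up
    ifconfig "$wlan" list scan           # show available BSSIDs before choosing
    ifconfig "$wlan" ssid "$ssid"
    pf_rules "$wlan" | pfctl -f -        # rules are in place before any lease
    pfctl -e 2>/dev/null || true         # enable pf if it is not already enabled
    dhclient "$wlan"
}

# Usage: roamfw.sh up <phy> <wlan> <ssid>   |   roamfw.sh rules <wlan>
case "${1:-}" in
    up)    roam_up "$2" "$3" "$4" ;;
    rules) pf_rules "$2" ;;
esac
```

`roamfw.sh rules wlan0` prints the ruleset for review (or `pfctl -nf -` for a syntax check) without touching any interface; `roamfw.sh up iwn0 wlan0 "<ssid>"` does the whole sequence. Loading the rules before running dhclient means the default-deny policy is already active when the first lease arrives, which is the point of not depending on the address in the first place.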