Date: Wed, 22 May 2002 17:28:37 -0700
From: "Crist J. Clark"
To: John Angelmo
Cc: net@FreeBSD.ORG
Subject: Re: "dynamic" ipfw
Message-ID: <20020522172837.A8894@blossom.cjclark.org>
Reply-To: "Crist J. Clark"
References: <3CE934D8.9010302@veidit.net>
In-Reply-To: <3CE934D8.9010302@veidit.net>; from john@veidit.net on Mon, May 20, 2002 at 07:39:36PM +0200
X-URL: http://people.freebsd.org/~cjc/

On Mon, May 20, 2002 at 07:39:36PM +0200, John Angelmo wrote:
> Hello
>
> I have a small problem with IPFW
>
> How can I handle adding and removing rules based on IP/MAC per user?

Per user? You mean with 'uid' options?

> I can add a rule for a specific IP/MAC without the need to flush but can
> I remove it in the same way?

It kind of sounds like you want to use 'keep-state' rules? But I'm
confused about the "user" stuff.
> now let's say I have a user that only needs access to its mailserver
> mail.user.com with pop3 and smtp
> then the rule for pop3 would be something like
> add allow ip from mail.user.com 110 to IP/HOST (MAC doesn't work here, right?)

Well, support for MAC addresses in ipfw(8) only exists in -CURRENT right
now. But I think you want,

  add pass tcp from me to mail.user.com 25,110 keep-state

Which will pass the return traffic.

> Now mail.user.com uses round robin so the IP changes from request to
> request but doesn't the IPFW resolve the IP when it's added to the rules,
> how can this be solved for the user?

You can load all of the IP addresses at start-up? There really is no way
to deal with this within ipfw(8) itself. Rules for hostnames whose IP
address changes are not a problem that can really be efficiently solved
in a general way.
--
Crist J. Clark                     |     cjclark@alum.mit.edu
                                   |     cjclark@jhu.edu
http://people.freebsd.org/~cjc/    |     cjc@freebsd.org
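One way to do what the reply suggests, loading every address of a round-robin host at start-up, as an added example that is not part of the thread: ipfw lets several rules share one rule number and `ipfw delete N` removes all of them, so a refresh is one delete followed by one `keep-state` add per resolved address. The `host_rules`, `resolve_a` and `refresh_host` names, the use of host(1) for resolution and the `IPFW_DRYRUN` switch are this example's own assumptions.

```shell
#!/bin/sh
# Print the ipfw commands that replace rule number $1 with one
# keep-state rule per address. Args: rule number, port list, addresses.
# Refuses to emit the delete when no address was supplied, so a failed
# lookup never leaves the host with no rule at all.
host_rules() {
    num=$1; ports=$2; shift 2
    [ $# -gt 0 ] || { echo "host_rules: no addresses for rule $num" >&2; return 1; }
    printf 'delete %s\n' "$num"
    for addr in "$@"; do
        printf 'add %s allow tcp from me to %s %s keep-state\n' "$num" "$addr" "$ports"
    done
}

# Resolve every A record of a hostname (assumes host(1) is installed);
# a round-robin name returns one line per address.
resolve_a() {
    host -t A "$1" | awk '/has address/ { print $NF }'
}

# Rebuild the rules for one host, e.g. refresh_host 1000 mail.user.com 25,110
# Run from cron to pick up address changes. With IPFW_DRYRUN set the
# commands are printed instead of being loaded.
refresh_host() {
    num=$1; name=$2; ports=$3
    addrs=$(resolve_a "$name") || return 1
    # word-splitting on $addrs is intended: one argument per address
    rules=$(host_rules "$num" "$ports" $addrs) || return 1
    if [ -n "${IPFW_DRYRUN:-}" ]; then
        printf '%s\n' "$rules"
    else
        tmp=$(mktemp) || return 1
        printf '%s\n' "$rules" > "$tmp"
        ipfw -q "$tmp"; rc=$?     # ipfw reads one command per line from a file
        rm -f "$tmp"
        return $rc
    fi
}
```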