Date:      Wed, 22 May 2002 17:28:37 -0700
From:      "Crist J. Clark" <crist.clark@attbi.com>
To:        John Angelmo <john@veidit.net>
Cc:        net@FreeBSD.ORG
Subject:   Re: "dynamic" ipfw
Message-ID:  <20020522172837.A8894@blossom.cjclark.org>
In-Reply-To: <3CE934D8.9010302@veidit.net>; from john@veidit.net on Mon, May 20, 2002 at 07:39:36PM +0200
References:  <3CE934D8.9010302@veidit.net>

On Mon, May 20, 2002 at 07:39:36PM +0200, John Angelmo wrote:
> Hello
> 
> I have a small problem with IPFW
> 
> How can I handle adding and removing rules based on IP/MAC per user?

Per user? You mean with 'uid' options?

> I can add a rule for a specific IP/MAC without the need to flush but can 
> I remove it in the same way?

It kind of sounds like you want to use 'keep-state' rules? But I'm
confused about the "user" stuff.

> now let's say I have a user that only needs access to its mailserver 
> mail.user.com with pop3 and smtp
> then the rule for pop3 would be something like
> add allow ip from mail.user.com 110 to IP/HOST (MAC doesn't work here right?)

Well, support for MAC addresses in ipfw(8) only exists in -CURRENT
right now. But I think you want,

  add pass tcp from me to mail.user.com 25,110 keep-state

Which will pass the return traffic.

> Now mail.user.com uses round-robin so the IP changes from request to 
> request but doesn't the IPFW resolve the IP when it's added to the rules, 
> how can this be solved for the user?

You can load all of the IP addresses at start-up? There really is no
way to deal with this within ipfw(8) itself. Rules for hostnames whose
IP address changes are not a problem that can really be efficiently
solved in a general way.
-- 
Crist J. Clark                     |     cjclark@alum.mit.edu
                                   |     cjclark@jhu.edu
http://people.freebsd.org/~cjc/    |     cjc@freebsd.org
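As an added example, not code from the thread: a small sh script that emits the stateful ipfw(8) rules Crist describes (check-state plus one keep-state rule per mail-server address) and, following his suggestion, resolves every A record of the round-robin hostname when the rules are loaded. Rule numbers and the dns_a_records helper are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread). ipfw stores only the addresses a
# hostname resolves to at the moment a rule is added, so a round-robin
# host must be expanded to all of its A records up front, and the script
# re-run whenever those records change.

# Resolve a hostname to its A records, one per line, using host(1).
# Kept separate so the rule builder can be fed a fixed list offline.
dns_a_records() {
    host -t A "$1" 2>/dev/null | awk '/has address/ { print $NF }'
}

# Print the ipfw commands for one mail host.
#   $1 = hostname (used only in messages)
#   $2 = comma-separated TCP ports, e.g. 25,110
#   $3 = whitespace/newline-separated list of already-resolved addresses
# Pipe the output into sh to apply it. Returns 1 if no addresses were given,
# so a failed lookup never silently produces an empty (i.e. blocking) set.
mail_rules() {
    host="$1"; ports="$2"; addrs="$3"
    [ -n "$addrs" ] || { echo "no addresses for $host" >&2; return 1; }
    # Packets belonging to an existing dynamic rule are matched first.
    echo "ipfw -q add 100 check-state"
    # The outbound SYN to each address creates the dynamic rule; the
    # mail server's replies are then accepted by check-state above.
    n=200
    for a in $addrs; do
        echo "ipfw -q add $n pass tcp from me to $a $ports keep-state"
        n=$((n + 1))
    done
}

# Typical use at boot (assumed hostname):
#   mail_rules mail.user.com 25,110 "$(dns_a_records mail.user.com)" | sh
```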
