From: David Wolfskill
Date: Fri, 13 Jun 2003 06:32:40 -0700 (PDT)
To: freebsd-current@freebsd.org, r.s.a.vandomburg@student.utwente.nl
Subject: Re: Support DHCP in rc.firewall by default?
Message-Id: <200306131332.h5DDWecM007374@bunrab.catwhisker.org>
In-Reply-To: <200306130918.h5D9Ifi19647@netlx014.civ.utwente.nl>
List-Id: Discussions about the use of FreeBSD-current

>From: "Roderick van Domburg"
>To:
>Date: Fri, 13 Jun 2003 11:18:45 +0200
>Subject: Support DHCP in rc.firewall by default?

>Right now, rc.firewall isn't set up to support DHCP configurations although
>it could easily be done so. More or less, depending on one's requirements.
>Googling comes up with many references, for
>example http://www.freebsddiary.org/firewall.php (section "ipfw with DHCP
>etc" at the bottom of the page).

>Are there any reasons against having rc.firewall contain such lines? I
>reckon it would even come in handy for statically configured users: they'd
>only need to specify their network interface(s) once.

Well, you might consider submitting a PR with a suggested patch. :-)

That said: a while back (around the time that the BayLISA meetings moved
to Apple's facility, where they have wireless Internet access available,
and the DHCP server provides routable IP addresses), I decided that
setting up my laptop to make use of ipfw would be A Good Thing.

The approach I used was to have a default configuration that blocked
everything but DHCP/BOOTP, then, in /etc/dhclient-exit-hooks, once I know
I have received a DHCP lease, invoke a script (with the newly-assigned IP
address as one of the arguments).

Note that I also had set up dhclient-exit-hooks to determine my hostname
(given the IP address) -- if it could, and to try to make use of an NTP
server.

Whether or not all of that comes very close to anyone else's perceived
requirements, I don't know -- but my guess is that it is fairly
idiosyncratic, at best.

Peace,
david
-- 
David H. Wolfskill				david@catwhisker.org
Based on what I have seen to date, the use of Microsoft products is not
consistent with reliability.  I recommend FreeBSD for reliable systems.
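
The following sketch is an added example and is not part of the original message or the author's script. It shows one way to wire the approach described above: a DHCP/BOOTP-only default ruleset, replaced from /etc/dhclient-exit-hooks once a lease arrives. The rule numbers, the post-lease policy (stateful outbound only), the function names and the IPFW dry-run variable are all assumptions.

```sh
#!/bin/sh
# Added example, not the author's script. Intended as /etc/dhclient-exit-hooks,
# which dhclient-script sources with $reason, $interface, $new_ip_address set.
# IPFW defaults to a dry run that prints commands; set IPFW=/sbin/ipfw to apply.
IPFW="${IPFW:-echo ipfw}"

# Default posture: loopback plus the DHCP/BOOTP exchange, everything else denied.
bootstrap_rules() {    # $1 = interface
    $IPFW -q -f flush
    $IPFW -q add 100 allow ip from any to any via lo0
    $IPFW -q add 200 allow udp from any 68 to any 67 out via "$1"
    $IPFW -q add 210 allow udp from any 67 to any 68 in via "$1"
    $IPFW -q add 65000 deny ip from any to any
}

# Post-lease posture (assumed policy): stateful outbound from the leased address.
lease_rules() {        # $1 = interface, $2 = leased address
    bootstrap_rules "$1"
    $IPFW -q add 300 check-state
    $IPFW -q add 310 allow tcp from "$2" to any out via "$1" setup keep-state
    $IPFW -q add 320 allow udp from "$2" to any out via "$1" keep-state
    $IPFW -q add 330 allow icmp from "$2" to any out via "$1" keep-state
}

# The address comes from the DHCP server, so validate it before it reaches ipfw.
valid_ipv4() {
    case "$1" in ''|*[!0-9.]*|.*|*.|*..*) return 1 ;; esac
    old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        [ "${#o}" -le 3 ] && [ "$o" -le 255 ] || return 1
    done
}

on_dhcp_event() {      # $1 = reason, $2 = interface, $3 = new addr, $4 = old addr
    case "$1" in       # same address renewed: keep rules and dynamic state
        RENEW|REBIND) if [ "$3" = "$4" ]; then return 0; fi ;;
    esac
    case "$1" in
        BOUND|RENEW|REBIND|REBOOT)
            if valid_ipv4 "$3"; then lease_rules "$2" "$3"
            else bootstrap_rules "$2"; fi ;;
        EXPIRE|FAIL|RELEASE|STOP|TIMEOUT)
            bootstrap_rules "$2" ;;       # lease gone: back to DHCP-only
    esac
}

on_dhcp_event "${reason:-}" "${interface:-}" "${new_ip_address:-}" "${old_ip_address:-}"
```

An address that fails validation leaves the host in the DHCP-only posture, so a malformed lease fails closed.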