From owner-freebsd-questions  Fri Dec 28  8:19:46 2001
Delivered-To: freebsd-questions@freebsd.org
Received: from mail.mango-bay.com (mail.mango-bay.com [208.206.15.12])
	by hub.freebsd.org (Postfix) with ESMTP id 283EB37B425
	for ; Fri, 28 Dec 2001 08:19:42 -0800 (PST)
Received: from barbish ([63.70.155.113]) by mail.mango-bay.com
	(Post.Office MTA v3.5.3 release 223 ID# 0-52377U2500L250S0V35)
	with SMTP id com; Fri, 28 Dec 2001 11:21:56 -0500
From: "Joe & Fhe Barbish"
To: "Simon 'corecode' Schubert"
Cc: "FBSD Questions"
Subject: RE: IPFW rc.firewall
Date: Fri, 28 Dec 2001 11:19:38 -0500
Message-ID:
MIME-Version: 1.0
Content-Type: text/plain; charset="Windows-1252"
Content-Transfer-Encoding: 7bit
X-Priority: 3 (Normal)
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook IMO, Build 9.0.2416 (9.0.2911.0)
In-Reply-To: <20011228120842.0f3205df.corecode@corecode.ath.cx>
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2600.0000
Importance: Normal
Sender: owner-freebsd-questions@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.ORG

I reviewed your tutorial. I see that it's a copy of the rc.firewall file
with the symbolic variables for the "simple" network filled in for your
environment. You have the second statement under the comment "# Stop
spoofing" commented out because in a user ppp dialout to the ISP you are
getting dynamic IPs, and this rule needs ${onet} & ${omask} to be a static
IP value, which you don't have because it always changes each time you
dial your ISP.

    # Stop spoofing
    ${fwcmd} add deny all from ${inet}:${imask} to any in via ${oif}
    # ${fwcmd} add deny all from ${onet}:${omask} to any in via ${iif}

I am in this same situation. I think there is a way to get the info
needed for ${onet} & ${omask}. The rc.conf file controls the startup
sequence of FBSD functions.
If user ppp statements come before the IPFW statements in rc.conf then
FBSD will know the dynamic IP address before IPFW starts. As you can see,
the rc.firewall script can access system symbolic variables, as shown by

    case ${natd_enable} in
    [Yy][Ee][Ss])
        if [ -n "${natd_interface}" ]; then

Here natd_enable and natd_interface are system symbolic variables. There
are also system symbolic variables for the ${onet} & ${omask} values
resulting from user ppp dialin to the ISP. I need help determining what
these system symbolic variables' names are. Once we know their names, all
we have to do is substitute their names for ${onet} & ${omask} and we
have complete spoofing protection that correctly changes every time we
dial out to the ISP.

Can you help me in this?

Thanks
Joe

-----Original Message-----
From: owner-freebsd-questions@FreeBSD.ORG
[mailto:owner-freebsd-questions@FreeBSD.ORG]On Behalf Of Simon 'corecode' Schubert
Sent: Friday, December 28, 2001 6:09 AM
To: Joe & Fhe Barbish
Cc: questions@FreeBSD.ORG
Subject: Re: IPFW rc.firewall

On Thu, 27 Dec 2001 19:50:46 -0500
"Joe & Fhe Barbish" wrote:

> In rc.firewall one can configure the simple type of firewall rule set.
> It requests you to enter your settings for
> "your outside network, mask, ip". This looks like it wants a public
> static ip address from ISP. I logon to my ISP using user ppp and get
> a dynamic IP address that is different every time.
>
> What value am I to enter in these fields so it knows its dynamic ip
> address?
>

you can look at my custom firewall set at
http://corecode.ath.cx/tutorials/

cheerz
corecode

--
/"\   http://corecode.ath.cx/
\ / \ ASCII Ribbon Campaign
/ \   Against HTML Mail and News

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-questions" in the body of the message
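Editor's note, added to this archived thread and not part of either poster's
message: instead of waiting on an rc.conf variable that carries the dialup
address, the ${onet}/${omask} pair for the commented-out "# Stop spoofing" rule
can be computed from the live address of the ppp interface at the moment the
rule is loaded. The sh script below does that. It is the editor's own example,
not code from rc.firewall or from corecode's tutorial; the interface text it
parses is constructed sample output in the style of ifconfig(8) (192.0.2.x are
documentation addresses), and every function name in it (parse_inet,
net_and_mask, spoof_rule) is the example's own. It assumes user ppp has already
brought tun0 up when it runs, which is the ordering Joe is asking about.

```shell
#!/bin/sh
# Added example (editor's, not from the thread): derive ${onet}/${omask} for
# the rc.firewall "# Stop spoofing" rule from the ppp interface's current
# address, so the rule follows the dynamic IP instead of needing a static one.
# Assumes user ppp has already assigned the address when this runs.

# Constructed ifconfig(8)-style output for a user-ppp tun0 link (sample data).
# Point-to-point links normally carry a host mask (0xffffffff), so the
# "outside network" collapses to the single dynamic address.
SAMPLE_PTP='tun0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 1500
        inet 192.0.2.45 --> 192.0.2.1 netmask 0xffffffff'

# Constructed output for a broadcast interface, to show the masking step.
SAMPLE_LAN='ed0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        inet 192.0.2.45 netmask 0xffffff00 broadcast 192.0.2.255'

# Print "address hexmask" taken from the first "inet" line on stdin.
parse_inet() {
    awk '$1 == "inet" {
             for (i = 3; i <= NF; i++) if ($i == "netmask") m = $(i + 1)
             print $2, m; exit
         }'
}

# Dotted quad -> 32-bit integer (shell arithmetic is at least 32-bit wide).
ip_to_int() {
    old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# 32-bit integer -> dotted quad.
int_to_ip() {
    echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

# "address hexmask" -> "network dottedmask", the form rc.firewall's
# ${onet}:${omask} takes.  $(( )) accepts the 0x... mask ifconfig prints.
net_and_mask() {
    mask=$(( $2 ))
    net=$(( $(ip_to_int "$1") & mask ))
    echo "$(int_to_ip "$net") $(int_to_ip "$mask")"
}

# Build the inbound anti-spoof rule for the outside net: drop packets that
# claim our outside address as source but arrive on the inside interface.
# $1 = ifconfig text for the outside interface, $2 = inside interface ($iif).
spoof_rule() {
    iif=$2
    set -- $(printf '%s\n' "$1" | parse_inet)   # $1 = address, $2 = hexmask
    set -- $(net_and_mask "$1" "$2")            # $1 = onet,    $2 = omask
    echo "add deny all from $1:$2 to any in via $iif"
}

# Stand-alone run: print the rule for both samples.  On a real host replace
# the sample text with the output of `ifconfig tun0` and hand the printed
# rule to ${fwcmd} (ipfw).
spoof_rule "$SAMPLE_PTP" ed0
spoof_rule "$SAMPLE_LAN" ed0
```

Two practical caveats. Because ipfw rules loaded at boot are not re-evaluated
when ppp later redials and gets a new address, a rule built this way has to be
refreshed each time the link comes up; user ppp's link-up hook
(/etc/ppp/ppp.linkup) is the natural place to delete the old rule and add the
recomputed one. And with the usual host mask on a point-to-point link the rule
only covers the single outside address, which is exactly the source address an
attacker on the inside would forge to impersonate the gateway.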