Date: Sun, 15 Oct 2000 13:09:32 -0600
From: Wes Peters <wes@softweyr.com>
To: Rolf Edwards <redwards@meccamediagroup.com>
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: Dynamic rc.firewall
Message-ID: <39EA00EC.3EEE088D@softweyr.com>
References: <5.0.0.25.2.20001013032255.00a8ee40@127.0.0.1>
Rolf Edwards wrote:
>
> How can I have rc.firewall automatically pull in ip, netmask and network
> numbers from the currently configured interfaces.
>
> Let's say I was to supply 'xl0' and have it extract the information from
> ifconfig. I started a perl program, but I don't have enough documentation
> available at the moment to actually extract the data from what is returned.
>
> Has anyone tried this? I would assume that if one was using DHCP, they
> would want this type of feature?

I have just recently done this for ipfilter and ipnat, for static, dhcp, or
pppoe network configurations. Here's what you do:

1. Rename the configuration files that have to be edited to {config}.in.

2. Write a (sed?) script that will edit each of these into the proper
   {config} file, given shell variables that define what the various
   settings are. This script should source a dynamically-created file that
   contains the network settings.

3. When the network configuration changes -- including startup -- call the
   script you wrote above.

In our case, we use ipfilter and ipnat rules like:

    block in on @EXTERN_INTERFACE@ from @INTERN_NETWORK@/@INTERN_CIDR@ to any

We have two separate files, one for the internal and one for the external
interface, that look like:

/etc/extern.config:

    extern_interface=dc0
    extern_ipaddress=122.222.122.12
    extern_network=122.222.122.0
    extern_netmask=255.255.255.0
    extern_cidr=24

(We use a few simple little utility programs like networkof and mask2cidr to
generate some of these settings from ones we have, ipaddress and netmask.)

Our /etc/configure.network script edits all of the {config}.in files to
their corresponding {config} files and restarts any related network daemons,
reloads the ipfilter and ipnat rules, etc.

For DHCP, the dhclient-exit-hooks script creates the extern.config file and
then runs the configure.network script. For ppp, this happens in the ppp
linkup script (we use user-mode ppp to get pppoe support).
Configurations you may want to look at include:

  firewall/nat
  named - switch to forward-first mode if you get an upstream DNS server
  time services - sync clock to external time source. We use chrony for
    this, as it can switch back and forth between using an external time
    source and running standalone, and is simple to configure.

The hard part comes in making this configuration so you can switch back and
forth between different configuration types - static, dhcp, pppoe - without
breaking anything. Oh, and driving it all from a web interface, that takes a
bit of doing also. ;^)

-- 
"Where am I, and what am I doing in this handbasket?"
Wes Peters                                          Softweyr LLC
wes@softweyr.com                                    http://softweyr.com/
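The procedure Wes describes (a {config}.in template with @PLACEHOLDER@ tokens, a generated file of shell variables, and small helpers to derive network and prefix length from address and netmask) is compact enough to show end to end. The script below is an added example, not code from the post or from Softweyr; the file names ipf.conf.in, extern.config and intern.config, the helper names and the sample addresses are assumptions chosen to match the post's conventions, and the rendered rules are constructed for illustration. It also adds one check a practitioner would want before loading a generated rule set: rendering fails if any @...@ placeholder is left unresolved, since a rule such as "block in on  from ..." with an empty interface is a configuration error rather than the rule you meant.

```shell
#!/bin/sh
# Added example (not from the original post). Renders ipf.conf.in into
# ipf.conf from shell-variable config files, as the post outlines.

# mask2cidr: dotted-quad netmask -> prefix length. Rejects masks whose
# set bits are not contiguous (e.g. 255.0.255.0), which would otherwise
# silently yield a wrong prefix.
mask2cidr() {
    bits=0 tail=0
    oldifs=$IFS; IFS=.
    set -- $1                      # split the mask on '.' into $1..$4
    IFS=$oldifs
    [ $# -eq 4 ] || { echo "mask2cidr: bad netmask" >&2; return 1; }
    for octet in "$@"; do
        if [ "$tail" -eq 1 ] && [ "$octet" != 0 ]; then
            echo "mask2cidr: non-contiguous netmask" >&2; return 1
        fi
        case $octet in
            255) bits=$((bits + 8)) ;;
            254) bits=$((bits + 7)); tail=1 ;;
            252) bits=$((bits + 6)); tail=1 ;;
            248) bits=$((bits + 5)); tail=1 ;;
            240) bits=$((bits + 4)); tail=1 ;;
            224) bits=$((bits + 3)); tail=1 ;;
            192) bits=$((bits + 2)); tail=1 ;;
            128) bits=$((bits + 1)); tail=1 ;;
            0)   tail=1 ;;
            *)   echo "mask2cidr: bad octet $octet" >&2; return 1 ;;
        esac
    done
    echo "$bits"
}

# networkof: address and netmask -> network address (bitwise AND per octet).
networkof() {
    oldifs=$IFS; IFS=.
    set -- $1 $2                   # $1..$4 = address, $5..$8 = mask
    IFS=$oldifs
    [ $# -eq 8 ] || { echo "networkof: bad address or netmask" >&2; return 1; }
    echo "$(($1 & $5)).$(($2 & $6)).$(($3 & $7)).$(($4 & $8))"
}

# make_config PREFIX IFACE ADDR MASK OUTFILE: write the extern.config-style
# variable file the post shows, deriving network and cidr from addr/mask.
make_config() {
    net=$(networkof "$3" "$4") || return 1
    cidr=$(mask2cidr "$4") || return 1
    printf '%s_interface=%s\n%s_ipaddress=%s\n%s_network=%s\n%s_netmask=%s\n%s_cidr=%s\n' \
        "$1" "$2" "$1" "$3" "$1" "$net" "$1" "$4" "$1" "$cidr" > "$5"
}

# render_template TEMPLATE CONFIG...: every name=value line in the config
# files becomes a sed substitution of @NAME@ (upper-cased). Values are
# assumed to contain no '|' (the sed delimiter). Fails if a placeholder
# survives, so an incomplete config never produces a half-rendered rule set.
render_template() {
    tmpl=$1; shift
    sedscript=$(mktemp) || return 1
    for cfg in "$@"; do
        while IFS='=' read -r name value; do
            case $name in ''|'#'*) continue ;; esac
            key=$(printf '%s' "$name" | tr '[:lower:]' '[:upper:]')
            printf 's|@%s@|%s|g\n' "$key" "$value" >> "$sedscript"
        done < "$cfg"
    done
    out=$(sed -f "$sedscript" "$tmpl")
    rm -f "$sedscript"
    if printf '%s\n' "$out" | grep -q '@[A-Z_][A-Z_]*@'; then
        echo "render_template: unresolved placeholder in $tmpl" >&2
        return 1
    fi
    printf '%s\n' "$out"
}

# demo: constructed configs and template, rendered into a rule set.
demo() {
    work=$(mktemp -d) || return 1
    make_config extern dc0  122.222.122.12 255.255.255.0 "$work/extern.config"
    make_config intern fxp0 192.168.1.1    255.255.255.0 "$work/intern.config"
    cat > "$work/ipf.conf.in" <<'EOF'
block in on @EXTERN_INTERFACE@ from @INTERN_NETWORK@/@INTERN_CIDR@ to any
pass out on @EXTERN_INTERFACE@ from @EXTERN_IPADDRESS@ to any keep state
EOF
    render_template "$work/ipf.conf.in" "$work/extern.config" "$work/intern.config"
    status=$?
    rm -rf "$work"
    return $status
}
```

Run it with `demo` to see the two rendered rules; the first comes out as `block in on dc0 from 192.168.1.0/24 to any`. In the DHCP case the post describes, the hook that dhclient runs after obtaining a lease would call make_config with the leased address and netmask and then the rendering step, and only on a zero exit status reload the rules; keeping the old rule set in place when rendering fails is the safer default.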