Date:      Sun, 15 Oct 2000 13:09:32 -0600
From:      Wes Peters <wes@softweyr.com>
To:        Rolf Edwards <redwards@meccamediagroup.com>
Cc:        freebsd-security@FreeBSD.ORG
Subject:   Re: Dynamic rc.firewall
Message-ID:  <39EA00EC.3EEE088D@softweyr.com>
References:  <5.0.0.25.2.20001013032255.00a8ee40@127.0.0.1>

Rolf Edwards wrote:
> 
> How can I have rc.firewall automatically pull in ip, netmask and network
> numbers from the currently configured interfaces?
> 
> Let's say I was to supply 'xl0' and have it extract the information from
> ifconfig.  I started a perl program, but I don't have enough documentation
> available at the moment to actually extract the data from what is returned.
> 
> Has anyone tried this?  I would assume that if one was using DHCP, they
> would want this type of feature?

I have just recently done this for ipfilter and ipnat, for static, dhcp, or
pppoe network configurations.  Here's what you do:

Rename the configuration files that have to be edited to {config}.in.

Write a (sed?) script that will edit each of these into the proper {config}
file, given shell variables that define what the various settings are.  This
script should source a dynamically-created file that contains the network
settings.

When the network configuration changes -- including startup -- call the
script you wrote above.

In our case, we use ipfilter and ipnat rules like:

block in on @EXTERN_INTERFACE@ from @INTERN_NETWORK@/@INTERN_CIDR@ to any

We have two separate files, one for the internal and one for the external
interface, that look like:

/etc/extern.config:
extern_interface=dc0
extern_ipaddress=122.222.122.12
extern_network=122.222.122.0
extern_netmask=255.255.255.0
extern_cidr=24

(We use a few simple little utility programs like networkof and mask2cidr to
generate some of these settings from ones we have, ipaddress and netmask.)

Our /etc/configure.network script edits all of the {config}.in files to their
corresponding {config} files and re-starts any related network daemons, reloads
the ipfilter and ipnat rules, etc.

For DHCP, the dhclient-exit-hooks script creates the extern.config file and
then runs the configure.network script.  For ppp, this happens in the ppp
linkup script (we use user-mode ppp to get pppoe support).

Configurations you may want to look at include:

	firewall/nat

	named - switch to forward-first mode if you get an upstream DNS server

	time services - sync clock to external time source.  We use chrony for
	this, as it can switch back and forth between using an external time
	source and running standalone, and is simple to configure.

The hard part comes in making this configuration so you can switch back and
forth between different configuration types - static, dhcp, pppoe - without
breaking anything.  Oh, and driving it all from a web interface, that takes
a bit of doing also.  ;^)

-- 
            "Where am I, and what am I doing in this handbasket?"

Wes Peters                                                         Softweyr LLC
wes@softweyr.com                                           http://softweyr.com/
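The procedure Wes describes, as an added example that is not part of his message and not Softweyr's code: a POSIX sh rendering of a configure.network script that sources the generated extern.config, derives extern_network and extern_cidr (mask2cidr and networkof here are my own shell stand-ins for the helper programs he mentions), fills the @PLACEHOLDER@ tokens in a rules.in file with sed, and refuses to install a rules file that still contains a placeholder. The file names, the input validation, the second ipf rule and the use of a scratch directory are assumptions for the sake of a stand-alone run.

```shell
#!/bin/sh
# Added example, not code from the original message or from Softweyr.
# A cut-down configure.network in the style Wes describes: source the
# generated extern.config, derive the settings it does not carry, and
# sed the @PLACEHOLDER@ tokens in a rules.in file into the live rules
# file.  mask2cidr and networkof are my own shell stand-ins for the
# helper programs he mentions; every file name below is an assumption.

# Accept only a dotted quad of 0-255 octets.  The values in extern.config
# arrive from DHCP or ppp, i.e. from the network, so check them before
# they are spliced into a sed command or an ipf rule set.
valid_ipv4() {
    oldifs=$IFS; IFS=.; set -- $1; IFS=$oldifs
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        case "$o" in ''|*[!0-9]*) return 1 ;; esac
        [ "$o" -le 255 ] || return 1
    done
    return 0
}

# Dotted-quad netmask -> prefix length (255.255.255.0 -> 24).  Rejects
# non-contiguous masks such as 255.0.255.0.
mask2cidr() {
    valid_ipv4 "$1" || return 1
    oldifs=$IFS; IFS=.; set -- $1; IFS=$oldifs
    bits=0; ended=0
    for o in "$@"; do
        case "$o" in
            255) n=8 ;; 254) n=7 ;; 252) n=6 ;; 248) n=5 ;; 240) n=4 ;;
            224) n=3 ;; 192) n=2 ;; 128) n=1 ;; 0) n=0 ;; *) return 1 ;;
        esac
        # once an octet is not all ones, every later octet must be zero
        if [ "$ended" -eq 1 ] && [ "$n" -ne 0 ]; then return 1; fi
        if [ "$n" -ne 8 ]; then ended=1; fi
        bits=$((bits + n))
    done
    echo "$bits"
}

# Network address of address/mask: bitwise AND of each octet pair.
networkof() {
    valid_ipv4 "$1" && valid_ipv4 "$2" || return 1
    oldifs=$IFS; IFS=.; set -- $1 $2; IFS=$oldifs   # 8 octets in $1..$8
    echo "$(($1 & $5)).$(($2 & $6)).$(($3 & $7)).$(($4 & $8))"
}

# render_config RULES.IN EXTERN.CONFIG RULES: fill the placeholders.
# extern.config is executed as shell code by the dot command, so the
# hook that writes it (dhclient-exit-hooks, the ppp linkup script)
# must emit nothing but plain assignments.
render_config() {
    in=$1 config=$2 out=$3
    extern_interface= extern_ipaddress= extern_netmask=   # no stale values
    . "$config"
    case "$extern_interface" in
        ''|*[!a-z0-9]*) echo "bad extern_interface" >&2; return 1 ;;
    esac
    valid_ipv4 "$extern_ipaddress" || { echo "bad extern_ipaddress" >&2; return 1; }
    extern_cidr=$(mask2cidr "$extern_netmask") || { echo "bad extern_netmask" >&2; return 1; }
    extern_network=$(networkof "$extern_ipaddress" "$extern_netmask") || return 1
    sed -e "s|@EXTERN_INTERFACE@|$extern_interface|g" \
        -e "s|@EXTERN_IPADDRESS@|$extern_ipaddress|g" \
        -e "s|@EXTERN_NETWORK@|$extern_network|g" \
        -e "s|@EXTERN_NETMASK@|$extern_netmask|g" \
        -e "s|@EXTERN_CIDR@|$extern_cidr|g" "$in" > "$out" || return 1
    # Never hand ipf a rule set with a placeholder still in it.
    if grep -q '@[A-Z_]*@' "$out"; then
        echo "unsubstituted placeholder in $out" >&2
        return 1
    fi
}

# Constructed sample input (not from a real box): the extern.config from
# the message, minus the two derived lines, and a two-rule rules.in.
demo() {
    dir=$(mktemp -d) || return 1
    cat > "$dir/extern.config" <<'EOF'
extern_interface=dc0
extern_ipaddress=122.222.122.12
extern_netmask=255.255.255.0
EOF
    cat > "$dir/ipf.rules.in" <<'EOF'
block in on @EXTERN_INTERFACE@ from @EXTERN_NETWORK@/@EXTERN_CIDR@ to any
pass out on @EXTERN_INTERFACE@ from @EXTERN_IPADDRESS@ to any keep state
EOF
    render_config "$dir/ipf.rules.in" "$dir/extern.config" "$dir/ipf.rules" || return 1
    cat "$dir/ipf.rules"      # this is what the ipfilter reload would be handed
    rm -rf "$dir"
}

demo
```

Because extern.config is sourced, render_config trusts whoever wrote it; the hook should only ever emit assignments of values it has checked, and the validation here is a second line of defence for the sed substitution and the rule file rather than a substitute for that. In the real setup the end of render_config is where the ipfilter and ipnat reload and the daemon restarts from the message would go.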

