From: Shaun Marko
Reply-To: shaun.marko@gte.net
To: "Peter Brezny"
Cc: freebsd-net@freebsd.org
Subject: Re: how to find dhclient ip for use in ipfw ruleset?
Date: Fri, 15 Jun 2001 16:53:02 -0500
Message-Id: <01061517230003.00821@shaggy.doo.com>

I wrote an /etc/dhclient-exit-hooks script that writes out the interface
configuration to a file and changed /etc/rc.conf to suck in the
configuration file. It looks something like this:

    # Record the outside interface settings whenever a lease is bound or renewed
    case ${reason} in
    BOUND | REBOOT | RENEW)
        echo "oif=${interface}" > /etc/oif
        echo "oip=${new_ip_address}" >> /etc/oif
        echo "omask=${new_subnet_mask}" >> /etc/oif
        echo "onet=${new_network_number}" >> /etc/oif
        ;;
    esac

Take a look at dhclient-script(8) for details of the optional exit and
enter hooks scripts.

The real trick is reconfiguring the firewall if the interface
configuration changes while you are up and running. If this happens, I
suppose you could also use the exit hooks script to down the outside
interface, rewrite the ipfw rules, and re-up the interface.

-Shaun

On Fri, 15 Jun 2001, Peter Brezny wrote:
> How can you place a dynamically assigned dhclient ip address into an ipfw
> ruleset?
>
> I've gotten used to writing rules based on external interface ip addresses
> and network ranges, however, now I'd like to write a ruleset that would work
> to firewall a small network behind a dsl router with a dynamically assigned
> ip.
>
> I've gotten dhclient working, but I'm stumped as to how to get the
> dynamically assigned ip address into the ruleset.
>
> TIA
>
> Peter Brezny
> SysAdmin Services Inc.
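
An added example, not part of the original message: one way to handle the reconfiguration case raised in the reply, as an exit hook that rewrites the file only when the lease settings change and then reloads the firewall. Because the file is later read in as shell by /etc/rc.conf, the lease values are checked for shape before being written. OIF_FILE, RELOAD_CMD, the helper function names and the `service ipfw restart` reload command are assumptions for illustration.

```shell
# /etc/dhclient-exit-hooks (sourced by dhclient-script, so it must not call exit)
# OIF_FILE and RELOAD_CMD are assumed names; adjust the reload command to your system.
OIF_FILE="${OIF_FILE:-/etc/oif}"
RELOAD_CMD="${RELOAD_CMD:-service ipfw restart}"

# True only for a dotted quad with four octets in 0..255.
is_ipv4() {
    case "$1" in
        ''|*[!0-9.]*|*..*|.*|*.) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ ${#octet} -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
}

# True only for a plain interface name such as fxp0.
is_ifname() {
    case "$1" in ''|*[!A-Za-z0-9_]*) return 1 ;; esac
}

# Rewrite $OIF_FILE from the lease variables set by dhclient-script.
# Returns 0 if the file changed, 1 if it is unchanged, 2 if a value was rejected.
update_oif() {
    is_ifname "$interface" && is_ipv4 "$new_ip_address" &&
        is_ipv4 "$new_subnet_mask" && is_ipv4 "$new_network_number" || return 2
    tmp=$(mktemp "${OIF_FILE}.XXXXXX") || return 2
    printf 'oif=%s\noip=%s\nomask=%s\nonet=%s\n' "$interface" \
        "$new_ip_address" "$new_subnet_mask" "$new_network_number" > "$tmp"
    if [ -f "$OIF_FILE" ] && cmp -s "$tmp" "$OIF_FILE"; then
        rm -f "$tmp"
        return 1
    fi
    mv "$tmp" "$OIF_FILE"    # rename within one directory replaces the file atomically
}

case "${reason:-}" in
    BOUND|REBOOT|RENEW|REBIND)   # REBIND added here; the post lists the first three
        if update_oif; then
            $RELOAD_CMD          # reload rules only when the settings changed
        fi ;;
esac
```

The ipfw ruleset itself still has to read oif, oip, omask and onet from the file for the reload to pick up the new address.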