Date: Wed, 16 May 2001 12:09:11 -0400
From: "Antoine Beaupre (LMC)" <Antoine.Beaupre@ericsson.ca>
To: freebsd-security@FreeBSD.ORG
Subject: Re: risks of ip-forwarding, without ipf/ipfw
Message-ID: <3B02A627.533CD030@lmc.ericsson.se>
References: <20010516155615.40395.qmail@web14503.mail.yahoo.com>

There's a few issues with that here...

You can run natd with -dynamic:

     -dynamic    If the -n or -interface option is used, natd will monitor
                 the routing socket for alterations to the interface passed.
                 If the interface's IP number is changed, natd will
                 dynamically alter its concept of the alias address.

For the matching rules, you can use the "me" keyword that:

     src and dst:
         any | me | [not] <address/mask> [ports]

     Specifying me makes the rule match any IP number configured on an
     interface in the system.  This is a computationally semi-expensive
     check which should be used with care.

So yes, it's smart.

A.

Jano Lukac wrote:
>
> If your IP changes (e.g. in a PPP or PPPoE link), do you have to rerun
> ipf/ipfw/natd everytime? Or is freebsd smart about this (unlike the unnamed
> arctic semi-counterpart which uses ipchains/iptables)?

-- 
La sémantique est la gravité de l'abstraction.

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
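
The two mechanisms quoted in the message above, put together as an added example that is not part of the original e-mail or of the FreeBSD sources. The interface name tun0, the rule numbers, the SSH port and the helper names run and nat_and_rules are assumptions for illustration; the script prints the commands unless APPLY=1 is set, and it is a fragment, not a complete firewall policy.

```shell
#!/bin/sh
# Added example: NAT and a filter rule that survive an address change on a
# dynamic link, using natd -dynamic and the ipfw "me" keyword.
# Assumptions: external interface name, rule numbers, SSH as the service.

EXT_IF="${EXT_IF:-tun0}"    # assumed PPP/PPPoE interface with a dynamic address

# Dry-run wrapper: print the command unless APPLY=1 (then run it, as root).
run() {
    if [ "${APPLY:-0}" = "1" ]; then
        "$@"
    else
        echo "$@"
    fi
}

nat_and_rules() {
    # With -n plus -dynamic, natd watches the routing socket and updates its
    # alias address when the interface is renumbered; no restart is needed.
    run natd -dynamic -n "$EXT_IF"

    # Hand traffic crossing the external interface to natd.
    run ipfw add 100 divert natd all from any to any via "$EXT_IF"

    # A rule written against a literal address goes stale after a reconnect:
    #   ipfw add 200 allow tcp from any to 203.0.113.7 22 in via tun0
    # (203.0.113.7 is a constructed documentation address.)
    # "me" matches whatever addresses the host has at match time instead.
    run ipfw add 200 allow tcp from any to me 22 in via "$EXT_IF"
}

nat_and_rules
```

Because `me` is checked against every configured address on each match, keeping it to the few rules that need it follows the man page's caution about its cost.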