Date:      Wed, 16 May 2001 12:09:11 -0400
From:      "Antoine Beaupre (LMC)" <Antoine.Beaupre@ericsson.ca>
To:        freebsd-security@FreeBSD.ORG
Subject:   Re: risks of ip-forwarding, without ipf/ipfw
Message-ID:  <3B02A627.533CD030@lmc.ericsson.se>
References:  <20010516155615.40395.qmail@web14503.mail.yahoo.com>

There are a few issues with that here...

You can run natd with -dynamic:

     -dynamic    If the -n or -interface option is used, natd will monitor the
                 routing socket for alterations to the interface passed.  If
                 the interface's IP number is changed, natd will dynamically
                 alter its concept of the alias address.

For the matching rules, you can use the "me" keyword that:

     src and dst:
             any | me | [not] <address/mask> [ports]

             Specifying me makes the rule match any IP number configured on an
             interface in the system.  This is a computationally semi-expensive
             check which should be used with care.

So yes, it's smart.

A.

Jano Lukac wrote:
> 
> If your IP changes (e.g. in a PPP or PPPoE link), do you have to rerun
> ipf/ipfw/natd every time?  Or is freebsd smart about this (unlike the unnamed
> arctic semi-counterpart which uses ipchains/iptables)?

--
Semantics is the gravity of abstraction.

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?3B02A627.533CD030>
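What the reply above describes, put together as a gateway configuration, as an added example (not code from the original mail nor from the FreeBSD project): natd started with -dynamic bound to the external interface, and an ipfw ruleset in which every rule that has to name the gateway's own address says "me" instead of a literal IP. The interface names (tun0 for the PPP link, fxp0 for the LAN), the LAN prefix 192.168.1.0/24, and the rc.conf file path are assumptions for illustration; the ruleset uses the ipfw syntax of the FreeBSD 4.x era that the thread is about.

```shell
#!/bin/sh
# Added example, not from the original mail or the FreeBSD project:
# ipfw + natd for a gateway whose external address changes (PPP/PPPoE).
# "-dynamic" on natd and "me" in the rules mean nothing has to be rerun
# when the address moves. Interface names and the LAN prefix are assumed.

EXT_IF=tun0               # assumed PPP link; its address changes
INT_IF=fxp0               # assumed LAN interface
LAN=192.168.1.0/24        # assumed private LAN behind the gateway

# rc.conf lines: natd is tied to the external interface and told to
# follow that interface's address over the routing socket (-dynamic),
# so it never needs a restart after the link renegotiates.
rc_conf_fragment() {
    cat <<EOF
gateway_enable="YES"
firewall_enable="YES"
firewall_type="/etc/ipfw.rules"
natd_enable="YES"
natd_interface="$1"
natd_flags="-dynamic"
EOF
}

# The ruleset. Packets leaving via the external interface hit the divert
# rule first, so by the time they reach the later rules their source has
# already been rewritten to the gateway's current address: "me" matches it
# whatever it is today. Inbound traffic for the gateway itself (SSH) is
# still addressed to "me" after natd looks at it; replies NATted back to
# LAN hosts are not, hence "to any" on rule 1100.
ruleset() {
    ext=$1
    int=$2
    lan=$3
    cat <<EOF
add 100 divert natd ip from any to any via $ext
add 200 allow ip from any to any via lo0
add 300 deny ip from any to 127.0.0.0/8
add 400 deny ip from 127.0.0.0/8 to any
add 500 deny ip from $lan to any in via $ext
add 600 allow ip from $lan to any via $int
add 700 allow tcp from any to any established
add 800 allow tcp from me to any setup out via $ext
add 900 allow tcp from any to me 22 setup in via $ext
add 1000 allow udp from me to any 53 out via $ext
add 1100 allow udp from any 53 to any in via $ext
add 1200 allow icmp from any to any icmptypes 0,3,8,11
add 65000 deny ip from any to any
EOF
}

# Sanity check on a ruleset read from stdin: count rules that carry a
# literal dotted-quad other than the LAN prefix or loopback. A non-zero
# result means some rule hardcodes the PPP address and will break when
# it changes; the ruleset above yields 0.
hardcoded_address_count() {
    grep -E '[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+' \
        | grep -v -e "$1" -e '127.0.0.0/8' \
        | wc -l | tr -d ' '
}

# Load the rules into the kernel only when asked explicitly (root on FreeBSD).
if [ "$1" = "--apply" ]; then
    ipfw -f flush
    ruleset "$EXT_IF" "$INT_IF" "$LAN" | while read -r rule; do
        # shellcheck disable=SC2086
        ipfw $rule
    done
fi
```

Two caveats a practitioner would add: the man page text quoted in the mail warns that "me" is a semi-expensive check, so use it only in the handful of rules that must refer to the gateway's own address rather than in every rule; and the classic "established" rule (700) passes any TCP segment with ACK set, which is the price of stateless filtering in this ipfw generation. The reply only covers natd and ipfw; the questioner's ipf case is not addressed by it or by this example.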