From owner-freebsd-security Fri Jul 3 23:52:41 1998
Return-Path:
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id XAA17490 for freebsd-security-outgoing; Fri, 3 Jul 1998 23:52:41 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from infowest.com (infowest.com [204.17.177.10]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id XAA17477 for ; Fri, 3 Jul 1998 23:52:39 -0700 (PDT) (envelope-from agifford@infowest.com)
Received: from infowest.com (liberty.infowest.com [207.49.60.254]) by infowest.com (8.8.8/8.8.8) with ESMTP id AAA14261; Sat, 4 Jul 1998 00:50:55 -0600 (MDT)
Message-ID: <359DD0C3.B683728B@infowest.com>
Date: Sat, 04 Jul 1998 00:50:43 -0600
From: "Aaron D. Gifford"
X-Mailer: Mozilla 4.05 [en] (X11; U; FreeBSD 2.2.6-STABLE i386)
MIME-Version: 1.0
To: Louie
CC: security@FreeBSD.ORG
Subject: Re: ipfw with ppp -alias setup
References: <199807040158.UAA20374@sunra.csci.unt.edu>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On my home FreeBSD box, I use ipfw filters as well. Instead of running
rc.firewall every time I connect to my ISP, I use /etc/ppp/ppp.linkup to
execute my own custom ipfw script for me automatically. Here's what I've
been using in /etc/ppp/ppp.linkup:

    MYADDR:
      delete ALL
      add 0 0 HISADDR
      ! sh -c "/bin/sh /etc/rc.firewall &"

I've basically gutted rc.firewall and rewritten many parts for my own
setup. I use ppp.linkup to execute it every time I establish a connection
to my ISP.

Near the top of my custom rc.firewall script is this:

    ip=`/usr/bin/netstat -in | perl -ne 'print $1 if ( /^tun0\s+[0-9]+\s+[0-9\.]+\s+([0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3})\s+/ );'`

(I hope my mail program doesn't wrap the perl expression line -- it is
rather long.)

It basically runs the 'netstat -in' command and then looks at the output
for a line like:

    Name  Mtu   Network       Address            Ipkts Ierrs    Opkts Oerrs  Coll
    tun0  1500  10.2.6        10.2.6.112             0     0        0     0     0

The perl expression grabs the IP address (in the above line that would be
'10.2.6.112') and spits it back out to be assigned to the 'ip' shell script
variable, which I use extensively later on in my own rc.firewall script.
Every time my modem connects, my firewall setup is automatically reset and
updated for my new IP address.

I haven't tried to see if it is possible to pass MYADDR as a parameter to
the script in /etc/ppp/ppp.linkup. That might work too, but since I have a
working setup for now, I haven't been motivated to change things to find
out.

I don't know if this is of any use to you in your situation, esp. since
you mentioned that this sort of thing is not what you were looking for or
asking.

Aaron out.