Date: Mon, 19 Jun 2000 00:31:56 +0300
From: Giorgos Keramidas <keramida@ceid.upatras.gr>
To: The Clark Family <res03db2@gte.net>
Cc: freebsd-questions@FreeBSD.ORG
Subject: Re: Updating ipfw at dhcp induced ip address change.
Message-ID: <20000619003156.A642@hades.hell.gr>
In-Reply-To: <Pine.BSF.4.21.0006161851150.14076-100000@orthanc.dsl.gtei.net>; from res03db2@gte.net on Fri, Jun 16, 2000 at 07:01:24PM -0700
References: <Pine.BSF.4.21.0006161851150.14076-100000@orthanc.dsl.gtei.net>
On Fri, Jun 16, 2000 at 07:01:24PM -0700, The Clark Family wrote:
>
> My question is; if I write my filter and natd rules to refer to fxp1
> instead of my dhcp assigned address, will dhcpd bump ipfw for me
> when/if dhcp changes my address.

Well, yeah it is supposed to work that way.  I had been using ipfw with
ppp0 on a dialup connection, and all my rules were either:

    pass ... in recv ppp0
    block ... in recv ppp0

or

    pass ... out xmit ppp0
    block ... out xmit ppp0

The same is true, of course, with Darren's ipfilter that I'm using now.
You can still make rules that act on an "interface level" and forget all
about your dynamic IP address.  Some of the rules I have now look like:

    # by default block all packets from/to 127.0.0.0/8
    block in proto ip from 127.0.0.0/8 to any
    block in proto ip from any to 127.0.0.0/8

    # then let only those that traverse lo0 pass
    pass in quick on lo0 proto ip from 127.0.0.0/8 to any
    pass in quick on lo0 proto ip from any to 127.0.0.0/8

The equivalent in ipfw would look like:

    # pass all packets from/to 127.0.0.0/8 when they traverse lo0
    pass ip from any to 127.0.0.0/8 via lo0
    pass ip from 127.0.0.0/8 to any via lo0

    # deny when they traverse some other interface
    deny ip from any to 127.0.0.0/8
    deny ip from 127.0.0.0/8 to any

Filtering with the interface as the basis of the rules makes it easy to
block all the interfaces that are *not* lo0, without knowing their
specific IP addresses, or how many they are :-)

> I'm also thinking that I'll hang squid and apache on the loopback
> interface at non privileged ports.

Nice thought, unless you want these visible from the outside, too.

-- 
Giorgos Keramidas, < keramida @ ceid . upatras . gr >
For my public key: finger keramida@ceid.upatras.gr

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-questions" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20000619003156.A642>
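The two rulesets in the message above are ordered differently because ipfilter takes the last matching rule (unless it is "quick") while ipfw takes the first. This added Python matcher, which is not part of the original e-mail, replays both rulesets on sample packets and shows that the verdict depends only on the interface name, never on the DHCP-assigned address. It assumes a packet matching none of these four rules passes (the rest of a real ruleset is not modelled), and uses fxp1 from the thread as the outside interface.

```python
import ipaddress

# Rule = (action, interface or None, src network, dst network).
# ipfilter rules from the e-mail: last match wins unless the rule is "quick".
IPF_RULES = [
    (("block", None, "127.0.0.0/8", "0.0.0.0/0"), False),
    (("block", None, "0.0.0.0/0", "127.0.0.0/8"), False),
    (("pass", "lo0", "127.0.0.0/8", "0.0.0.0/0"), True),
    (("pass", "lo0", "0.0.0.0/0", "127.0.0.0/8"), True),
]

# ipfw rules from the e-mail: first match wins.
IPFW_RULES = [
    ("pass", "lo0", "0.0.0.0/0", "127.0.0.0/8"),
    ("pass", "lo0", "127.0.0.0/8", "0.0.0.0/0"),
    ("deny", None, "0.0.0.0/0", "127.0.0.0/8"),
    ("deny", None, "127.0.0.0/8", "0.0.0.0/0"),
]

def _matches(rule, iface, src, dst):
    """A rule matches when its interface (if any) and both networks match."""
    _, r_iface, r_src, r_dst = rule
    if r_iface is not None and r_iface != iface:
        return False
    return (ipaddress.ip_address(src) in ipaddress.ip_network(r_src)
            and ipaddress.ip_address(dst) in ipaddress.ip_network(r_dst))

def ipf_allows(iface, src, dst):
    """ipfilter: every rule is consulted, the last match wins, and a
    'quick' match ends the search.  Assumption: unmatched packets pass
    (the rest of the real ruleset is not modelled)."""
    verdict = "pass"
    for rule, quick in IPF_RULES:
        if _matches(rule, iface, src, dst):
            verdict = rule[0]
            if quick:
                break
    return verdict == "pass"

def ipfw_allows(iface, src, dst):
    """ipfw: the first matching rule decides (same assumption as above)."""
    for rule in IPFW_RULES:
        if _matches(rule, iface, src, dst):
            return rule[0] == "pass"
    return True

def rulesets_agree(packets):
    """True when both translations give the same verdict for every packet."""
    return all(ipf_allows(*p) == ipfw_allows(*p) for p in packets)
```

A packet with a 127/8 source or destination arriving on fxp1 is dropped by both rulesets whatever address DHCP has handed fxp1, while genuine loopback traffic on lo0 passes.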