From owner-freebsd-questions Sat Jun 17 15:10:19 2000
Delivered-To: freebsd-questions@freebsd.org
Received: from smtppop1.gte.net (smtppop1pub.gte.net [206.46.170.20]) by hub.freebsd.org (Postfix) with ESMTP id 1285537B56F for ; Sat, 17 Jun 2000 15:10:16 -0700 (PDT) (envelope-from res03db2@gte.net)
Received: from evrtwa1-ar4-146-005.dsl.gtei.net (evrtwa1-ar4-146-005.dsl.gtei.net [4.34.146.5]) by smtppop1.gte.net with ESMTP ; id RAA2963244 Sat, 17 Jun 2000 17:07:58 -0500 (CDT)
Date: Sat, 17 Jun 2000 15:10:05 -0700 (PDT)
From: The Clark Family
X-Sender: res03db2@orthanc.dsl.gtei.net
To: Giorgos Keramidas
Cc: freebsd-questions@FreeBSD.ORG
Subject: Re: Updating ipfw at dhcp induced ip address change.
In-Reply-To: <20000619003156.A642@hades.hell.gr>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-questions@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

I had read somewhere that it was required to "bump" ipfw when an
interface's address changes. NATD looks like it has a "dynamic" setting
though. If I do have to "bump" ipfw to make sure the rules that reference
fxp1 are reset, then I can do that from dhcpd's hook script. (I'm still
learning about that.)

The plan with squid is to have it act as a "web accelerator" for apache,
and as a transparent proxy for the inside machines. I think it'll involve
a fairly elaborate divert/ipfw setup.

Thanks for the feedback.

[RC]

On Mon, 19 Jun 2000, Giorgos Keramidas wrote:

> On Fri, Jun 16, 2000 at 07:01:24PM -0700, The Clark Family wrote:
> >
> > My question is: if I write my filter and natd rules to refer to fxp1
> > instead of my dhcp assigned address, will dhcpd bump ipfw for me
> > when/if dhcp changes my address.
>
> Well, yeah, it is supposed to work that way. I had been using ipfw with
> ppp0 on a dialup connection, and all my rules were either:
>
>     pass ... in recv ppp0
>     block ... in recv ppp0
>
> or
>
>     pass ... out xmit ppp0
>     block ... out xmit ppp0
>
> The same is true, of course, with Darren's ipfilter that I'm using now.
> You can still make rules that act on an "interface level" and forget all
> about your dynamic IP address. Some of the rules I have now look like:
>
>     # by default block all packets from/to 127.0.0.0/8
>     block in proto ip from 127.0.0.0/8 to any
>     block in proto ip from any to 127.0.0.0/8
>     # then let only those that traverse lo0 pass
>     pass in quick on lo0 proto ip from 127.0.0.0/8 to any
>     pass in quick on lo0 proto ip from any to 127.0.0.0/8
>
> The equivalent in ipfw would look like:
>
>     # pass all packets from/to 127.0.0.0/8 when they traverse lo0
>     pass ip from any to 127.0.0.0/8 via lo0
>     pass ip from 127.0.0.0/8 to any via lo0
>     # deny when they traverse some other interface
>     deny ip from any to 127.0.0.0/8
>     deny ip from 127.0.0.0/8 to any
>
> Filtering with the interface as the basis of the rules makes it easy to
> block all the interfaces that are *not* lo0, without knowing their
> specific IP addresses, or how many they are :-)
>
> > I'm also thinking that I'll hang squid and apache on the loopback
> > interface at non privileged ports.
>
> Nice thought, unless you want these visible from the outside, too.
>
> --
> Giorgos Keramidas, < keramida @ ceid . upatras . gr >
> For my public key: finger keramida@ceid.upatras.gr

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-questions" in the body of the message
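The two questions in this thread, whether ipfw rules written against an interface name survive a DHCP renumbering, and when a dhclient hook actually has to reload anything, can be settled with a concrete ruleset. The script below is an added example, not code from either poster: it generates an ipfw ruleset keyed only on interface names (via / in recv / out xmit, as in Giorgos's rules), and a dhclient exit hook that reloads the ruleset only if some rule literally embeds the old or new lease address. The interface fxp1 comes from the thread; fxp0 as the inside interface, 192.168.1.0/24 as the inside network, and natd on its default divert port 8668 are assumed values. The hook relies on the variables that FreeBSD's dhclient-script exports to /etc/dhclient-exit-hooks ($reason, $interface, $old_ip_address, $new_ip_address); `ipfw -q -f flush` and `ipfw -q pathname` are the documented ways to flush and to load rules from a file.

```shell
#!/bin/sh
# Interface-keyed ipfw ruleset for a DHCP-addressed gateway, plus the
# dhclient exit hook that decides whether the ruleset must be reloaded.
# Added example, not code from the thread. Interface names, the inside
# network and natd's divert port are assumed values.

EXT_IF=${EXT_IF:-fxp1}              # outside interface, address from DHCP
INT_IF=${INT_IF:-fxp0}              # inside interface (assumed name)
INT_NET=${INT_NET:-192.168.1.0/24}  # inside network behind natd (assumed)
NATD_PORT=${NATD_PORT:-8668}        # run natd as: natd -dynamic -n $EXT_IF -p $NATD_PORT
IPFW=${IPFW:-/sbin/ipfw}

# Print the ruleset in the "add ..." form that 'ipfw -q pathname' reads.
# Every rule matches on an interface name; the outside address never
# appears, so the same text is valid before and after a lease change.
# Anti-spoofing (200-230) sits before the divert so natd never sees
# packets claiming an inside or RFC 1918 source on the outside interface.
gen_rules() {
cat <<EOF
add 100 allow ip from any to any via lo0
add 110 deny ip from any to 127.0.0.0/8
add 120 deny ip from 127.0.0.0/8 to any
add 200 deny ip from $INT_NET to any in recv $EXT_IF
add 210 deny ip from 10.0.0.0/8 to any in recv $EXT_IF
add 220 deny ip from 172.16.0.0/12 to any in recv $EXT_IF
add 230 deny ip from 192.168.0.0/16 to any in recv $EXT_IF
add 300 allow udp from any 67 to any 68 in recv $EXT_IF
add 310 allow udp from any 68 to any 67 out xmit $EXT_IF
add 400 divert $NATD_PORT ip from any to any via $EXT_IF
add 500 allow ip from $INT_NET to any in recv $INT_IF
add 505 allow ip from any to $INT_NET out xmit $INT_IF
add 510 allow tcp from any to any out xmit $EXT_IF setup
add 520 allow tcp from any to any established
add 530 allow udp from any to any out xmit $EXT_IF
add 540 allow udp from any 53 to any in recv $EXT_IF
add 545 allow icmp from any to any icmptypes 0,3,11
add 60000 deny log ip from any to any
EOF
}

# Flush and reload. There is a short window between the flush and the
# load in which only the kernel's default policy applies; acceptable for
# a home gateway, and the reason the hook avoids reloading needlessly.
load_rules() {
    tmp=$(mktemp /tmp/ipfw.XXXXXX) || return 1
    gen_rules > "$tmp" && "$IPFW" -q -f flush && "$IPFW" -q "$tmp"
    rc=$?
    rm -f "$tmp"
    return $rc
}

# needs_reload REASON IFACE OLD NEW, ruleset text on stdin.
# Returns 0 (true) only when the lease on $EXT_IF really changed and some
# rule embeds the old or new address literally. Rules keyed on the
# interface name keep matching across a renumbering and need no reload.
needs_reload() {
    reason=$1 iface=$2 old=$3 new=$4
    rules=$(cat)
    case "$reason" in
        BOUND|RENEW|REBIND|REBOOT) ;;
        *) return 1 ;;                      # EXPIRE, FAIL, RELEASE, ...
    esac
    [ "$iface" = "$EXT_IF" ] || return 1
    [ "$old" != "$new" ] || return 1
    for a in $old $new; do                  # $old is empty on first BOUND
        case "$rules" in *"$a"*) return 0 ;; esac
    done
    return 1
}

# Body for /etc/dhclient-exit-hooks; dhclient-script sources that file with
# $reason, $interface, $old_ip_address and $new_ip_address set. natd run
# with -dynamic tracks the new address itself, so nothing else to do.
dhclient_exit_hook() {
    if gen_rules | needs_reload "$reason" "$interface" \
            "$old_ip_address" "$new_ip_address"; then
        load_rules
    fi
}

if [ -n "${reason:-}" ]; then
    dhclient_exit_hook
fi
```

With this ruleset needs_reload never fires, which is the point of the thread: once nothing in the rules names the leased address, the "bump" the original poster read about is unnecessary, and the only piece that must follow the address is natd, which -dynamic handles. The hook earns its keep the day someone adds a rule with a literal address, which is exactly when a silent stale rule would be dangerous.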