Date: Fri, 7 Dec 2012 15:29:15 +0000
From: Tom Evans <tevans.uk@googlemail.com>
To: Ronald Klop <ronald-freebsd8@klop.yi.org>
Cc: freebsd-stable@freebsd.org
Subject: Re: Using dhclient on WAN if on a box serving DHCP to LAN if
Message-ID: <CAFHbX1+ft3x5Ocw3pGtG9QTv5YFVRCtAWmfM8xE8oBVNVzgr-w@mail.gmail.com>
In-Reply-To: <op.wox4tlex8527sy@ronaldradial.versatec.local>
References: <CAFHbX1LViMrh95sAm3uMJ1dt3RtUwKbPCtHQCTU2xaALaf7n7A@mail.gmail.com> <op.wox4tlex8527sy@ronaldradial.versatec.local>
On Fri, Dec 7, 2012 at 12:25 PM, Ronald Klop <ronald-freebsd8@klop.yi.org> wrote:
> On Fri, 07 Dec 2012 12:38:45 +0100, Tom Evans <tevans.uk@googlemail.com>
>
> What is in dhcpd.conf?
>
> Ronald.
>

dhcpd.conf is straightforward:

option domain-name "xxxxx.com";
option subnet-mask 255.255.255.0;
default-lease-time 3600;
max-lease-time 86400;
ddns-update-style none;

subnet 192.168.1.0 netmask 255.255.255.0 {
  range 192.168.1.200 192.168.1.253;
  option domain-name-servers 192.168.1.1;
  option routers 192.168.1.1;
}

Ian: I had already specified dhcpd_ifaces to be just the internal interface, which is why it had confused me! I haven't yet got any complaints from dhcpd about the subnet on the extif, so far as I can see.

For clarity, this is my pf.conf, which again is very simple:

ext_if="ale0"
int_if="{ em0 }"
antispoof_if="{ lo0 em0 }"
tcp_services="{ 22 443 }"
icmp_types="{ echoreq echorep unreach }"

# options
set block-policy return
set loginterface $ext_if
set skip on lo0

# tables
table <sshguard> persist

# scrub
#match in all scrub (no-df)

# nat/rdr
nat on $ext_if from !($ext_if) -> ($ext_if:0)
nat-anchor "ftp-proxy/*"
rdr-anchor "ftp-proxy/*"

# filter rules
block in
pass out keep state

anchor "ftp-proxy/*"
antispoof quick for $antispoof_if

block in quick on $ext_if from <sshguard> label "ssh bruteforce"

pass in on $ext_if inet proto tcp from any to ($ext_if) port $tcp_services flags S/SA keep state
pass in inet proto icmp all icmp-type $icmp_types keep state
pass in quick on $int_if

Ideally, I would like the configuration to not specify the details of the configuration. E.g., if I instead had a dynamic IP, how could I configure that, as I would not know IP, netmask, broadcast and router addresses beforehand.

Cheers

Tom
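The following pf.conf fragment is an added example, not part of the thread or of Tom's posted configuration. It shows how a router that runs dhclient on the WAN interface and dhcpd on the LAN interface can be written so that no WAN address, netmask or gateway appears in the ruleset, and so that DHCP server traffic is pinned to the inside even if dhcpd is ever started on the wrong interface. The interface names (ale0 outside, em0 inside) and the 192.168.1.0/24 LAN are taken from the configuration above; everything else is assumed. The matching rc.conf would carry `ifconfig_ale0="DHCP"` and `dhcpd_ifaces="em0"`; it is not shown here.

```pf
# Added example: interface-name based ruleset for a dhclient-on-WAN,
# dhcpd-on-LAN router. Interface names from the thread; rules assumed.
ext_if="ale0"
int_if="em0"
lan_net="192.168.1.0/24"

set block-policy return
set skip on lo0

# ($ext_if) and ($ext_if:0) are evaluated at packet time, so a new lease
# from dhclient never requires editing or reloading this file.
nat on $ext_if inet from $lan_net to any -> ($ext_if:0)

block in
pass out keep state
antispoof quick for { lo0 $int_if }

# dhclient on the WAN: DISCOVER/REQUEST go out from port 68 to port 67,
# OFFER/ACK come back to port 68 (unicast or 255.255.255.255 broadcast).
pass out quick on $ext_if inet proto udp from any port 68 to any port 67
pass in  quick on $ext_if inet proto udp from any port 67 to any port 68

# dhcpd must never answer on the WAN: drop anything leaving ale0 from the
# server port, regardless of what dhcpd_ifaces ends up listening on.
block out quick on $ext_if inet proto udp from any port 67

# LAN clients may only reach dhcpd through the inside interface.
pass in quick on $int_if inet proto udp from any port 68 to any port 67

# Everything else from the LAN is allowed (same policy as the thread's ruleset).
pass in quick on $int_if from $lan_net
```

Two things worth checking after loading this: `pfctl -sn` and `pfctl -sr` should show the rules with the interface name, not an address, confirming that nothing in the ruleset depends on the current lease; and ISC dhcpd's startup output should contain a `Listening on BPF/em0/...` line for the inside interface only, with no corresponding line for ale0. dhcpd opens its interfaces through bpf(4), so a `sockstat` listing of UDP port 67 does not tell you which interface it is actually serving; the log line does.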