From: Tom Evans
To: Ronald Klop
Cc: freebsd-stable@freebsd.org
Date: Fri, 7 Dec 2012 15:29:15 +0000
Subject: Re: Using dhclient on WAN if on a box serving DHCP to LAN if
List-Id: Production branch of FreeBSD source code (freebsd-stable@freebsd.org)

On Fri, Dec 7, 2012 at 12:25 PM, Ronald Klop wrote:
> On Fri, 07 Dec 2012 12:38:45 +0100, Tom Evans
>
> What is in dhcpd.conf?
>
> Ronald.
>

dhcpd.conf is straightforward:

option domain-name "xxxxx.com";
option subnet-mask 255.255.255.0;
default-lease-time 3600;
max-lease-time 86400;
ddns-update-style none;

subnet 192.168.1.0 netmask 255.255.255.0 {
  range 192.168.1.200 192.168.1.253;
  option domain-name-servers 192.168.1.1;
  option routers 192.168.1.1;
}

Ian: I had already specified dhcpd_ifaces to be just the internal
interface, which is why it had confused me! I haven't yet got any
complaints from dhcpd about the subnet on the extif, so far as I can see.

For clarity, this is my pf.conf, which again is very simple:

ext_if="ale0"
int_if="{ em0 }"
antispoof_if="{ lo0 em0 }"
tcp_services="{ 22 443 }"
icmp_types="{ echoreq echorep unreach }"

# options
set block-policy return
set loginterface $ext_if
set skip on lo0

# tables
table persist

# scrub
#match in all scrub (no-df)

# nat/rdr
nat on $ext_if from !($ext_if) -> ($ext_if:0)
nat-anchor "ftp-proxy/*"
rdr-anchor "ftp-proxy/*"

# filter rules
block in
pass out keep state
anchor "ftp-proxy/*"
antispoof quick for $antispoof_if
block in quick on $ext_if from label "ssh bruteforce"
pass in on $ext_if inet proto tcp from any to ($ext_if) port $tcp_services flags S/SA keep state
pass in inet proto icmp all icmp-type $icmp_types keep state
pass in quick on $int_if

Ideally, I would like the configuration to not specify the details of
the configuration. E.g., if I instead had a dynamic IP, how could I
configure that, as I would not know the IP, netmask, broadcast and router
addresses beforehand?

Cheers

Tom
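The pf side of the question above is already handled by the quoted pf.conf: an interface name written in parentheses, as in `($ext_if)` and `($ext_if:0)`, is re-evaluated by pf whenever the interface's address changes, so the NAT and pass rules follow a dhclient-assigned WAN address without any literal IP in the file. The dhcpd side is where a WAN/LAN split goes wrong: ISC dhcpd answers on an interface only if it is bound to it and has a subnet declaration matching that interface's address, so the things to check are that dhcpd_ifaces names only the LAN interface and that the WAN address never falls inside a declared subnet. The script below is an added example written for this thread, not code from the post or from FreeBSD; it parses the dhcpd.conf and pf macros quoted above (copied verbatim) and checks them against a constructed set of interface addresses and a constructed rc.conf line. Nothing here is something the original poster reported beyond the two config files.

```python
"""Check that dhcpd only serves the LAN side of a box whose WAN side runs dhclient.

Added example for the thread above; not code from the original post. The
dhcpd.conf text and the pf interface macros are copied from the post; the
interface addresses and the rc.conf line are constructed sample values.
"""
import ipaddress
import re

# Copied from the post.
DHCPD_CONF = """
option domain-name "xxxxx.com";
option subnet-mask 255.255.255.0;
default-lease-time 3600;
max-lease-time 86400;
ddns-update-style none;

subnet 192.168.1.0 netmask 255.255.255.0 {
  range 192.168.1.200 192.168.1.253;
  option domain-name-servers 192.168.1.1;
  option routers 192.168.1.1;
}
"""

# Only the interface macros matter for this check (copied from the post).
PF_CONF = """
ext_if="ale0"
int_if="{ em0 }"
"""

# Constructed sample: addresses as `ifconfig -f inet:cidr` would list them.
# ale0 holds a lease from dhclient; em0 is the LAN side served by dhcpd.
IFACES = {
    "ale0": ["203.0.113.17/24"],
    "em0": ["192.168.1.1/24"],
    "lo0": ["127.0.0.1/8"],
}

# Constructed sample rc.conf line (the post says dhcpd_ifaces was set to the
# internal interface only).
RC_CONF = 'dhcpd_ifaces="em0"\n'

SUBNET_RE = re.compile(r"subnet\s+(\S+)\s+netmask\s+(\S+)\s*\{")
MACRO_RE = re.compile(r'^(\w+)\s*=\s*"([^"]*)"', re.M)


def dhcpd_subnets(conf):
    """Networks declared with `subnet A netmask M { ... }` in dhcpd.conf."""
    return [ipaddress.ip_network(f"{net}/{mask}", strict=False)
            for net, mask in SUBNET_RE.findall(conf)]


def pf_macro_ifaces(conf, name):
    """Expand a pf macro such as int_if="{ em0 em1 }" into a list of names."""
    macros = dict(MACRO_RE.findall(conf))
    return macros.get(name, "").strip("{} ").split()


def rc_dhcpd_ifaces(conf):
    """Interfaces listed in rc.conf's dhcpd_ifaces (empty list if unset)."""
    m = re.search(r'^dhcpd_ifaces="([^"]*)"', conf, re.M)
    return m.group(1).split() if m else []


def audit(dhcpd_conf, pf_conf, rc_conf, ifaces):
    """Return a list of findings; an empty list means the WAN/LAN split is clean."""
    findings = []
    subnets = dhcpd_subnets(dhcpd_conf)
    wan = pf_macro_ifaces(pf_conf, "ext_if")
    lan = set(pf_macro_ifaces(pf_conf, "int_if"))
    served = set(rc_dhcpd_ifaces(rc_conf))

    for name in wan:
        # dhcpd bound to the WAN interface would answer DISCOVERs upstream.
        if name in served:
            findings.append(f"dhcpd_ifaces lists WAN interface {name}")
        # A WAN lease inside a declared subnet means WAN and LAN overlap; if
        # dhcpd is ever bound there it has a matching declaration to serve from.
        for cidr in ifaces.get(name, []):
            addr = ipaddress.ip_interface(cidr).ip
            for net in subnets:
                if addr in net:
                    findings.append(
                        f"WAN address {addr} on {name} lies inside dhcpd subnet {net}")

    for net in subnets:
        # Every declared subnet should correspond to an address on a LAN
        # interface that dhcpd actually binds to.
        covered = any(ipaddress.ip_interface(c).ip in net
                      for name in lan & served for c in ifaces.get(name, []))
        if not covered:
            findings.append(
                f"dhcpd subnet {net} matches no address on a served LAN interface")
    return findings


if __name__ == "__main__":
    result = audit(DHCPD_CONF, PF_CONF, RC_CONF, IFACES)
    for line in result or ["ok: dhcpd serves only the LAN side"]:
        print(line)
```

With the quoted configs and the sample addresses the audit returns no findings; adding `ale0` to `dhcpd_ifaces`, or giving `ale0` an address inside 192.168.1.0/24, produces one finding each. On a live box the IFACES dict and RC_CONF string would be read from `ifconfig` and /etc/rc.conf instead of being embedded.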