From owner-freebsd-net Mon May 20 15:23:30 2002
Message-ID: <2F6DCE1EFAB3BC418B5C324F13934C96016C9B4C@exchange.corp.cre8.com>
From: Scott Ullrich
To: 'John Angelmo', net@freebsd.org
Subject: RE: "dynamic" ipfw
Date: Mon, 20 May 2002 18:23:20 -0400
Sender: owner-freebsd-net@FreeBSD.ORG

Check out http://www.bsdshell.com 's EtherFirewall project. It will allow you to maintain MAC addresses with your IPFW rules.

Now regarding the hostname to IP address conversion for firewall rules: I have a feeling it is translating the IP address at the time of entry, so this is not really going to work for your round-robin situation. EtherFirewall is the clear choice for this.

Good luck!

-Scott

> -----Original Message-----
> From: John Angelmo [mailto:john@veidit.net]
> Sent: Monday, May 20, 2002 1:40 PM
> To: net@freebsd.org
> Subject: "dynamic" ipfw
>
> Hello
>
> I have a small problem with IPFW.
>
> How can I handle adding and removing rules based on IP/MAC per user?
> I can add a rule for a specific IP/MAC without the need to flush, but can
> I remove it in the same way?
>
> Now let's say I have a user that only needs access to its mail server
> mail.user.com with POP3 and SMTP; then the rule for POP3 would be something like
> add allow ip from mail.user.com 110 to IP/HOST (MAC doesn't work here, right?)
>
> Now mail.user.com uses round-robin, so the IP changes from request to
> request, but doesn't IPFW resolve the IP when it's added to the rules?
> How can this be solved for the user?
>
> /John
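One way to deal with the two points raised in this thread (removing a per-user rule set without flushing, and a mail host behind round-robin DNS), as an added shell example that is not part of the thread: ipfw keeps whatever address it resolved when the rule was added, so the script expands the host's A records first and adds one rule per address, all under one rule number so `ipfw delete N` removes the set. The rule number, client address and resolved addresses below are constructed.

```sh
#!/bin/sh
# rule_cmds RULE_NUM CLIENT_IP ADDR...
# Prints the "ipfw add" commands that let CLIENT_IP talk POP3 (110) and
# SMTP (25) with each server address given. Every rule carries the same
# rule number, so one user maps to one number.
rule_cmds() {
    num=$1; client=$2; shift 2
    for ip in "$@"; do
        for port in 25 110; do
            # client -> server connection, and the server's replies back
            echo "ipfw add $num allow tcp from $client to $ip $port"
            echo "ipfw add $num allow tcp from $ip $port to $client"
        done
    done
}

# delete_cmd RULE_NUM
# Removing the user's access is a single command: "ipfw delete N" removes
# every rule that carries number N, with no flush of the other rules.
delete_cmd() {
    echo "ipfw delete $1"
}

# resolve_a HOST
# Current A records of HOST, one per line, via host(1). Called at the time
# the rules are (re)generated; not exercised in the sample run below.
resolve_a() {
    host -t A "$1" | awk '/has address/ { print $NF }'
}

# Sample run with constructed values standing in for the round-robin
# answers of mail.user.com; in practice: rule_cmds 2100 192.0.2.10 $(resolve_a mail.user.com)
rule_cmds 2100 192.0.2.10 198.51.100.11 198.51.100.12
delete_cmd 2100
```

Because DNS answers change, the generator has to be re-run (delete the number, add the new set) whenever the host's records change; ipfw will not follow them on its own.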