Message-ID: <19990713090332.A8897@homer.louisville.edu>
Date: Tue, 13 Jul 1999 09:03:32 -0400
From: Keith Stevenson
To: freebsd-hackers@freebsd.org
Subject: Re: Setting up a firewall with dynamic IPs
References: <199907130856.QAA12434@ariadne.tensor.pgs.com>

On Tue, Jul 13, 1999 at 10:16:32PM +0930, Kris Kennaway wrote:
> On Tue, 13 Jul 1999, Stephen Hocking-Senior Programmer PGS Tensor Perth wrote:
>
> > I was checking out the firewall setup in /etc/rc.firewall, and noticed that
> > the simple example relied on a fixed IP address for the external interface. I
> > don't know ahead of time what IP address is going to be allocated to me before
> > I dial up. Would it be possible to specify an interface (tun0) rather than an
> > IP address?
>
> You could probably do it from /etc/ppp/ppp.linkup, which knows your IP address
> as MYADDR. But if you just have a single machine on the end of the dialup then
> I find I can get away with just specifying the netmask from which the dialup
> IPs are assigned in place of a single address - all that can happen is that
> packets get through your firewall destined to a nonexistent address (i.e. if
> you allow incoming port Y traffic then people can send to port Y on
> nonexistent IP addresses (i.e. your peer addresses) which will be dropped by
> the kernel).

Keep in mind that if securelevel > 2, the ipfw rules can not be changed.

Regards,
--Keith Stevenson--

--
Keith Stevenson
System Programmer - Data Center Services - University of Louisville
k.stevenson@louisville.edu
PGP key fingerprint = 4B 29 A8 95 A8 82 EA A2 29 CE 68 DE FC EE B6 A0
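
Added example, not part of either message: a script that the ppp.linkup approach described above could call once the address is known, with the securelevel caveat built in as a guard. The ppp.linkup entry, the script path, the rule numbers, the policy and the SECURELEVEL/RUN overrides are all assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not from the thread. Assumed ppp.linkup entry (the script
# path and name are hypothetical):
#   MYADDR:
#    !bg /usr/local/sbin/dialup-fw.sh MYADDR INTERFACE 25
# Rule numbers 2000/2010 and the policy itself are constructed.

# Succeed only for a dotted-quad IPv4 address with octets in 0..255.
valid_ipv4() {
    case "$1" in *[!0-9.]*|*..*|.*|*.) return 1 ;; esac
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ ${#octet} -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
}

# Print the ipfw commands for this link; nothing is executed here.
gen_rules() {
    addr=$1 iface=$2 port=$3
    valid_ipv4 "$addr" || { echo "bad address: $addr" >&2; return 1; }
    case "$iface" in ''|*[!a-z0-9]*) echo "bad interface" >&2; return 1 ;; esac
    case "$port" in ''|*[!0-9]*) echo "bad port" >&2; return 1 ;; esac
    echo "ipfw -q delete 2000 2010"
    echo "ipfw -q add 2000 deny all from $addr to any in via $iface"
    echo "ipfw -q add 2010 allow tcp from any to $addr $port setup in via $iface"
}

# Refuse when securelevel > 2 (rules are frozen), otherwise run the commands.
# SECURELEVEL and RUN are hypothetical overrides for dry runs (RUN=cat).
apply_rules() {
    level=${SECURELEVEL:-$(sysctl -n kern.securelevel)}
    if [ "$level" -gt 2 ]; then
        echo "securelevel $level: ipfw rules cannot be changed" >&2
        return 2
    fi
    rules=$(gen_rules "$@") || return 1
    printf '%s\n' "$rules" | ${RUN:-sh}
}

[ $# -eq 0 ] || apply_rules "$@"
```

Running it with RUN=cat prints the commands instead of executing them; on the first dial-up the delete line reports that the rules do not exist yet, which is harmless.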