From owner-freebsd-hackers Tue Jul 13 6:29:43 1999
From: Jon Hamilton
To: Kris Kennaway
Cc: Stephen Hocking-Senior Programmer PGS Tensor Perth, hackers@freebsd.org
Subject: Re: Setting up a firewall with dynamic IPs
In-reply-to: Your message of "Tue, 13 Jul 1999 22:16:32 +0930."
Date: Tue, 13 Jul 1999 08:29:29 -0500
Message-Id: <19990713132930.342EF200@woodstock.monkey.net>

In message , Kris Kennaway wrote:

} On Tue, 13 Jul 1999, Stephen Hocking-Senior Programmer PGS Tensor Perth wrote:
}
} > I was checking out the firewall setup in /etc/rc.firewall, and noticed
} > that the simple example relied on a fixed IP address for the external
} > interface. I don't know ahead of time what IP address is going to be
} > allocated to me before I dial up. Would it be possible to specify an
} > interface (tun0) rather than an IP address?
}
} You could probably do it from /etc/ppp/ppp.linkup, which knows your IP
} address as MYADDR. But if you just have a single machine on the end of the
} dialup then

You can do it as the original poster was thinking as well by specifying the
"recv $interface" parameter. See ipfw(8) for details.
} I find I can get away with just specifying the netmask from which the dialup
} IPs are assigned in place of a single address - all that can happen is that
} packets get through your firewall destined to a nonexistent address (i.e. if
} you allow incoming port Y traffic then people can send to port Y on
} nonexistent IP addresses (i.e. your peer addresses) which will be dropped by
} the kernel).

That approach will lose if you change ISPs or if your ISP changes or expands
its dynamic IP pool. There's also a small window between the time your ppp
connection is established and the time ppp.linkup is executed; better to do
this based on interface.

-- 
Jon Hamilton
hamilton@pobox.com
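Jon's point about keying the rules to the interface, as an added example (not code from the thread or from /etc/rc.firewall): it assumes tun0 is the dialup interface, uses a constructed inside network of 192.168.1.0/24, and only prints the ipfw commands for review rather than loading them.

```shell
#!/bin/sh
# Added example, not from the thread or from /etc/rc.firewall: build ipfw
# rules that match on the receiving interface ("in recv <if>") so they need
# no knowledge of the address ppp negotiates at dial-up time.
# Assumed values: dialup interface tun0, constructed inside net 192.168.1.0/24.
# The functions only print the commands; nothing here calls ipfw.

# Address-bound style: each rule embeds the external address ($1), which is
# exactly the value that is unknown before the link comes up.
fixed_ip_rules() {
    oip="$1"; oif="$2"; inet="$3"
    printf 'ipfw add 100 deny ip from %s to any in via %s\n' "$inet" "$oif"
    printf 'ipfw add 200 allow tcp from any to any established\n'
    printf 'ipfw add 210 allow tcp from any to %s 25 setup\n' "$oip"
}

# Interface-bound style: the same policy, but "in recv $oif" replaces the
# literal address, so the rules are valid before and after every dial-up
# and survive a change of ISP or of its dynamic pool.
interface_rules() {
    oif="$1"; inet="$2"
    # anti-spoofing: inside or loopback sources must never arrive on tun0
    printf 'ipfw add 100 deny ip from %s to any in recv %s\n' "$inet" "$oif"
    printf 'ipfw add 110 deny ip from 127.0.0.0/8 to any in recv %s\n' "$oif"
    # replies to connections this host opened
    printf 'ipfw add 200 allow tcp from any to any established\n'
    # new inbound SMTP, to whatever address tun0 currently carries
    printf 'ipfw add 210 allow tcp from any to any 25 in recv %s setup\n' "$oif"
}

# Review check on a rule set read from stdin: succeeds only if no rule
# carries a dotted-quad other than the inside net and loopback, i.e. no
# rule depends on the dynamically assigned external address.
rules_address_free() {
    inet="$1"
    if grep -v "$inet" | grep -v '127\.0\.0\.0/8' \
        | grep -q '[0-9]\{1,3\}\(\.[0-9]\{1,3\}\)\{3\}'; then
        return 1
    fi
    return 0
}

interface_rules tun0 192.168.1.0/24
```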