Date:      Tue, 13 Jul 1999 08:29:29 -0500
From:      Jon Hamilton <hamilton@pobox.com>
To:        Kris Kennaway <kkennawa@physics.adelaide.edu.au>
Cc:        Stephen Hocking-Senior Programmer PGS Tensor Perth <shocking@prth.pgs.com>, hackers@freebsd.org
Subject:   Re: Setting up a firewall with dynamic IPs 
Message-ID:  <19990713132930.342EF200@woodstock.monkey.net>
In-Reply-To: Your message of "Tue, 13 Jul 1999 22:16:32 +0930." <Pine.OSF.4.10.9907132210380.2013-100000@bragg>


In message <Pine.OSF.4.10.9907132210380.2013-100000@bragg>, Kris Kennaway wrote:
} On Tue, 13 Jul 1999, Stephen Hocking-Senior Programmer PGS Tensor Perth wrote:
} 
} > I was checking out the firewall setup in /etc/rc.firewall, and noticed 
} > that the simple example relied on a fixed IP address for the external 
} > interface.  I don't know ahead of time what IP address is going to be 
} > allocated to me before I dial up. Would it be possible to specify an 
} > interface (tun0) rather than an IP address?
} 
} You could probably do it from /etc/ppp/ppp.linkup, which knows your IP 
} address as MYADDR. But if you just have a single machine on the end of the 
} dialup then

You can do it as the original poster was thinking as well by specifying the
"recv $interface" parameter.  See ipfw(8) for details.

} I find I can get away with just specifying the netmask from which the dialup
} IPs are assigned in place of a single address - all that can happen is that
} packets get through your firewall destined to a nonexistent address (i.e. if
} you allow incoming port Y traffic then people can send to port Y on
} nonexistent IP addresses (i.e. your peer addresses) which will be dropped by
} the kernel).

That approach will lose if you change ISPs or if your ISP changes or expands
its dynamic IP pool.  There's also a small window between the time your
ppp connection is established and the time ppp.linkup is executed; better
to do this based on interface.

-- 
   Jon Hamilton  
   hamilton@pobox.com
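As an added example (not code from the thread or from FreeBSD's own rc.firewall), an rc.firewall-style rule set that follows Jon's suggestion and matches on the external interface rather than on the dial-up address; the interface name tun0 and the set of permitted inbound services are assumptions.

```shell
# Added example, not from the thread. Interface-based ipfw rules for a
# dial-up host whose address on the external interface changes every call.
# Dry run by default: the commands are printed. Set fwcmd=/sbin/ipfw to apply.
fwcmd="${fwcmd:-echo /sbin/ipfw}"

# Emit the rule set for the external interface named in $1 (assumed tun0).
# Rules match on the interface ("recv"/"xmit") instead of a fixed address,
# so nothing has to be rewritten when the ISP hands out a new IP, and the
# rules already apply before ppp.linkup has had a chance to run.
firewall_rules() {
    oif="$1"

    ${fwcmd} -f flush

    # Loopback traffic is trusted; nothing else may claim the loopback net.
    ${fwcmd} add pass all from any to any via lo0
    ${fwcmd} add deny all from any to 127.0.0.0/8

    # Anti-spoofing: private and loopback sources never arrive legitimately
    # on the dial-up link, whatever address we currently hold on it.
    ${fwcmd} add deny all from 10.0.0.0/8 to any in recv "${oif}"
    ${fwcmd} add deny all from 172.16.0.0/12 to any in recv "${oif}"
    ${fwcmd} add deny all from 192.168.0.0/16 to any in recv "${oif}"
    ${fwcmd} add deny all from 127.0.0.0/8 to any in recv "${oif}"

    # Anything this host originates may leave; replies may come back
    # (assumed services: DNS answers and the ICMP types needed for diagnostics).
    ${fwcmd} add pass all from any to any out xmit "${oif}"
    ${fwcmd} add pass tcp from any to any established
    ${fwcmd} add pass udp from any 53 to any in recv "${oif}"
    ${fwcmd} add pass icmp from any to any icmptypes 0,3,11 in recv "${oif}"

    # Everything else arriving on the link is logged and dropped.
    ${fwcmd} add deny log all from any to any in recv "${oif}"
}

firewall_rules "${1:-tun0}"
```

Run with no arguments to see the rules that would be loaded for tun0; pass another interface name to generate them for that link instead.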






