From owner-freebsd-security Sun Mar 3 10:17:42 2002
Date: Sun, 3 Mar 2002 13:17:32 -0500 (EST)
From: Chris BeHanna
Reply-To: Chris BeHanna
Subject: Re: ipfw and DHCP
In-Reply-To: <200203011358.g21Dw6i06900@bunrab.catwhisker.org>
Message-ID: <20020303131353.H98814-100000@topperwein.dyndns.org>
Sender: owner-freebsd-security@FreeBSD.ORG

On Fri, 1 Mar 2002, David Wolfskill wrote:

> >From: George.Giles@mcmail.vanderbilt.edu
> >Date: Fri, 1 Mar 2002 07:52:26 -0600
>
> >How do you get ipfw to pick-up DHCP value for oif in the rc.firewall script
> >?
>
> >From "man ipfw":
>
>      src and dst:
>          any | me | [not] [ports]
>
>      Specifying any makes the rule match any IP address.
>
>      Specifying me makes the rule match any IP address configured on
>      an interface in the system.

    "me" can be somewhat expensive, however.  For those rules for
which I want to use my address instead of my external interface, I do
this near the top of /etc/rc.firewall:

    oif=dc0
    oip="`ifconfig ${oif} inet | grep inet | awk '{ print $2 }'`"
    onet="`echo ${oip} | sed -E 's/\.[0-9]{1,3}$/.0/'`"

    Note that this only works if your ISP (like mine) will continue
to give you the same address over and over as long as you're powered
up at lease renewal time.  If that's not true, you're stuck with "me",
unless you can rewrite your rules to use only your external interface.

-- 
Chris BeHanna
Software Engineer (Remove "bogus" before responding.)
behanna@bogus.zbzoom.net
I was raised by a pack of wild corn dogs.
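
Added example, not part of the original message or of FreeBSD's rc.firewall: a sh sketch that goes beyond the /24 assumption in the snippet above by deriving oip and onet from the interface's actual hex netmask, and that checks whether the address the rules were built with is still the one on the interface after a lease renewal. The function names, the sample ifconfig output and the 10.20.31.77 address are constructed for illustration.

```sh
#!/bin/sh
# Constructed sample of `ifconfig dc0 inet` output (not from the original post).
SAMPLE_IFCONFIG='dc0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
    inet 10.20.31.77 netmask 0xfffffe00 broadcast 10.20.31.255'

# Print "address hexmask" for the first IPv4 address in ifconfig output on stdin.
first_inet() {
    awk '$1 == "inet" && $3 == "netmask" { print $2, $4; exit }'
}

# Dotted quad -> integer; rejects non-digits, leading zeros and octets > 255.
ip_to_int() {
    case "$1" in ""|*[!0-9.]*|*.|0[0-9]*|*.0[0-9]*) return 1 ;; esac
    old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        [ -n "$o" ] && [ "$o" -le 255 ] || return 1
    done
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

int_to_ip() {
    echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

# Read ifconfig output on stdin; print "oip onet/prefixlen" using the real netmask.
derive_oip_onet() {
    pair=$(first_inet)
    addr=${pair%% *}; hex=${pair#* }; hex=${hex#0x}
    ip=$(ip_to_int "$addr") || { echo "no usable IPv4 address" >&2; return 1; }
    # Validate the mask before arithmetic expansion so odd input is never evaluated.
    case "$hex" in ""|*[!0-9a-fA-F]*) return 1 ;; esac
    mask=$(( 0x$hex )); bits=0; m=$mask
    while [ "$m" -ne 0 ]; do bits=$(( bits + (m & 1) )); m=$(( m >> 1 )); done
    echo "$addr $(int_to_ip $(( ip & mask )))/$bits"
}

# Exit 0 when the address now on the interface (ifconfig output on stdin) differs
# from $1, the address the loaded rules were built with: the rules need a reload.
oip_is_stale() {
    pair=$(first_inet)
    [ "$1" != "${pair%% *}" ]
}

# Demo on the constructed sample; the sed in the post would have given 10.20.31.0.
printf '%s\n' "$SAMPLE_IFCONFIG" | derive_oip_onet
```

On a live host, pipe `ifconfig ${oif} inet` into these functions in place of the sample text.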