From owner-freebsd-bugs@FreeBSD.ORG Mon Aug 2 16:20:34 2004
Return-Path:
Delivered-To: freebsd-bugs@hub.freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 9BA0D16A4D6 for ; Mon, 2 Aug 2004 16:20:34 +0000 (GMT)
Received: from freefall.freebsd.org (freefall.freebsd.org [216.136.204.21]) by mx1.FreeBSD.org (Postfix) with ESMTP id 7DE3E43D31 for ; Mon, 2 Aug 2004 16:20:34 +0000 (GMT) (envelope-from gnats@FreeBSD.org)
Received: from freefall.freebsd.org (gnats@localhost [127.0.0.1]) by freefall.freebsd.org (8.12.11/8.12.11) with ESMTP id i72GKY0q062294 for ; Mon, 2 Aug 2004 16:20:34 GMT (envelope-from gnats@freefall.freebsd.org)
Received: (from gnats@localhost) by freefall.freebsd.org (8.12.11/8.12.11/Submit) id i72GKYQM062293; Mon, 2 Aug 2004 16:20:34 GMT (envelope-from gnats)
Resent-Date: Mon, 2 Aug 2004 16:20:34 GMT
Resent-Message-Id: <200408021620.i72GKYQM062293@freefall.freebsd.org>
Resent-From: FreeBSD-gnats-submit@FreeBSD.org (GNATS Filer)
Resent-To: freebsd-bugs@FreeBSD.org
Resent-Reply-To: FreeBSD-gnats-submit@FreeBSD.org, Roderick van Domburg
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 2F1ED16A4CE for ; Mon, 2 Aug 2004 16:14:21 +0000 (GMT)
Received: from magog.student.utwente.nl (magog.student.utwente.nl [130.89.162.206]) by mx1.FreeBSD.org (Postfix) with ESMTP id 8CF7B43D62 for ; Mon, 2 Aug 2004 16:14:20 +0000 (GMT) (envelope-from roderick@magog.student.utwente.nl)
Received: from magog.student.utwente.nl (localhost [127.0.0.1]) i72GEJCB066674 for ; Mon, 2 Aug 2004 18:14:19 +0200 (CEST) (envelope-from roderick@magog.student.utwente.nl)
Received: (from roderick@localhost) by magog.student.utwente.nl (8.13.1/8.13.1/Submit) id i72GEIQI066673; Mon, 2 Aug 2004 18:14:18 +0200 (CEST) (envelope-from roderick)
Message-Id: <200408021614.i72GEIQI066673@magog.student.utwente.nl>
Date: Mon, 2 Aug 2004 18:14:18 +0200 (CEST)
From: Roderick van Domburg
To: FreeBSD-gnats-submit@FreeBSD.org
X-Send-Pr-Version: 3.113
Subject: conf/69911: [patch] Revamp rc.firewall to transparently support both DHCP and static configuration
X-BeenThere: freebsd-bugs@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
List-Id: Bug reports
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Mon, 02 Aug 2004 16:20:34 -0000

>Number:         69911
>Category:       conf
>Synopsis:       [patch] Revamp rc.firewall to transparently support both DHCP and static configuration
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    freebsd-bugs
>State:          open
>Quarter:
>Keywords:
>Date-Required:
>Class:          change-request
>Submitter-Id:   current-users
>Arrival-Date:   Mon Aug 02 16:20:34 GMT 2004
>Closed-Date:
>Last-Modified:
>Originator:     Roderick van Domburg
>Release:        FreeBSD 5.2-CURRENT sparc64
>Organization:
University of Twente
>Environment:
System: FreeBSD magog.student.utwente.nl 5.2-CURRENT FreeBSD 5.2-CURRENT #0: Mon Aug 2 06:16:33 CEST 2004 roderick@magog.student.utwente.nl:/usr/obj/usr/src/sys/MAGOG sparc64
>Description:
In the past, firewall support in DHCP environments has been lacking. Manually editing rc.firewall upon every new networking configuration is a hassle that keeps many users busy. Such users include roaming laptop users as well as desktops in enterprise DHCP environments. Additionally, many DHCP users are unsure which rules to use to securely allow DHCP traffic.
>How-To-Repeat:
>Fix:
The attached patch is completely transparent in both DHCP and static environments. Besides supporting roaming configurations, it has also become easier to configure because it only needs the name of the interface instead of the IP address, netmask and network. This has the additional advantage that there is no need to edit both /etc/rc.conf _and_ /etc/rc.firewall when a static network configuration changes.
Roaming users only need to create a simple /etc/dhclient-exit-hooks to reload the firewall when necessary, like so:

	#!/bin/sh
	# Sourced by dhclient-script after each lease event; old_* and new_* hold
	# the previous and the new lease parameters. Reload only when an address
	# parameter actually changed, so a plain renewal does not rebuild the ruleset.
	if [ "${new_ip_address}" != "${old_ip_address}" ] ||
	   [ "${new_broadcast_address}" != "${old_broadcast_address}" ] ||
	   [ "${new_subnet_mask}" != "${old_subnet_mask}" ]; then
		( /etc/rc.d/ipfw restart )
	fi

--- rc.firewall-dhcp.patch begins here ---
--- rc.firewall.old	Mon Aug 2 17:30:42 2004
+++ rc.firewall	Mon Aug 2 17:30:19 2004
@@ -150,10 +150,13 @@
  # against people from outside your own network.
  ############
 
- # set these to your network and netmask and ip
- net="192.0.2.0"
- mask="255.255.255.0"
- ip="192.0.2.1"
+ # set this to your interface...
+ _if="hme0"
+
+ # ... and these will be set up automatically
+ ip=`ifconfig $_if | grep "inet " | awk '{print $2}'`
+ mask=`ifconfig $_if | grep "inet " | awk '{print $4}'`
+ net=`ifconfig $_if | grep "inet " | awk '{print $6}'`
 
  setup_loopback
 
@@ -181,6 +184,24 @@
  # Allow NTP queries out in the world
  ${fwcmd} add pass udp from ${ip} to any 123 keep-state
 
+
+ # If using DHCP, allow DHCP queries out in the world
+ # see if this interface is configured through DHCP
+ eval _test_if="\$ifconfig_${_if}"
+ case ${_test_if} in
+ [Dd][Hh][Cc][Pp])
+ if [ "$ip" = "0.0.0.0" ]; then
+ # Network is initializing
+ ${fwcmd} add pass udp from ${ip} to any 67 keep-state
+ ${fwcmd} add pass udp from any to ${net} 68 keep-state
+ else
+ # Network already is configured. Allow queries "any" queries
+ # because the DHCP server may have moved.
+ ${fwcmd} add pass udp from ${ip} to any 67 keep-state
+ ${fwcmd} add pass udp from any to ${ip} 68 keep-state
+ fi
+ ;;
+ esac
 
  # Everything else is denied by default, unless the
  # IPFIREWALL_DEFAULT_TO_ACCEPT option is set in your kernel
--- rc.firewall-dhcp.patch ends here ---
>Release-Note:
>Audit-Trail:
>Unformatted:
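Review bot: the three backtick assignments in the first hunk (`ip=`, `mask=`, `net=`) break in exactly the situations the patch is meant to cover. `ifconfig $_if | grep "inet "` prints one line per IPv4 address, so an interface with an alias gives `ip` a two-word value and every later `${fwcmd} add pass ... from ${ip}` fails; an interface with no IPv4 address yet (dhclient not started, or a static interface that is down) gives empty variables, and rc.firewall then emits `add pass udp from  to any 123 keep-state`, which ipfw rejects, leaving a half-loaded ruleset with no error that points at the cause. Field 6 of the `inet` line is also the broadcast address, not the network, so for 192.0.2.1/24 `net` becomes 192.0.2.255; it only works because ipfw masks the address in the `${net}:${mask}` form, and `mask` is passed through in the hex form ifconfig prints. Suggest taking only the first match (`awk '$1 == "inet" {print $2; exit}'`), stopping with a clear message when `ip` is empty, and computing the network from ip and mask instead of copying the broadcast field; the comment "these will be set up automatically" should also say that only the first address is used.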
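Review bot: in the second hunk `case ${_test_if} in [Dd][Hh][Cc][Pp])` matches only when ifconfig_<if> is exactly "dhcp" in any case, so a value that carries extra options (for example "DHCP media 100baseTX") silently gets no DHCP rules; match `*[Dd][Hh][Cc][Pp]*` or use the same test the rc framework uses to decide whether to start dhclient. The two branches differ only in the destination of the port-68 rule, and in the "Network is initializing" branch `${net}` is not a network: with the interface at 0.0.0.0 the sixth ifconfig field is 255.255.255.255, so the rule admits broadcast replies by accident of the parsing above rather than by intent; write `255.255.255.255` (or `any`) explicitly and say so in the comment. `keep-state` on an inbound rule for broadcast replies creates a dynamic entry per reply and gains nothing, a plain stateless pass is simpler; and the comment "Allow queries "any" queries" has a doubled word.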
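As an added example, not part of this PR's patch or of FreeBSD's rc.firewall, the POSIX sh below derives ip, mask and net from ifconfig output the way the patch intends, but handles the cases its three backtick lines do not: a second IPv4 alias, an interface with no IPv4 address, and dhclient's 0.0.0.0 placeholder. It converts the hex netmask ifconfig prints to the dotted form, computes the network as ip AND mask instead of copying the broadcast field, and goes slightly beyond the page by also accepting a dotted netmask as printed by Linux ifconfig. The sample ifconfig text is constructed, and the function names are mine.

```sh
#!/bin/sh
# Added example; the ifconfig output below is constructed, not captured.
SAMPLE_BOUND='hme0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
    inet6 fe80::a00:20ff:fe12:3456%hme0 prefixlen 64 scopeid 0x1
    inet 192.0.2.17 netmask 0xffffff00 broadcast 192.0.2.255
    inet 192.0.2.18 netmask 0xffffffff broadcast 192.0.2.18
    ether 08:00:20:12:34:56'
SAMPLE_PREINIT='hme0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
    inet 0.0.0.0 netmask 0x00000000 broadcast 255.255.255.255
    ether 08:00:20:12:34:56'
SAMPLE_NOADDR='hme0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
    inet6 fe80::a00:20ff:fe12:3456%hme0 prefixlen 64 scopeid 0x1
    ether 08:00:20:12:34:56'

# Dotted quad -> unsigned integer.
ip_to_int() {
    _oifs=$IFS; IFS=.; set -- $1; IFS=$_oifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# Unsigned integer -> dotted quad.
int_to_ip() {
    echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

# Netmask as ifconfig prints it (FreeBSD: 0xffffff00, Linux: 255.255.255.0)
# -> dotted quad, the form rc.firewall's ${net}:${mask} rules expect.
mask_to_dotted() {
    case $1 in
        0x*|0X*) int_to_ip "$(( $1 ))" ;;
        *)       echo "$1" ;;
    esac
}

# Read ifconfig output on stdin and print "ip mask net" for the FIRST IPv4
# address only (aliases would otherwise yield multi-word values).
# Exit status: 0 = configured, 2 = 0.0.0.0 placeholder (dhclient PREINIT,
# load DHCP-only rules), 1 = no IPv4 address at all (nothing printed).
fw_addrs_from_ifconfig() {
    _line=$(awk '$1 == "inet" { print $2, $4; exit }')
    [ -n "$_line" ] || return 1
    set -- $_line
    _ip=$1
    _mask=$(mask_to_dotted "$2")
    _net=$(int_to_ip "$(( $(ip_to_int "$_ip") & $(ip_to_int "$_mask") ))")
    echo "$_ip $_mask $_net"
    [ "$_ip" != "0.0.0.0" ] || return 2
}

# Demonstration on the three constructed samples.
for _sample in "$SAMPLE_BOUND" "$SAMPLE_PREINIT" "$SAMPLE_NOADDR"; do
    _addrs=$(printf '%s\n' "$_sample" | fw_addrs_from_ifconfig)
    echo "status=$? addrs='$_addrs'"
done
```

On a real host replace the `printf` with `ifconfig "$_if" | fw_addrs_from_ifconfig` and branch on the exit status: 1 means stop before any address-based rule is loaded, 2 means load the DHCP rules only, 0 means load the full client ruleset.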