Date:      Tue, 30 Mar 2010 16:01:39 +0100
From:      Matthew Seaman <m.seaman@infracaninophile.co.uk>
To:        Walter <walterk1@earthlink.net>
Cc:        Questions <freebsd-questions@freebsd.org>
Subject:   Re: Setting firewall symbolic constants
Message-ID:  <4BB21253.7050702@infracaninophile.co.uk>
In-Reply-To: <4BB1F429.7030407@earthlink.net>
References:  <4BB1F429.7030407@earthlink.net>


On 30/03/2010 13:52:57, Walter wrote:
> In the example firewall rule set in rc.firewall, there are
> the following lines:
> 
> # set these to your outside interface network
>    oif="$firewall_simple_oif"
>    onet="$firewall_simple_onet"
> 
> # set these to your inside interface network
>    iif="$firewall_simple_iif"
>    inet="$firewall_simple_inet"
> 
> Can these be set by the system automatically?  Specifically
> $firewall_simple_onet?
> 
> When the IP changes on the ISP's side, I'd like to
> have this detected and updated in the rules without my
> manual intervention.  Do I need to write a utility and
> run in crontab?  Or is there a better way?
> 
> I'm off-list, so please reply directly to this e-mail addy.

If you switch to using PF rather than IPFW, this is very easy.

In a PF ruleset, the name of an interface is expanded to a list of all
of the IP numbers configured on it.  So you'll frequently see rules like
this:

ext_if = "de0"
[...]
pass log on $ext_if proto tcp  \
     from any to any port smtp \
     flags S/SA keep state

You can also say $ext_if:network to mean the locally attached network on
that interface.  Works with both IPv4 and IPv6.

One important wrinkle -- normally the resolution from interface name to
IP number happens just once, when the rules are initially loaded.  If
your interface has a dynamic address, simply enclose the i/f name in
brackets, like so: ($ext_if).  This causes PF to update the mapping as
the IP number changes.  It's less efficient, which is why it isn't
usually done for a machine with fixed addresses, but that won't cause
you any problems for typical DSL or even Cable speeds.

	Cheers,

	Matthew

-- 
Dr Matthew J Seaman MA, D.Phil.                   7 Priory Courtyard
                                                  Flat 3
PGP: http://www.infracaninophile.co.uk/pgpkey     Ramsgate
                                                  Kent, CT11 9PW
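Putting the two points above together, here is an added example of a small pf.conf for a host whose outside address is assigned by the ISP; it is not from the original message, and the interface names (de0, fxp0) and the services opened are assumptions to adjust for your own system.

```pf
# Added example, not part of the original reply.  Assumed interface names:
# de0 is the outside interface with a dynamic address, fxp0 the inside one.
ext_if = "de0"
int_if = "fxp0"

# Static form: $ext_if is resolved to its addresses once, when the rules load.
# Dynamic form: ($ext_if) makes PF track the interface's current addresses,
# so nothing needs to be reloaded when the ISP hands out a new one.
# $int_if:network expands to the network directly attached to that interface.

set skip on lo0
scrub in all

# Inside hosts leave through whatever address the outside interface holds now.
nat on $ext_if from $int_if:network to any -> ($ext_if)

# Default deny, then open only what is needed.
block log all

# Inside network may go anywhere; replies are matched by the state table.
pass in  on $int_if from $int_if:network to any keep state
pass out on $ext_if from ($ext_if) to any keep state

# Inbound services on the dynamic outside address (assumed set of ports).
pass in log on $ext_if proto tcp from any to ($ext_if) \
     port { smtp, ssh } flags S/SA keep state

# If the outside address comes from DHCP, let the client renew its lease.
pass on $ext_if proto udp from any port 67 to any port 68
```

Check the file with `pfctl -nf /etc/pf.conf` before loading it with `pfctl -f /etc/pf.conf`; the parenthesised rules then follow address changes on de0 without any cron job.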