From: Matthew Seaman
Organization: Infracaninophile
Date: Tue, 30 Mar 2010 16:01:39 +0100
To: Walter
Cc: Questions <freebsd-questions@freebsd.org>
Subject: Re: Setting firewall symbolic constants
Message-ID: <4BB21253.7050702@infracaninophile.co.uk>
In-Reply-To: <4BB1F429.7030407@earthlink.net>

On 30/03/2010 13:52:57, Walter wrote:
> In the example firewall rule set in rc.firewall, there are
> the following lines:
>
> # set these to your outside interface network
> oif="$firewall_simple_oif"
> onet="$firewall_simple_onet"
>
> # set these to your inside interface network
> iif="$firewall_simple_iif"
> inet="$firewall_simple_inet"
>
> Can these be set by the system automatically? Specifically
> $firewall_simple_onet?
>
> When the IP changes on the ISP's side, I'd like to
> have this detected and updated in the rules without my
> manual intervention. Do I need to write a utility and
> run in crontab? Or is there a better way?
>
> I'm off-list, so please reply directly to this e-mail addy.

If you switch to using PF rather than IPFW, this is very easy. In a PF
ruleset, the name of an interface is expanded to a list of all of the
IP numbers configured on it. So you'll frequently see rules like this:

    ext_if = "de0"

    [...]

    pass log on $ext_if proto tcp \
        from any to any port smtp \
        flags S/SA keep state

You can also say $ext_if:network to mean the locally attached network
on that interface. Works with both IPv4 and IPv6.

One important wrinkle -- normally the resolution from interface name to
IP number happens just once, when the rules are initially loaded. If
your interface has a dynamic address, simply enclose the i/f name in
brackets, like so:

    ($ext_if)

This causes PF to update the mapping as the IP number changes. It's
less efficient, which is why it isn't usually done for a machine with
fixed addresses, but that won't cause you any problems for typical DSL
or even Cable speeds.

Cheers,

Matthew

-- 
Dr Matthew J Seaman MA, D.Phil.
PGP: http://www.infracaninophile.co.uk/pgpkey
7 Priory Courtyard, Flat 3
Ramsgate, Kent, CT11 9PW
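A complete pf.conf for the situation Walter describes (an outside interface whose address is assigned by the ISP and may change, a fixed inside network behind NAT), added here as an illustration of the two forms Matthew contrasts; it is not from his reply, from Walter's message, or from FreeBSD's rc.firewall. The interface names em0 and em1, the choice of SSH as the only inbound service, and the rate-limit numbers are assumptions for the example.

```pf
# /etc/pf.conf -- added example, not from the original thread.
# Assumed interface names: em0 faces the ISP (dynamic address),
# em1 faces the LAN. Change these to match your hardware.
ext_if = "em0"
int_if = "em1"

# Hosts that trip the SSH connection-rate limit below land here.
table <bruteforce> persist

set skip on lo0
scrub in all

# Outbound NAT for the LAN. "$int_if:network" is resolved once at load
# time, which is fine because the inside network does not change. The
# parenthesised ($ext_if) makes PF look up the outside address per
# packet, so a DHCP or PPP renewal does not leave NAT translating to a
# stale address.
nat on $ext_if from $int_if:network to any -> ($ext_if)

# Default deny, logged. With a default deny a stale address fails
# closed (you get locked out) rather than open.
block in log all
block out log all

# Drop packets arriving on the wrong interface for their source address.
antispoof quick for { lo0 $int_if }

# Repeat offenders are dropped before any pass rule is considered.
block in quick on $ext_if from <bruteforce> to any

# LAN hosts may go anywhere; replies are matched by state, not by rule.
pass in on $int_if from $int_if:network to any keep state
pass out on $ext_if proto { tcp udp icmp } from any to any keep state

# Inbound SSH to whatever address the outside interface has right now.
# Written as "$ext_if" without parentheses, this rule would be expanded
# to the address present at load time and would stop matching after a
# renewal; combined with the default block above that means lock-out.
pass in on $ext_if proto tcp from any to ($ext_if) port ssh \
    flags S/SA keep state \
    (max-src-conn-rate 5/30, overload <bruteforce> flush global)
```

Check the syntax with `pfctl -nf /etc/pf.conf` before loading it with `pfctl -f /etc/pf.conf`. Afterwards `pfctl -s rules` shows the difference between the two forms directly: a rule written with `$ext_if` appears with the interface name already replaced by the address(es) it had at load time, whereas a rule written with `($ext_if)` is shown with the name still in parentheses, because the lookup is deferred to the kernel. If the outside interface carries more than one address (an IPv6 address alongside the IPv4 one, for instance) and you want only the first, `($ext_if:0)` restricts the expansion to that one while keeping the dynamic behaviour.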