Date:      Tue, 30 Mar 2010 16:17:22 -0500
From:      Walter <walterk1@earthlink.net>
To:        Matthew Seaman <m.seaman@infracaninophile.co.uk>
Cc:        Questions <freebsd-questions@freebsd.org>
Subject:   Re: Setting firewall symbolic constants
Message-ID:  <4BB26A62.9020400@earthlink.net>
In-Reply-To: <4BB21253.7050702@infracaninophile.co.uk>
References:  <4BB1F429.7030407@earthlink.net> <4BB21253.7050702@infracaninophile.co.uk>

Matthew Seaman wrote:

>>Can these be set by the system automatically?  Specifically
>>$firewall_simple_onet?
>>    
>>
>If you switch to using PF rather than IPFW, this is very easy.
>
>In a PF ruleset, the name of an interface is expanded to a list of all
>of the IP numbers configured on it.  So you'll frequently see rules like
>this:
>
>ext_if = "de0"
>[...]
>pass log on $ext_if proto tcp  \
>     from any to any port smtp \
>     flags S/SA keep state
>
>You can also say $ext_if:network to mean the locally attached network on
>that interface.  Works with both IPv4 and IPv6.
>
>One important wrinkle -- normally the resolution from interface name to
>IP number happens just once, when the rules are initially loaded.  If
>your interface has a dynamic address, simply enclose the i/f name in
>brackets, like so: ($ext_if)  This causes PF to update the mapping as
>the IP number changes.  It's less efficient, which is why it isn't
>usually done for a machine with fixed addresses, but that won't cause
>you any problems for typical DSL or even Cable speeds.
>
>	Cheers,
>
>	Matthew
>
>  
>
Thanks, that's good to know, but I think I'll still plunge along
to work a solution for ipfw; it seems to be the default.  And along
the way I can detect and assign both interfaces and addresses
automatically so I can make it work "magically" (crosses fingers)
on computers with different cards without me having to configure
them.

Walter
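
One way to derive the outside network for ipfw automatically, along the lines Walter describes; this is an added example, not code from the thread or from FreeBSD's rc.firewall. It assumes `firewall_simple_onet` takes a `network/prefixlen` value and that `ifconfig` prints the IPv4 netmask in hex as FreeBSD does; the helper name `onet_from_ifconfig`, the interface name `em0` and the sample output are constructed for illustration.

```sh
#!/bin/sh
# Added example. Constructed sample of FreeBSD `ifconfig em0` output,
# using documentation addresses; it is not taken from the thread.
SAMPLE_IFCONFIG='em0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
	ether 00:00:5e:00:53:01
	inet 192.0.2.37 netmask 0xfffffff0 broadcast 192.0.2.47'

# Read ifconfig text on stdin and print "network/prefixlen" for the first
# IPv4 address. Returns 1 if there is none or the netmask is not contiguous.
onet_from_ifconfig() {
    # FreeBSD prints: inet <addr> netmask 0x<hex> broadcast <addr>
    set -- $(awk '$1 == "inet" && $3 == "netmask" { print $2, $4; exit }')
    [ $# -eq 2 ] || return 1
    addr=$1
    mask=$(( $2 ))

    # Split the dotted quad into octets and pack them into one integer.
    IFS=. read -r o1 o2 o3 o4 <<EOF
$addr
EOF
    ip=$(( (o1 << 24) | (o2 << 16) | (o3 << 8) | o4 ))
    net=$(( ip & mask ))

    # Count leading one bits; anything left over means a non-contiguous mask.
    bits=0
    m=$mask
    while [ $(( m & 0x80000000 )) -ne 0 ]; do
        bits=$(( bits + 1 ))
        m=$(( (m << 1) & 0xffffffff ))
    done
    [ "$m" -eq 0 ] || return 1

    printf '%d.%d.%d.%d/%d\n' \
        $(( (net >> 24) & 255 )) $(( (net >> 16) & 255 )) \
        $(( (net >> 8) & 255 ))  $(( net & 255 )) "$bits"
}

# On a real host (assumed interface name): ifconfig em0 | onet_from_ifconfig
printf '%s\n' "$SAMPLE_IFCONFIG" | onet_from_ifconfig
```

A value computed this way is fixed at the moment the rules are loaded, the same one-time resolution Matthew describes for PF without the `($ext_if)` form, so on a dynamic address the rules must be reloaded when the address changes.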


