From owner-freebsd-questions@FreeBSD.ORG Tue Mar 30 21:17:34 2010
Delivered-To: freebsd-questions@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 36F73106566B; Tue, 30 Mar 2010 21:17:34 +0000 (UTC) (envelope-from walterk1@earthlink.net)
Received: from pop-tawny.atl.sa.earthlink.net (pop-tawny.atl.sa.earthlink.net [207.69.195.67]) by mx1.freebsd.org (Postfix) with ESMTP id 11FCE8FC1F; Tue, 30 Mar 2010 21:17:33 +0000 (UTC)
Received: from user-0c6sn0e.cable.mindspring.com ([24.110.92.14] helo=[192.168.0.100]) by pop-tawny.atl.sa.earthlink.net with esmtp (Exim 3.36 #1) id 1NwioL-0002WV-00; Tue, 30 Mar 2010 17:17:21 -0400
Message-ID: <4BB26A62.9020400@earthlink.net>
Date: Tue, 30 Mar 2010 16:17:22 -0500
From: Walter
User-Agent: Mozilla/5.0 (Macintosh; U; PPC Mac OS X Mach-O; en-US; rv:1.7.2) Gecko/20040804 Netscape/7.2
X-Accept-Language: en-us, en
MIME-Version: 1.0
To: Matthew Seaman
References: <4BB1F429.7030407@earthlink.net> <4BB21253.7050702@infracaninophile.co.uk>
In-Reply-To: <4BB21253.7050702@infracaninophile.co.uk>
Content-Type: text/plain; charset=UTF-8; format=flowed
Content-Transfer-Encoding: 7bit
Cc: Questions
Subject: Re: Setting firewall symbolic constants
X-BeenThere: freebsd-questions@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: User questions
X-List-Received-Date: Tue, 30 Mar 2010 21:17:34 -0000

Matthew Seaman wrote:
>-----BEGIN PGP SIGNED MESSAGE-----
>Hash: SHA1
>
>>Can these be set by the system automatically? Specifically
>>$firewall_simple_onet?
>
>If you switch to using PF rather than IPFW, this is very easy.
>
>In a PF ruleset, the name of an interface is expanded to a list of all
>of the IP numbers configured on it. So you'll frequently see rules like
>this:
>
>ext_if = "de0"
>[...]
>pass log on $ext_if proto tcp \
>    from any to any port smtp \
>    flags S/SA keep state
>
>You can also say $ext_if:network to mean the locally attached network on
>that interface. Works with both IPv4 and IPv6.
>
>One important wrinkle -- normally the resolution from interface name to
>IP number happens just once, when the rules are initially loaded. If
>your interface has a dynamic address, simply enclose the i/f name in
>brackets, like so: ($ext_if). This causes PF to update the mapping as
>the IP number changes. It's less efficient, which is why it isn't
>usually done for a machine with fixed addresses, but that won't cause
>you any problems for typical DSL or even Cable speeds.
>
>	Cheers,
>
>	Matthew

Thanks, that's good to know, but I think I'll still plunge along to work a
solution for ipfw; it seems to be the default. And along the way I can
detect and assign both interfaces and addresses automatically so I can make
it work "magically" (crosses fingers) on computers with different cards
without me having to configure them.

Walter
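What Walter wants for ipfw (filling in $firewall_simple_onet from whatever card the machine has) and what Matthew describes for PF ($ext_if:network) both come down to the same step: read the interface's address and netmask and derive the attached network. The POSIX sh script below is an added example written for this page, not code from the thread or from FreeBSD's rc scripts. The ifconfig(8) output it parses is a constructed sample so the script runs anywhere; on a FreeBSD host you would feed it `ifconfig "$oif"` instead. firewall_simple_onet is the variable named in the thread; firewall_simple_omask is assumed here to be its netmask companion in /etc/rc.firewall.

```shell
#!/bin/sh
# Added example (not from the thread): derive the ipfw "simple" ruleset
# network settings from an interface's configured IPv4 address, the way
# PF expands $ext_if:network, so they need not be typed into rc.conf.
# The ifconfig output is a constructed sample; on FreeBSD use: ifconfig "$oif"

# Constructed sample of FreeBSD ifconfig output for an external interface.
SAMPLE_IFCONFIG='de0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
	options=8<VLAN_MTU>
	ether 00:a0:c9:12:34:56
	inet 24.110.92.14 netmask 0xfffffe00 broadcast 24.110.93.255
	inet6 fe80::2a0:c9ff:fe12:3456%de0 prefixlen 64 scopeid 0x1
	status: active'

# ifconfig_inet OUTPUT -> "ADDRESS HEXMASK" taken from the first IPv4 line
# (inet6 lines start with "inet6" and are skipped).
ifconfig_inet() {
    printf '%s\n' "$1" | awk '
        $1 == "inet" { for (i = 1; i < NF; i++) if ($i == "netmask") print $2, $(i + 1); exit }'
}

# dotted_to_int 24.110.92.14 -> 409885710 (subshell body keeps the IFS change local)
dotted_to_int() (
    IFS=.
    set -- $1
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
)

# int_to_dotted 4294966784 -> 255.255.254.0
int_to_dotted() {
    echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

# mask_to_prefix 4294966784 -> 23 (count the leading one bits of a 32-bit mask)
mask_to_prefix() {
    m=$1 n=0
    while [ $(( m & 0x80000000 )) -ne 0 ]; do
        n=$(( n + 1 ))
        m=$(( (m << 1) & 0xffffffff ))
    done
    echo "$n"
}

# if_network OUTPUT -> "24.110.92.0/23": the CIDR block PF would substitute
# for $ext_if:network on this interface.
if_network() {
    set -- $(ifconfig_inet "$1")
    mask=$(( $2 ))
    net=$(( $(dotted_to_int "$1") & mask ))
    echo "$(int_to_dotted "$net")/$(mask_to_prefix "$mask")"
}

# firewall_simple_vars OUTPUT -> rc.conf lines for the "simple" ipfw ruleset.
# firewall_simple_onet comes from the thread; firewall_simple_omask is assumed
# to be its netmask companion in /etc/rc.firewall (check your release).
firewall_simple_vars() {
    set -- $(ifconfig_inet "$1")
    mask=$(( $2 ))
    net=$(( $(dotted_to_int "$1") & mask ))
    printf 'firewall_simple_onet="%s"\nfirewall_simple_omask="%s"\n' \
        "$(int_to_dotted "$net")" "$(int_to_dotted "$mask")"
}

# Stand-alone run on the constructed sample.
firewall_simple_vars "$SAMPLE_IFCONFIG"
echo "network: $(if_network "$SAMPLE_IFCONFIG")"
```

Because the values are computed at boot from the live interface, the ruleset follows whatever address the card has, which is the same property Matthew's parenthesised ($ext_if) gives PF; the difference is that ipfw rules built this way are only as current as the last time the script ran, so a DHCP lease change still needs the firewall script re-run.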