From owner-freebsd-security Sun Mar 3 11:36:14 2002
Delivered-To: freebsd-security@freebsd.org
From: "Dean E. Weimer"
Subject: RE: ipfw and DHCP
Date: Sun, 3 Mar 2002 13:36:08 -0600
Message-ID: <000001c1c2ea$ab232eb0$0b62f00a@Happydays.Local>
In-Reply-To: <20020303131353.H98814-100000@topperwein.dyndns.org>
Sender: owner-freebsd-security@FreeBSD.ORG

-----Original Message-----
From: owner-freebsd-security@FreeBSD.ORG [mailto:owner-freebsd-security@FreeBSD.ORG] On Behalf Of Chris BeHanna
Sent: Sunday, March 03, 2002 12:18 PM
To: security@FreeBSD.ORG
Subject: Re: ipfw and DHCP

On Fri, 1 Mar 2002, David Wolfskill wrote:

> >From: George.Giles@mcmail.vanderbilt.edu
> >Date: Fri, 1 Mar 2002 07:52:26 -0600
> >
> >How do you get ipfw to pick-up DHCP value for oif in the rc.firewall script
> >?
>

I saw many different scripting solutions for this one, but one thing I haven't seen, since oif seems to be defined as a variable: is it a NIC, or a ppp interface (tun0)? If your external interface is through ppp there is a simple way to rebuild the rules when your IP changes: simply use the ppp.linkup file.

When I used ipfw I had the following in my ppp.linkup file:

    !bg /etc/firewall/ipfwrules

Then I had the following at the beginning of my ipfwrules script:

    # My Internet IP Address Defined
    # Take the last "inet " line on tun0, so an address left over from
    # the previous ppp session is skipped.
    myip=`ifconfig tun0 | awk '/inet / { ip = $2 } END { print ip }'`

The script then proceeded to flush the existing rule set, and load the new ones with the correct IP.

> >From "man ipfw":
> >
> >   src and dst:
> >      any | me | [not] [ports]
> >
> >   Specifying any makes the rule match any IP address.
> >
> >   Specifying me makes the rule match any IP address configured on
> >   an interface in the system.
>
>   "me" can be somewhat expensive, however.  For those rules for
>which I want to use my address instead of my external interface, I do
>this near the top of /etc/rc.firewall:
>
>    oif=dc0
>    oip="`ifconfig ${oif} inet | grep inet | awk '{ print $2 }'`"
>    onet="`echo ${oip} | sed -E 's/\.[0-9]{1,3}$/.0/'`"
>
>Note that this only works if your ISP (like mine) will continue to
>give you the same address over and over as long as you're powered up
>at lease renewal time.  If that's not true, you're stuck with "me",
>unless you can rewrite your rules to use only your external interface.
>
>--
>Chris BeHanna
>Software Engineer                   (Remove "bogus" before responding.)
>behanna@bogus.zbzoom.net
>I was raised by a pack of wild corn dogs.

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
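As an added example (not code from either message in this thread), the address lookup both posters describe, written as a POSIX sh script that reads ifconfig-style text from stdin, takes the last "inet " line as Dean's tun0 check intends, derives the a.b.c.0 network as Chris's sed expression does, and refuses to flush or reload the ruleset when no valid address came back, so a failed lookup cannot leave rules with an empty address in them. The interface name tun0, the rule numbers and the sample ifconfig output are constructed assumptions.

```sh
#!/bin/sh
# Added example, not from the thread: derive the external address and
# network from ifconfig output the way the quoted rc.firewall snippet does,
# taking the LAST "inet " line (stale ppp address skipped) and failing
# closed when no usable address is found.  Names and numbers are assumptions.

# Print the last IPv4 address found in ifconfig output read from stdin.
last_inet_addr() {
    awk '/^[[:space:]]*inet / { ip = $2 } END { if (ip != "") print ip }'
}

# True if $1 is a dotted quad whose four octets are all in 0..255.
is_ipv4() {
    printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    ( IFS=.; set -- $1; for o; do [ "$o" -le 255 ] || exit 1; done )
}

# a.b.c.d -> a.b.c.0, the same result as the quoted sed expression.
net_of() {
    printf '%s\n' "${1%.*}.0"
}

# Print the ipfw commands for external interface $1, given its ifconfig
# output on stdin.  Prints nothing and returns 1 when no valid address was
# found, so the caller keeps the existing ruleset instead of a broken one.
build_rules() {
    oif=$1
    oip=$(last_inet_addr)
    is_ipv4 "$oip" || return 1
    onet=$(net_of "$oip")
    printf '# %s: address %s, network %s\n' "$oif" "$oip" "$onet"
    printf 'ipfw -q flush\n'
    # anti-spoofing: packets claiming our own address never arrive from outside
    printf 'ipfw add 100 deny ip from %s to any in via %s\n' "$oip" "$oif"
    printf 'ipfw add 200 allow tcp from any to %s in via %s established\n' "$oip" "$oif"
}

# Constructed ifconfig output (documentation addresses) with two inet lines,
# as a ppp link can show after renegotiation; the second one is the live one.
SAMPLE_IFCONFIG='tun0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 1500
        inet 192.0.2.10 --> 192.0.2.1 netmask 0xffffffff
        inet 192.0.2.77 --> 192.0.2.1 netmask 0xffffffff
        Opened by PID 123'

printf '%s\n' "$SAMPLE_IFCONFIG" | build_rules tun0
```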