From owner-freebsd-questions@FreeBSD.ORG  Tue Apr 10 20:06:17 2007
Return-Path: <owner-freebsd-questions@FreeBSD.ORG>
X-Original-To: freebsd-questions@freebsd.org
Delivered-To: freebsd-questions@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [69.147.83.52])
	by hub.freebsd.org (Postfix) with ESMTP id B308616A402
	for <freebsd-questions@freebsd.org>;
	Tue, 10 Apr 2007 20:06:17 +0000 (UTC)
	(envelope-from fbsd06@mlists.homeunix.com)
Received: from mxout-03.mxes.net (mxout-03.mxes.net [216.86.168.178])
	by mx1.freebsd.org (Postfix) with ESMTP id 8E85C13C4C4
	for <freebsd-questions@freebsd.org>;
	Tue, 10 Apr 2007 20:06:17 +0000 (UTC)
	(envelope-from fbsd06@mlists.homeunix.com)
Received: from gumby.homeunix.com (unknown [87.81.140.128])
	(using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits))
	(No client certificate requested)
	by smtp.mxes.net (Postfix) with ESMTP id 3BABB5191F
	for <freebsd-questions@freebsd.org>;
	Tue, 10 Apr 2007 16:06:16 -0400 (EDT)
Date: Tue, 10 Apr 2007 21:06:13 +0100
From: RW <fbsd06@mlists.homeunix.com>
To: freebsd-questions@freebsd.org
Message-ID: <20070410210613.6af9b48c@gumby.homeunix.com>
In-Reply-To: <44mz1gqbdf.fsf@be-well.ilk.org>
References: <200704101334.l3ADY1MJ006807@shadow.sixcompanies.com>
	<44mz1gqbdf.fsf@be-well.ilk.org>
X-Mailer: Claws Mail 2.8.1 (GTK+ 2.10.11; i386-portbld-freebsd6.2)
Mime-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Subject: Re: ipfilter and DHCP
X-BeenThere: freebsd-questions@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: User questions <freebsd-questions.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-questions>, 
	<mailto:freebsd-questions-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-questions>
List-Post: <mailto:freebsd-questions@freebsd.org>
List-Help: <mailto:freebsd-questions-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-questions>, 
	<mailto:freebsd-questions-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Tue, 10 Apr 2007 20:06:17 -0000

On Tue, 10 Apr 2007 15:26:36 -0400
Lowell Gilbert <freebsd-questions-local@be-well.ilk.org> wrote:

> "J.D. Bronson" <jbronson-freebsd@sixcompanies.com> writes:
> 
> > Ok...what do you guys do to handle a change of IP/network via DHCP
> > with ipfilter?
> >
> > I have been told that if my IP changes while the machine is up and
> > running that ipfilter WON'T see this change and needs to be
> > told...supposedly it only reads the IP when it starts itself.
> >
> > If this is true, is there any easy way to fix this?
> > I run ipcheck.py and that can invoke a script if needed if it
> > notices and IP changed....
> >
> > ipnat.conf:
> > map bge1 192.43.82.0/24 -> 0/32 proxy port ftp ftp/tcp
> > map bge1 192.43.82.0/24 -> 0/32 portmap tcp/udp auto
> > map bge1 192.43.82.0/24 -> 0/32
> >
> > rdr bge1 0.0.0.0/0 port 25 -> 192.43.82.170 port 25
> >
> >
> > I presume if it reads the IP and fills in the '0/32' + '0.0.0.0/0'
> > values at startup...having my IP change could be disasterous.
> 
> When your IP changes, you can have dhclient trigger a script of your
> choosing.  You can use that to alter your firewall rules.

Does it matter though?

# rcorder /etc/rc.d/* |egrep  "ipfil|dhc"
/etc/rc.d/ipfilter
/etc/rc.d/dhclient

ipfilter doesn't actually have an ip address for the interface when it
starts up, so it seem unlikely it can't cope with a new address.

It wouldn't hurt to do an "/etc/rc.d/ipfilter resync" though