Date: Sun, 3 Mar 2002 13:17:32 -0500 (EST)
From: Chris BeHanna <behanna@zbzoom.net>
To: <security@freebsd.org>
Subject: Re: ipfw and DHCP
Message-ID: <20020303131353.H98814-100000@topperwein.dyndns.org>
In-Reply-To: <200203011358.g21Dw6i06900@bunrab.catwhisker.org>
On Fri, 1 Mar 2002, David Wolfskill wrote:

> >From: George.Giles@mcmail.vanderbilt.edu
> >Date: Fri, 1 Mar 2002 07:52:26 -0600
> >
> >How do you get ipfw to pick up the DHCP value for oif in the rc.firewall script
> >?
>
> From "man ipfw":
>
>     src and dst:
>         any | me | [not] <address/mask> [ports]
>
>     Specifying any makes the rule match any IP address.
>
>     Specifying me makes the rule match any IP address configured on
>     an interface in the system.

"me" can be somewhat expensive, however. For those rules for which I want to use my address instead of my external interface, I do this near the top of /etc/rc.firewall:

    # external interface
    oif=dc0
    # its current (DHCP-assigned) IPv4 address
    oip="`ifconfig ${oif} inet | grep inet | awk '{ print $2 }'`"
    # its network, with the last octet zeroed (assumes a /24)
    onet="`echo ${oip} | sed -E 's/\.[0-9]{1,3}$/.0/'`"

Note that this only works if your ISP (like mine) will continue to give you the same address over and over as long as you're powered up at lease renewal time. If that's not true, you're stuck with "me", unless you can rewrite your rules to use only your external interface.

--
Chris BeHanna
Software Engineer                   (Remove "bogus" before responding.)
behanna@bogus.zbzoom.net
I was raised by a pack of wild corn dogs.
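As an added example (not from anyone in this thread), a POSIX sh variant of the rc.firewall snippet above: it derives the outside network from the netmask that ifconfig actually reports instead of assuming a /24, and falls back to ipfw's "me" keyword when the interface has no lease yet, so a rule never ends up with an empty address. The interface name, addresses and the ifconfig output are constructed for the example.

```shell
#!/bin/sh
# Constructed sample of `ifconfig dc0 inet` output in FreeBSD's format;
# the interface, address and mask are made up for this example.
SAMPLE_IFCONFIG='dc0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        inet 192.0.2.77 netmask 0xffffff00 broadcast 192.0.2.255'

# Dotted-quad address -> 32-bit integer.
ip_to_int() {
    IFS=. read -r a b c d <<EOF
$1
EOF
    echo $(( (a << 24) | (b << 16) | (c << 8) | d ))
}

# 32-bit integer -> dotted quad.
int_to_ip() {
    echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

# Prefix length = number of set bits in the netmask.
mask_to_prefix() {
    m=$1; n=0
    while [ "$m" -ne 0 ]; do
        n=$(( n + (m & 1) )); m=$(( m >> 1 ))
    done
    echo "$n"
}

# First "inet" address in captured ifconfig output (empty if none).
oip_from_ifconfig() {
    printf '%s\n' "$1" | awk '$1 == "inet" { print $2; exit }'
}

# Network of that address in CIDR form, honouring the reported netmask
# (the hex 0xffffff00 form is parsed by arithmetic expansion).
onet_from_ifconfig() {
    set -- $(printf '%s\n' "$1" | awk '$1 == "inet" { print $2, $4; exit }')
    [ -n "$2" ] || return 1
    mask=$(( $2 ))
    echo "$(int_to_ip $(( $(ip_to_int "$1") & mask )))/$(mask_to_prefix "$mask")"
}

# Source for a rule: the lease address if present, otherwise "me", which
# matches any address on the box and is the fallback the thread mentions.
rule_src() {
    oip=$(oip_from_ifconfig "$1")
    echo "${oip:-me}"
}

echo "add pass tcp from any to $(rule_src "$SAMPLE_IFCONFIG") 22 in via dc0"
echo "add pass ip from $(onet_from_ifconfig "$SAMPLE_IFCONFIG") to any out via dc0"
```

In a real rc.firewall the sample string would be replaced by `ifconfig ${oif} inet` output captured at run time.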