From: Dean E. Weimer (dweimer@happydays.dyndns.org)
Date: Sun Mar 03 2002 - 13:36:08 CST


    -----Original Message-----
    From: owner-freebsd-security@FreeBSD.ORG
    [mailto:owner-freebsd-security@FreeBSD.ORG]On Behalf Of Chris BeHanna
    Sent: Sunday, March 03, 2002 12:18 PM
    To: security@FreeBSD.ORG
    Subject: Re: ipfw and DHCP

    On Fri, 1 Mar 2002, David Wolfskill wrote:

    > >From: George.Giles@mcmail.vanderbilt.edu
    > >Date: Fri, 1 Mar 2002 07:52:26 -0600
    >
    > >How do you get ipfw to pick-up DHCP value for oif in the rc.firewall
    > >script?
    >
    I saw many different scripting solutions for this one, but one thing I
    haven't seen, since oif seems to be defined as a variable: is it a NIC, or a
    ppp interface (tun0)?

    If your external interface is through ppp, there is a simple way to rebuild
    the rules when your IP changes: simply use the ppp.linkup file. When I used
    ipfw I had the following in my ppp.linkup file.

     !bg /etc/firewall/ipfwrules

    Then I had the following at the beginning of my ipfwrules script.

     # My Internet IP Address Defined
     # Count the IPv4 "inet " lines on tun0 (the trailing space skips inet6)...
     numips=`ifconfig tun0 | grep -c "inet "`
     # ...and compute the line number of the last one; the +2 accounts for the
     # lines ahead of the first inet line (flags line and inet6 link-local line)
     lastnum=$(($numips+2))
     # Anchor on the line number so that e.g. "3:" does not also match "13:";
     # with grep -n the address is the third field ("3:", "inet", address)
     myip=`ifconfig tun0 | grep -n "inet " | grep "^$lastnum:" | awk '{print $3}'`

    The script then proceeded to flush the existing rule set and load the new
    ones with the correct IP.

    > >From "man ipfw":
    >
    > src and dst:
    >     any | me | [not] <address/mask> [ports]
    >
    >     Specifying any makes the rule match any IP address.
    >
    >     Specifying me makes the rule match any IP address configured
    >     on an interface in the system.
    >
    > "me" can be somewhat expensive, however. For those rules for
    >which I want to use my address instead of my external interface, I do
    >this near the top of /etc/rc.firewall:
    >
    > oif=dc0
    > oip="`ifconfig ${oif} inet | grep inet | awk '{ print $2 }'`"
    > onet="`echo ${oip} | sed -E 's/\.[0-9]{1,3}$/.0/'`"
    >
    >Note that this only works if your ISP (like mine) will continue to
    >give you the same address over and over as long as you're powered up
    >at lease renewal time. If that's not true, you're stuck with "me",
    >unless you can rewrite your rules to use only your external interface.
    >
    >--
    >Chris BeHanna
    >Software Engineer (Remove "bogus" before responding.)
    >behanna@bogus.zbzoom.net
    >I was raised by a pack of wild corn dogs.
    >
    >
    >To Unsubscribe: send mail to majordomo@FreeBSD.org
    >with "unsubscribe freebsd-security" in the body of the message

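
The following is an added example for this thread, not code from either poster. It pulls the external address out of ifconfig output the way both scripts above do, but by field rather than by line number, derives the network with the same sed expression Chris uses, and prints the ipfw commands it would load so they can be reviewed before running. The interface name, the sample ifconfig output, the addresses and the rule numbers are all assumptions made up for illustration.

```sh
#!/bin/sh
# Added example for the "ipfw and DHCP" thread, not code from either poster.
# Rebuilds an ipfw rule set around the current address of a dynamic interface.
# Interface name, addresses and rule numbers are assumptions for illustration.

# Constructed sample of `ifconfig tun0` output (addresses made up) so the
# functions can be exercised offline; rebuild_firewall below uses real ifconfig.
SAMPLE_IFCONFIG='tun0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 1500
        inet6 fe80::1%tun0 prefixlen 64 scopeid 0x5
        inet 10.1.2.3 --> 10.1.2.1 netmask 0xffffffff
        Opened by PID 421'

# Print the last IPv4 address found in ifconfig output read from stdin.
# Comparing $1 to "inet" skips the inet6 line; keeping the last match mirrors
# the thread's "lastnum" trick for an interface that still carries old aliases.
extract_ip() {
    awk '$1 == "inet" { ip = $2 } END { if (ip != "") print ip }'
}

# Derive the "network" the way Chris's sed does: replace the last octet with 0.
extract_net() {
    printf '%s\n' "$1" | sed -E 's/\.[0-9]{1,3}$/.0/'
}

# Emit the rule set for interface $1, address $2 and network $3 as text.
# Printing instead of calling ipfw directly lets the result be inspected;
# pipe it to sh to load it.  Rule numbers are arbitrary assumptions.
build_rules() {
    oif=$1; oip=$2; onet=$3
    cat <<EOF
# rules for $oif: address $oip, network $onet
ipfw -f flush
ipfw add 100 allow ip from any to any via lo0
ipfw add 200 deny ip from any to 127.0.0.0/8
ipfw add 300 deny ip from $oip to any in via $oif
ipfw add 400 allow tcp from any to any established
ipfw add 500 allow tcp from any to $oip 22 in via $oif setup
ipfw add 600 allow udp from any 67 to any 68 in via $oif
ipfw add 700 allow ip from $oip to any out via $oif
ipfw add 65000 deny log ip from any to any
EOF
}

# Rebuild the live rules from the current address of $1 (default tun0).
# Suitable for ppp.linkup ("!bg /path/to/this/script") or, for a DHCP NIC,
# ISC dhclient's /etc/dhclient-exit-hooks.  Not called in this file.
rebuild_firewall() {
    oif=${1:-tun0}
    oip=$(ifconfig "$oif" inet | extract_ip)
    if [ -z "$oip" ]; then
        echo "rebuild_firewall: no IPv4 address on $oif, leaving rules alone" >&2
        return 1
    fi
    build_rules "$oif" "$oip" "$(extract_net "$oip")" | sh
}

# Offline demonstration on the constructed sample output.
demo_ip=$(printf '%s\n' "$SAMPLE_IFCONFIG" | extract_ip)
build_rules tun0 "$demo_ip" "$(extract_net "$demo_ip")"
```

Because the rules pin the address (the cheap alternative to "me" that Chris describes), they are only correct until the lease or link changes, which is why the rebuild is hooked to ppp.linkup or the dhclient exit hook rather than run once at boot. Rule 600 deliberately keeps "any" as the destination: a DHCP offer or renewal reply may be sent to the broadcast address rather than to the address the rules were built with, and blocking it would leave the box unable to obtain the very address the rest of the set depends on. The guard in rebuild_firewall keeps the old rule set in place if the interface has no address yet, instead of flushing it and loading rules with an empty address field.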