conf/69911: [patch] Revamp rc.firewall to transparently support both DHCP and static configuration

Roderick van Domburg r.s.a.vandomburg at student.utwente.nl
Mon Aug 2 09:20:34 PDT 2004


>Number:         69911
>Category:       conf
>Synopsis:       [patch] Revamp rc.firewall to transparently support both DHCP and static configuration
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    freebsd-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          change-request
>Submitter-Id:   current-users
>Arrival-Date:   Mon Aug 02 16:20:34 GMT 2004
>Closed-Date:
>Last-Modified:
>Originator:     Roderick van Domburg
>Release:        FreeBSD 5.2-CURRENT sparc64
>Organization:
University of Twente
>Environment:
System: FreeBSD magog.student.utwente.nl 5.2-CURRENT FreeBSD 5.2-CURRENT #0: Mon Aug 2 06:16:33 CEST 2004 roderick at magog.student.utwente.nl:/usr/obj/usr/src/sys/MAGOG sparc64

>Description:
In the past, firewall support in DHCP environments has been lacking.
Manually editing rc.firewall upon every new networking configuration
is a hassle that keeps many users busy. Such users include roaming
laptop users as well as desktops in enterprise DHCP environments.

Additionally, many DHCP users are unsure which rules to use to
securely allow DHCP traffic.
>How-To-Repeat:
>Fix:
The attached patch is completely transparent in both DHCP and static
environments. Besides supporting roaming configurations, it has also
become easier to configure because it only needs the name of the
interface instead of the IP address, netmask and network. This has
the additional advantage that there is no need to edit both
/etc/rc.conf _and_ /etc/rc.firewall when a static network
configuration changes.
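As an added example (not part of this PR or of rc.firewall), this is one way to take the three values from a single FreeBSD ifconfig(8) "inet" line: the netmask is converted from the 0x... form ifconfig prints, and the network address is computed as ip AND mask rather than read from a field. The sample line is constructed to mimic "ifconfig hme0" output.

```sh
#!/bin/sh
# Added example, not part of this PR or of rc.firewall: take ip, netmask
# and network address from one FreeBSD ifconfig(8) "inet" line.
# SAMPLE_INET_LINE is constructed to mimic "ifconfig hme0" output.
SAMPLE_INET_LINE="    inet 192.0.2.1 netmask 0xffffff00 broadcast 192.0.2.255"

# int_to_dotted 3221225984 -> 192.0.2.0
int_to_dotted() {
	printf '%d.%d.%d.%d\n' $(( ($1 >> 24) & 255 )) $(( ($1 >> 16) & 255 )) \
		$(( ($1 >> 8) & 255 )) $(( $1 & 255 ))
}

# dotted_to_int 192.0.2.1 -> 3221225985
dotted_to_int() {
	set -- $(echo "$1" | tr . ' ')
	echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# inet_fields "<inet line>" -> "ip mask network"; returns 1 for non-inet lines
inet_fields() {
	set -- $1   # word-split the line: inet IP netmask MASK broadcast BCAST
	[ "$1" = "inet" ] || return 1
	ip_int=$(dotted_to_int "$2")
	mask_int=$(( $4 ))   # arithmetic expansion accepts the 0xffffff00 form
	echo "$2 $(int_to_dotted "$mask_int") $(int_to_dotted $(( ip_int & mask_int )))"
}

inet_fields "$SAMPLE_INET_LINE"   # 192.0.2.1 255.255.255.0 192.0.2.0
```

In rc.firewall the same would be obtained with `ifconfig $_if | grep "inet " | head -1` feeding inet_fields, so that an interface with several inet aliases yields one set of values.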

Roaming users only need to create a simple /etc/dhclient-exit-hooks
to reload the firewall when necessary, like so:

#!/bin/sh
# /etc/dhclient-exit-hooks is sourced by dhclient-script after each lease
# event; reload the ruleset only when the address, broadcast or netmask changed.
if [ "${new_ip_address}" != "${old_ip_address}" ] ||
   [ "${new_broadcast_address}" != "${old_broadcast_address}" ] ||
   [ "${new_subnet_mask}" != "${old_subnet_mask}" ]; then
  ( /etc/rc.d/ipfw restart )
fi

--- rc.firewall-dhcp.patch begins here ---
--- rc.firewall.old	Mon Aug  2 17:30:42 2004
+++ rc.firewall	Mon Aug  2 17:30:19 2004
@@ -150,10 +150,13 @@
 	# against people from outside your own network.
 	############
 
-	# set these to your network and netmask and ip
-	net="192.0.2.0"
-	mask="255.255.255.0"
-	ip="192.0.2.1"
+	# set this to your interface...
+	_if="hme0"
+
+	# ... and these will be set up automatically
+	ip=`ifconfig $_if | grep "inet " | awk '{print $2}'`
+	mask=`ifconfig $_if | grep "inet " | awk '{print $4}'`
+	net=`ifconfig $_if | grep "inet " | awk '{print $6}'`
 
 	setup_loopback
 
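Review bot: the `net=` line reads the sixth field of the ifconfig inet line, which on FreeBSD is the broadcast address ("inet A netmask 0xM broadcast B"), not the network that the removed comment "set these to your network and netmask and ip" asks for; derive the network as ip AND mask instead (the mask comes back in 0x hex form, so convert it or make sure every consumer of `${mask}` accepts that form). The three `grep "inet "` pipelines also match every inet alias on `$_if` and leave multi-line values, and an interface with no inet address leaves all three empty; take only the first match and bail out with a clear error when `ip` is empty, otherwise the later rules are built from empty strings.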
@@ -181,6 +184,24 @@
 
 	# Allow NTP queries out in the world
 	${fwcmd} add pass udp from ${ip} to any 123 keep-state
+
+	# If using DHCP, allow DHCP queries out in the world
+	# see if this interface is configured through DHCP
+	eval _test_if="\$ifconfig_${_if}"
+	case ${_test_if} in
+	[Dd][Hh][Cc][Pp])
+		if [ "$ip" = "0.0.0.0" ]; then
+			# Network is initializing
+			${fwcmd} add pass udp from ${ip} to any 67 keep-state
+			${fwcmd} add pass udp from any to ${net} 68 keep-state
+		else
+			# Network already is configured. Allow queries "any" queries
+			# because the DHCP server may have moved.
+			${fwcmd} add pass udp from ${ip} to any 67 keep-state
+			${fwcmd} add pass udp from any to ${ip} 68 keep-state
+		fi
+		;;
+	esac
 
 	# Everything else is denied by default, unless the
 	# IPFIREWALL_DEFAULT_TO_ACCEPT option is set in your kernel
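Review bot: the `case ${_test_if}` pattern `[Dd][Hh][Cc][Pp])` only matches when the whole rc.conf value is exactly "DHCP"; a value with extra options such as "DHCP mtu 1500" falls through and no DHCP rules are added, so use `[Dd][Hh][Cc][Pp]*)` as the other rc scripts do. In the 0.0.0.0 branch the `keep-state` on the `to any 67` rule buys nothing, since the server's reply goes to the broadcast address rather than back to 0.0.0.0, so the `from any to ${net} 68` rule is what actually admits the offer and `net` must hold the broadcast address for that to work; say so in the comment, and fix the duplicated word in 'Allow queries "any" queries'.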
--- rc.firewall-dhcp.patch ends here ---


>Release-Note:
>Audit-Trail:
>Unformatted: