Setting firewall symbolic constants
m.seaman at infracaninophile.co.uk
Tue Mar 30 15:01:48 UTC 2010
On 30/03/2010 13:52:57, Walter wrote:
> In the example firewall rule set in rc.firewall, there are
> the following lines:
> # set these to your outside interface network
> # set these to your inside interface network
> Can these be set by the system automatically? Specifically
> When the IP changes on the ISP's side, I'd like to
> have this detected and updated in the rules without my
> manual intervention. Do I need to write a utility and
> run in crontab? Or is there a better way?
> I'm off-list, so please reply directly to this e-mail addy.
If you switch to using PF rather than IPFW, this is very easy.
In a PF ruleset, the name of an interface is expanded to a list of all
of the IP numbers configured on it. So you'll frequently see rules like
ext_if = "de0"
pass log on $ext_if proto tcp \
from any to any port smtp \
flags S/SA keep state
You can also say $ext_if:network to mean the locally attached network on
that interface. Works with both IPv4 and IPv6.
One important wrinkle -- normally the resolution from interface name to
IP number happens just once, when the rules are initially loaded. If
your interface has a dynamic address, simply enclose the i/f name in
brackets, like so: ($ext_if). This causes PF to update the mapping as
the IP number changes. It's less efficient, which is why it isn't
usually done for a machine with fixed addresses, but that won't cause
you any problems for typical DSL or even Cable speeds.
Dr Matthew J Seaman MA, D.Phil.
PGP: http://www.infracaninophile.co.uk/pgpkey
7 Priory Courtyard, Ramsgate, Kent, CT11 9PW
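An added pf.conf fragment, not part of the original message, that puts the once-resolved and the bracketed (dynamically re-resolved) forms side by side on a gateway whose outside address comes from the ISP; the interface names and the NAT layout are assumptions:

```pf
# Interface macros: names are assumptions for a typical DSL gateway.
ext_if = "de0"      # ISP-facing interface, address assigned dynamically
int_if = "fxp0"     # LAN-facing interface, fixed address

# Without brackets a macro expands to the addresses present when the
# ruleset is loaded; after the ISP changes the address, rules written
# that way keep matching the old one. The bracketed form ($ext_if) is
# re-resolved each time the rule is evaluated, so it follows the change.

# NAT for the LAN, translating to whatever address ext_if holds right now.
nat on $ext_if from $int_if:network to any -> ($ext_if)

block in log on $ext_if

# Accept SMTP to this host's current outside address only.
pass in log on $ext_if proto tcp from any to ($ext_if) port smtp \
    flags S/SA keep state

# LAN side has a fixed address, so the plain (one-time) expansion is fine.
pass in on $int_if from $int_if:network to any keep state
pass out on $ext_if keep state
```

`pfctl -nf /etc/pf.conf` parses the file without loading it, and `pfctl -vsr` shows the loaded rules so you can confirm which addresses each one currently matches.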