Setting firewall symbolic constants

Matthew Seaman m.seaman at infracaninophile.co.uk
Tue Mar 30 15:01:48 UTC 2010


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 30/03/2010 13:52:57, Walter wrote:
> In the example firewall rule set in rc.firewall, there are
> the following lines:
> 
> # set these to your outside interface network
>    oif="$firewall_simple_oif"
>    onet="$firewall_simple_onet"
> 
> # set these to your inside interface network
>    iif="$firewall_simple_iif"
>    inet="$firewall_simple_inet"
> 
> Can these be set by the system automatically?  Specifically
> $firewall_simple_onet?
> 
> When the IP changes on the ISP's side, I'd like to
> have this detected and updated in the rules without my
> manual intervention.  Do I need to write a utility and
> run in crontab?  Or is there a better way?
> 
> I'm off-list, so please reply directly to this e-mail addy.

If you switch to using PF rather than IPFW, this is very easy.

In a PF ruleset, the name of an interface is expanded to a list of all
of the IP numbers configured on it.  So you'll frequently see rules like
this:

ext_if = "de0"
[...]
pass log on $ext_if proto tcp  \
     from any to any port smtp \
     flags S/SA keep state

You can also say $ext_if:network to mean the locally attached network on
that interface.  Works with both IPv4 and IPv6.

One important wrinkle -- normally the resolution from interface name to
IP number happens just once, when the rules are initially loaded.  If
your interface has a dynamic address, simply enclose the i/f name in
brackets, like so: ($ext_if).  This causes PF to update the mapping as
the IP number changes.  It's less efficient, which is why it isn't
usually done for a machine with fixed addresses, but that won't cause
you any problems for typical DSL or even Cable speeds.

	Cheers,

	Matthew

- -- 
Dr Matthew J Seaman MA, D.Phil.                   7 Priory Courtyard
                                                  Flat 3
PGP: http://www.infracaninophile.co.uk/pgpkey     Ramsgate
                                                  Kent, CT11 9PW
-----BEGIN PGP SIGNATURE-----
Version: GnuPG/MacGPG2 v2.0.14 (Darwin)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iEYEARECAAYFAkuyElMACgkQ8Mjk52CukIy6LQCePtDUIteOMTnUQVYBZ2eUogfU
nUgAn1U87/YBfSw/jBaP1nn9370zbzEN
=eUTt
-----END PGP SIGNATURE-----
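The following pf.conf fragment is an added illustration of the points in the reply above (interface-name expansion, the :network modifier, and the bracketed form for dynamic addresses); it is not part of Matthew's message. The interface names em0/em1 and the service list are assumptions for the sake of the example and should be replaced with the real ones.

```pf
# /etc/pf.conf -- added example, not from the original post.
# Interface names are assumed (em0 outside, em1 inside); adjust to taste.
ext_if = "em0"
int_if = "em1"
tcp_services = "{ ssh, smtp }"

# Normalise incoming packets on the outside interface.
scrub in on $ext_if all

# NAT the inside network out through whatever address em0 currently has.
# $int_if:network expands to the subnet attached to em1.
# ($ext_if) in brackets is re-resolved on every evaluation, so a new
# DHCP/PPPoE lease on em0 takes effect without reloading the ruleset.
# Plain $ext_if here would capture the address once, at load time, and
# keep translating to the stale one after the ISP changes it.
nat on $ext_if from $int_if:network to any -> ($ext_if)

# Default deny, logged.
block in log all

# Let the inside network reach the outside; keep state so replies return.
pass in  on $int_if from $int_if:network to any keep state
pass out on $ext_if from ($ext_if) to any keep state

# Admit selected services to the current outside address only.
pass in on $ext_if proto tcp from any to ($ext_if) port $tcp_services \
     flags S/SA keep state
```

Check the syntax without loading it with `pfctl -nf /etc/pf.conf`, and use `pfctl -vnf /etc/pf.conf` to see how each macro, interface name and :network modifier expands. Note that the unbracketed forms ($ext_if, $int_if:network) are expanded at that load time and stay fixed until the next `pfctl -f`, which is exactly why the outside address in this example is always written as ($ext_if).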

