Setting firewall symbolic constants
Walter
walterk1 at earthlink.net
Tue Mar 30 21:17:34 UTC 2010
Matthew Seaman wrote:
>-----BEGIN PGP SIGNED MESSAGE-----
>Hash: SHA1
>
>
>>Can these be set by the system automatically? Specifically
>>$firewall_simple_onet?
>>
>>
>If you switch to using PF rather than IPFW, this is very easy.
>
>In a PF ruleset, the name of an interface is expanded to a list of all
>of the IP numbers configured on it. So you'll frequently see rules like
>this:
>
>ext_if = "de0"
>[...]
>pass log on $ext_if proto tcp \
> from any to any port smtp \
> flags S/SA keep state
>
>You can also say $ext_if:network to mean the locally attached network on
>that inerface. Works with both IPv4 and IPv6.
>
>One important wrnkle -- normally the resolution from interface name to
>IP number happens just once, when the rules are initially loaded. If
>your interface has a dynamic address, simple enclose the i/f name in
>brackets, like so: ($ext_if) This causes PF to update the mapping as
>the IP number changes. It's less efficient, which is why it isn't
>usually done for a machine with fixed addresses, but that won't cause
>you any problems for typical DSL or even Cable speeds.
>
> Cheers,
>
> Matthew
>
>
>
Thanks, that's good to know, but I think I'll still plunge along
to work a solution for ipfw; it seems to be the default. And along
the way I can detect and assign both interfaces and addresses
automatically so I can make it work "magically" (crosses fingers)
on computers with different cards without me having to configure
them.
Walter
More information about the freebsd-questions
mailing list