Matthew Seaman wrote:

Can these be set by the system automatically?  Specifically
$firewall_simple_onet?
If you switch to using PF rather than IPFW, this is very easy.

In a PF ruleset, the name of an interface is expanded to a list of all
of the IP numbers configured on it.  So you'll frequently see rules like
this:

ext_if = "de0"
[...]
pass log on $ext_if proto tcp  \
    from any to any port smtp \
    flags S/SA keep state

You can also say $ext_if:network to mean the locally attached network on
that interface.  Works with both IPv4 and IPv6.

One important wrinkle -- normally the resolution from interface name to
IP number happens just once, when the rules are initially loaded.  If
your interface has a dynamic address, simply enclose the i/f name in
brackets, like so: ($ext_if)  This causes PF to update the mapping as
the IP number changes.  It's less efficient, which is why it isn't
usually done for a machine with fixed addresses, but that won't cause
you any problems for typical DSL or even Cable speeds.

        Cheers,

        Matthew

Thanks, that's good to know, but I think I'll still plunge along
to work a solution for ipfw; it seems to be the default.  And along
the way I can detect and assign both interfaces and addresses
automatically so I can make it work "magically" (crosses fingers)
on computers with different cards without me having to configure
them.

Walter
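The three interface-name forms Matthew describes above ($ext_if, $ext_if:network and the dynamic ($ext_if)), put together in one pf.conf fragment as an added example that is not from the thread; the interface names em0 and em1, the DHCP-assigned external address and the default-deny policy are assumptions.

```pf
# Added example ruleset, not from the original thread.
# Assumed: external interface em0 gets its address by DHCP,
# internal interface em1 has a fixed address.
ext_if = "em0"
int_if = "em1"

set skip on lo0

# Default deny, logging what is dropped.
block log all

# $int_if:network expands to the subnet configured on em1 (IPv4 and
# IPv6).  $int_if by itself expands to em1's own addresses, resolved
# once when the ruleset is loaded; that is fine here because the
# internal address never changes.
pass in  on $int_if from $int_if:network to $int_if
pass out on $int_if from $int_if:network to any

# ($ext_if) in parentheses: PF re-resolves em0's addresses whenever
# they change, so the rule keeps matching after a DHCP lease renewal.
# Written as plain $ext_if, the rule would keep the address em0 had
# at load time and silently stop matching after the address changed.
pass in log on $ext_if proto tcp \
    from any to ($ext_if) port smtp \
    flags S/SA keep state

pass out on $ext_if from ($ext_if) to any keep state
```

Check the file with pfctl -nf /etc/pf.conf (parse only, nothing loaded) before loading it with pfctl -f /etc/pf.conf.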
_______________________________________________
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "freebsd-questions-unsubscr...@freebsd.org"