Howdy List,

As some of you may have gathered from previous posts, I have been
working on a pf configuration that will allow a gateway firewall
machine to talk to two or more ISP services and allow for the
differential routing of data connections from clients' services
both behind the firewall and on it (e.g. a Tor, HTTP server or other proxy).

An additional complexity is introduced in that most prospective
users of such a configuration are small to medium businesses that
engage only DHCP services from ISPs.  This means the IP address,
default route and name servers associated with a particular service
provider can (and do) change over the period the firewall gateway
is up for; moreover, the lease times granted can change from time
to time.  Also, nameservers for most ISPs are configured to only
answer queries from the ISP's subnet(s), and the standard
dhclient-script does not accommodate this.

In order to make such a configuration work, I introduce some hacks
into the dhclient-script such that when the dhclient processes
associated with a particular interface are triggered to renew
a lease, a piece of prolog code is called that touches the following
configs:

file                            data modified

/etc/pf.conf                    gateway IP
/etc/resolv.conf                nameservers (for default route)
/etc/dhclient.conf              nameservers (for dhclient routes)
[route table]                   default route for firewall

To do this, I create a directory, /etc/pf, containing the following files:

file                            purpose

dhclient-script                 dhclient-script modified to call replall from
                                the add_new_routes() subroutine, and to stub
                                add_new_resolv_conf(), as resolv.conf must
                                only reference nameservers for the default
                                route; symlinked to /sbin/dhclient-script.
dhcpd.cnf.[interface]           one for each internal interface,
                                to provision dhcpd services
droute.IF                       defines the firewall's default route interface
pf.cnf                          template pf ruleset into which the specific
                                interface gateways are inserted (replall looks
                                for lines beginning with ext_gw_{IFN})
replall                         symlink to compiled gprolog code hooked from
                                dhclient-script that does the various
                                manipulations
gplg/Makefile                   make for gprolog code
gplg/dlib.pl                    prolog support code -- dlib==duncan's lib;)
gplg/replall                    gprolog executable
gplg/replall.pl                 gprolog source


A completed working instance of this scheme can be found at:

http://neotext.ca/RefR/pf.dhcp/

It has been tested on a machine with 1 static and 1 DHCP gateway as
well as on a machine with 2 DHCP gateways.

And yes, I know that most of you will think I'm daft to use prolog for 
a task that could be done in sh/perl/python.  It's really just a matter
of what you are most comfortable with... if a good reason comes up I might
recode it in C.

Dhu

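As an added illustration of the pf.conf step of the renewal hook described in the post above (this is example code written for this page, not Dhu's replall, and it is sh rather than prolog): the function below reads the pf.cnf template, rewrites every line that begins with ext_gw_<interface> to carry the gateway dhclient just learned, and loads the result only if pfctl accepts it. The check the post does not mention is that the gateway is validated as a plain IPv4 address before it is written anywhere: $new_routers is chosen by whatever answered the DHCP request on that link, and it is about to land in a root-owned ruleset, so it should be treated as untrusted input. The function names, the /tmp path and the sample template are assumptions; the dhclient-script variables $interface and $new_routers are the ones the ISC-derived script exports to its hook functions.

```shell
#!/bin/sh
# Added example (not the poster's replall): the pf.conf part of a
# dhclient-script renewal hook in plain sh. Template lines beginning with
# ext_gw_<ifn> get the new gateway; everything else is copied unchanged.
# Function names and temp paths are assumptions made for this example.

# Return 0 only for a dotted quad with every octet in 0..255.
# $new_routers comes from the DHCP server, so nothing else may reach pf.conf.
valid_ipv4() {
    case "$1" in
        *[!0-9.]*|"") return 1 ;;       # anything but digits and dots: reject
    esac
    printf '%s\n' "$1" | awk -F. '
        NF != 4 { bad = 1 }
        { for (i = 1; i <= NF; i++)
              if ($i == "" || length($i) > 3 || $i + 0 > 255) bad = 1 }
        END { exit bad }'
}

# Rewrite template $1 into $4, giving interface $2 the gateway $3.
# Refuses (and writes nothing) if the gateway fails the check above.
render_pf_conf() {
    template=$1; ifn=$2; gw=$3; out=$4
    if ! valid_ipv4 "$gw"; then
        echo "pf hook: refusing non-IPv4 gateway for $ifn: '$gw'" >&2
        return 1
    fi
    awk -v key="ext_gw_$ifn" -v gw="$gw" '
        $0 ~ ("^" key "[ \t=]") { print key " = \"" gw "\""; next }
        { print }' "$template" > "$out"
}

# Install $1 as the live ruleset ($2, default /etc/pf.conf) only after
# pfctl has parsed it, so a bad lease never replaces a working pf.conf
# on disk (the one that would be loaded at next boot). Keeps a .prev copy.
reload_pf() {
    new=$1; live=${2:-/etc/pf.conf}
    if ! pfctl -nf "$new" >/dev/null 2>&1; then
        echo "pf hook: pfctl rejected $new, keeping $live" >&2
        return 1
    fi
    cp -p "$live" "$live.prev" && cp "$new" "$live" && pfctl -f "$live"
}

# Entry point to call from add_new_routes() in dhclient-script. dhclient
# exports the lease as $interface and $new_routers (space separated; the
# first router is the gateway for that interface).
on_new_lease() {
    gw=${new_routers%% *}
    tmp=$(mktemp /tmp/pf.conf.XXXXXXXX) || return 1
    render_pf_conf /etc/pf/pf.cnf "$interface" "$gw" "$tmp" && reload_pf "$tmp"
    rc=$?
    rm -f "$tmp"
    return $rc
}

# Constructed template in the layout the post describes, for trying the
# rewrite offline: two DHCP uplinks, each with its own ext_gw_ macro.
write_sample_template() {
    cat > "$1" <<'EOF'
ext_if0 = "em0"
ext_if1 = "em1"
ext_gw_em0 = "0.0.0.0"
ext_gw_em1 = "0.0.0.0"
pass out on $ext_if0 route-to ($ext_if0 $ext_gw_em0)
pass out on $ext_if1 route-to ($ext_if1 $ext_gw_em1)
EOF
}
```

To wire it in, source this file from the modified /etc/pf/dhclient-script and call on_new_lease from add_new_routes(); render_pf_conf can be exercised by hand against the sample template (write_sample_template /tmp/pf.cnf, then render_pf_conf /tmp/pf.cnf em0 192.0.2.1 /tmp/pf.conf) without touching the live ruleset. Only the ext_gw_ macro of the renewing interface changes, so the other uplink's gateway survives a renewal on this one.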