Oddly this does not appear to have made it through... Howdy List,

As some of you may have gathered from previous posts, I have been working on a pf configuration that will allow a gateway firewall machine to talk to two or more ISP services and allow for the differential routing of data connections from clients' services both behind the firewall and on it (e.g. a TOR, HTTP server or other proxy).

An additional complexity is introduced in that most prospective users of such a configuration are small to medium businesses that engage only DHCP services from ISPs. This means the IP address, default route and name servers associated with a particular service provider can (and do) change over the period the firewall gate is up for; moreover, the lease times granted can change from time to time. Also, nameservers for most ISPs are configured to only answer queries from the ISP's subnet(s), and the standard dhclient-script does not accommodate this.

In order to make such a configuration work, I introduce some hacks into the dhclient-script such that when the dhclient processes associated with a particular interface are triggered to renew a lease, a piece of prolog code is called that touches the following configs:

  file                  data modified
  /etc/pf.conf          gateway IP
  /etc/resolv.conf      nameservers (for default route)
  /etc/dhclient.conf    nameservers (for dhclient routes)
  [route table]         default route for firewall

To do this, I create a directory, /etc/pf, containing the following files:

  file                   purpose
  dhclient-script        dhclient-script modified to call replall from the
                         add_new_routes() subroutine, and to stub
                         add_new_resolv_conf(), as resolv.conf must only
                         reference nameservers for the default route;
                         symlinked to /sbin/dhclient-script.
  dhcpd.cnf.[interface]  one for each internal interface, to provision dhcpd
                         services
  droute.IF              defines the firewall's default route interface
  pf.cnf                 template pf ruleset into which the specific
                         interface gateways are inserted (replall looks for
                         lines beginning with ext_gw_{IFN})
  replall                symlink to the compiled gprolog code, hooked from
                         dhclient-script, that does the various
                         manipulations
  gplg/Makefile          make for the gprolog code
  gplg/dlib.pl           prolog support code -- dlib == duncan's lib ;)
  gplg/replall           gprolog executable
  gplg/replall.pl        gprolog source

A completed working instance of this scheme can be found at: http://neotext.ca/RefR/pf.dhcp/

It has been tested on a machine with 1 static and 1 DHCP gateway as well as on a machine with 2 DHCP gateways.

And yes, I know that most of you will think I'm daft to use prolog for a task that could be done in sh/perl/python. It's really just a matter of what you are most comfortable with... if a good reason comes up I might recode it in C.

Dhu
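As an added example, not the author's replall nor anything taken from the linked site, here is a plain-sh sketch of the two file edits the hook called from add_new_routes() has to perform per interface: insert the lease's gateway into the pf ruleset built from the pf.cnf template, and rewrite resolv.conf only when the renewing interface is the one named in droute.IF. Everything about the template's layout is an assumption for illustration: one macro per external interface written exactly as ext_gw_em0 = "0.0.0.0", state files gw.IFN kept beside the template, and the generated pf.conf written into the same directory rather than /etc. The dhclient-script variables $interface, $new_routers and $new_domain_name_servers are passed in as arguments so the functions can be exercised without a running dhclient.

```shell
#!/bin/sh
# Added example (not the author's replall): what the per-lease hook has to do.
# Assumed layout: $etc holds pf.cnf (template), droute.IF (default-route
# interface name) and one state file gw.IFN per external interface; output
# pf.conf and resolv.conf are written into $etc as well, not /etc.

# Record the lease's gateway for $ifn, then regenerate pf.conf from the
# template with every interface's last-known gateway inserted.  Keeping a
# state file per interface means a renewal on em0 cannot wipe out em1's
# gateway, which a simple edit of the previous pf.conf in place would risk.
# Template lines that have no state file yet are left exactly as written.
update_pf_gateways() {
    etc=$1 ifn=$2 gw=$3
    echo "$gw" > "$etc/gw.$ifn" || return 1
    awk -v etc="$etc" '
        match($0, /^ext_gw_[A-Za-z0-9]+[ \t]*=/) {
            key = $0; sub(/[ \t]*=.*/, "", key)     # "ext_gw_em0"
            f = etc "/gw." substr(key, 8)           # state file for that IFN
            if ((getline gw < f) > 0) {
                close(f)
                print key " = \"" gw "\""
                next
            }
            close(f)
        }
        { print }
    ' "$etc/pf.cnf" > "$etc/pf.conf"
}

# Write resolv.conf from the lease's name servers only when the renewing
# interface is the one named in droute.IF.  ISP resolvers answer only their
# own subnet, so the other provider's servers must never land here.
# Returns 0 whether or not the file was written; 1 if droute.IF is unreadable.
write_resolv_conf() {
    droute_file=$1 out=$2 ifn=$3 nameservers=$4
    default_if=$(cat "$droute_file") || return 1
    [ "$ifn" = "$default_if" ] || return 0
    : > "$out"
    for ns in $nameservers; do
        echo "nameserver $ns" >> "$out"
    done
}

# The piece hooked from add_new_routes().  dhclient-script exports
# $interface, $new_routers and $new_domain_name_servers for the lease being
# installed; they are taken as arguments here so the hook runs stand-alone.
lease_hook() {
    etc=$1 interface=$2 new_routers=$3 new_domain_name_servers=$4
    gw=${new_routers%% *}            # first router offered in the lease
    update_pf_gateways "$etc" "$interface" "$gw" || return 1
    write_resolv_conf "$etc/droute.IF" "$etc/resolv.conf" \
        "$interface" "$new_domain_name_servers" || return 1
    # The real hook would follow with (needs root, so left out here):
    #   route change default "$gw"   only when $interface is the droute.IF one
    #   pfctl -f /etc/pf.conf        to load the regenerated ruleset
}

# Constructed sample data so the script can be run as-is.
demo() {
    d=$(mktemp -d) || return 1
    printf '%s\n' 'ext_gw_em0 = "0.0.0.0"' 'ext_gw_em1 = "0.0.0.0"' \
        'pass out on em1 route-to (em1 $ext_gw_em1)' > "$d/pf.cnf"
    echo em1 > "$d/droute.IF"
    # em0 renews: its macro changes, resolv.conf is not touched
    lease_hook "$d" em0 "192.0.2.1" "192.0.2.53" || return 1
    # em1 (default route) renews: its macro changes, em0's survives,
    # resolv.conf now lists only em1's servers
    lease_hook "$d" em1 "198.51.100.1 198.51.100.2" \
        "198.51.100.53 198.51.100.54" || return 1
    cat "$d/pf.conf" "$d/resolv.conf"
    rm -rf "$d"
}
demo
```

The awk pass anchors on the full macro name followed by "=", so ext_gw_em1 cannot match ext_gw_em10, and a template placeholder for an interface that has not yet received a lease is passed through untouched so pfctl still sees a syntactically valid ruleset.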