Re: Setting firewall symbolic constants
Bob Hall wrote:
> I use
>
>     onet=`ifconfig rl0 | grep inet | awk '{print $6}'`
>
> where rl0 is the outward facing NIC on this gateway.

Thanks. But I think I like a method which allows me to get the device names also, to allow a 'hands-off' configuring of the fw. I'll keep your code for future reference, though.

___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to freebsd-questions-unsubscr...@freebsd.org
Setting firewall symbolic constants
In the example firewall rule set in rc.firewall, there are the following lines:

    # set these to your outside interface network
    oif=$firewall_simple_oif
    onet=$firewall_simple_onet

    # set these to your inside interface network
    iif=$firewall_simple_iif
    inet=$firewall_simple_inet

Can these be set by the system automatically? Specifically $firewall_simple_onet? When the IP changes on the ISP's side, I'd like to have this detected and updated in the rules without my manual intervention. Do I need to write a utility and run it in crontab? Or is there a better way?

I'm off-list, so please reply directly to this e-mail addy. TIA.

Walter
Re: Setting firewall symbolic constants
On 30/03/2010 13:52:57, Walter wrote:
> In the example firewall rule set in rc.firewall, there are the following lines:
>
>     # set these to your outside interface network
>     oif=$firewall_simple_oif
>     onet=$firewall_simple_onet
>
>     # set these to your inside interface network
>     iif=$firewall_simple_iif
>     inet=$firewall_simple_inet
>
> Can these be set by the system automatically? Specifically $firewall_simple_onet? When the IP changes on the ISP's side, I'd like to have this detected and updated in the rules without my manual intervention. Do I need to write a utility and run it in crontab? Or is there a better way?
>
> I'm off-list, so please reply directly to this e-mail addy.

If you switch to using PF rather than IPFW, this is very easy. In a PF ruleset, the name of an interface is expanded to a list of all of the IP numbers configured on it. So you'll frequently see rules like this:

    ext_if = de0
    [...]
    pass log on $ext_if proto tcp \
        from any to any port smtp \
        flags S/SA keep state

You can also say $ext_if:network to mean the locally attached network on that interface. Works with both IPv4 and IPv6.

One important wrinkle -- normally the resolution from interface name to IP number happens just once, when the rules are initially loaded. If your interface has a dynamic address, simply enclose the i/f name in brackets, like so:

    ($ext_if)

This causes PF to update the mapping as the IP number changes. It's less efficient, which is why it isn't usually done for a machine with fixed addresses, but that won't cause you any problems for typical DSL or even Cable speeds.

Cheers,

Matthew

--
Dr Matthew J Seaman MA, D.Phil.
7 Priory Courtyard
Flat 3
Ramsgate
Kent, CT11 9PW
PGP: http://www.infracaninophile.co.uk/pgpkey
Re: Setting firewall symbolic constants
On Tue, Mar 30, 2010 at 07:52:57AM -0500, Walter wrote:
> Can these be set by the system automatically? Specifically
> $firewall_simple_onet?

I use

    onet=`ifconfig if | grep inet | awk '{print $6}'`

where if is rl0 or em0 or whatever the outward facing interface is for your system.
Re: Setting firewall symbolic constants
Matthew Seaman wrote:
> > Can these be set by the system automatically? Specifically
> > $firewall_simple_onet?
>
> If you switch to using PF rather than IPFW, this is very easy. In a PF ruleset, the name of an interface is expanded to a list of all of the IP numbers configured on it. So you'll frequently see rules like this:
>
>     ext_if = de0
>     [...]
>     pass log on $ext_if proto tcp \
>         from any to any port smtp \
>         flags S/SA keep state
>
> You can also say $ext_if:network to mean the locally attached network on that interface. Works with both IPv4 and IPv6.
>
> One important wrinkle -- normally the resolution from interface name to IP number happens just once, when the rules are initially loaded. If your interface has a dynamic address, simply enclose the i/f name in brackets, like so:
>
>     ($ext_if)
>
> This causes PF to update the mapping as the IP number changes. It's less efficient, which is why it isn't usually done for a machine with fixed addresses, but that won't cause you any problems for typical DSL or even Cable speeds.
>
> Cheers,
>
> Matthew

Thanks, that's good to know, but I think I'll still plunge along to work a solution for ipfw; it seems to be the default. And along the way I can detect and assign both interfaces and addresses automatically so I can make it work magically (crosses fingers) on computers with different cards without me having to configure them.

Walter
Re: Setting firewall symbolic constants
On Tue, Mar 30, 2010 at 04:17:22PM -0500, Walter wrote:
> Can these be set by the system automatically? Specifically
> $firewall_simple_onet?

My first response never showed up. Second try.

I use

    onet=`ifconfig rl0 | grep inet | awk '{print $6}'`

where rl0 is the outward facing NIC on this gateway.
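The script below is an added example, not code from the thread or from rc.firewall. It does what Walter asked for on the ipfw side: it finds the outside interface from the default route, picks the inside interface as the first other non-loopback interface with an IPv4 address, and derives the two networks in the address/prefix form that rc.firewall's "simple" ruleset expects for onet and inet. Two details worth checking against Bob's one-liner: on FreeBSD an ifconfig inet line reads "inet ADDR netmask 0xHEX broadcast BCAST", so field 6 is the broadcast address rather than the network, and "grep inet" also matches the inet6 line. The script matches the first field exactly and masks the address with the netmask instead. The sample_* functions return constructed output in the format of route -n get default, ifconfig IF and ifconfig -l so that it runs offline; the addresses, interface names and the "fffffc00" mask on em0 are assumptions chosen to show a non-/24 case.

```shell
#!/bin/sh
# Derive ipfw's oif/onet and iif/inet from live system state instead of
# hard-coding them in rc.conf.  Added example; not code from rc.firewall.
#
# Assumed FreeBSD output formats (constructed samples below):
#   route -n get default  ->  "  interface: rl0"
#   ifconfig IF           ->  "inet 203.0.113.7 netmask 0xffffff00 broadcast 203.0.113.255"
#   ifconfig -l           ->  "rl0 em0 lo0"
# Replace the three sample_* functions with the real commands to use it live.

sample_route_get_default() {
	cat <<'EOF'
   route to: default
destination: default
       mask: default
    gateway: 203.0.113.1
        fd: 0
  interface: rl0
      flags: <UP,GATEWAY,DONE,STATIC>
EOF
}

sample_ifconfig_list() { echo "rl0 em0 lo0"; }

sample_ifconfig() {
	case "$1" in
	rl0) cat <<'EOF'
rl0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        ether 00:11:22:33:44:55
        inet6 fe80::211:22ff:fe33:4455%rl0 prefixlen 64 scopeid 0x1
        inet 203.0.113.7 netmask 0xffffff00 broadcast 203.0.113.255
        status: active
EOF
	;;
	em0) cat <<'EOF'
em0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        inet 192.168.10.1 netmask 0xfffffc00 broadcast 192.168.11.255
        inet6 fe80::1%em0 prefixlen 64 scopeid 0x2
EOF
	;;
	esac
}

# Interface carrying the default route: the outside interface (oif).
default_if() {
	d=$(sample_route_get_default | awk '$1 == "interface:" { print $2; exit }')
	[ -n "$d" ] || return 1
	echo "$d"
}

# Exact match on the first field: "grep inet" would also hit the inet6 line.
# Field 2 is the address, field 4 the hex netmask, field 6 the broadcast.
if_inet() { sample_ifconfig "$1" | awk '$1 == "inet" { print $2; exit }'; }
if_mask() { sample_ifconfig "$1" | awk '$1 == "inet" { print $4; exit }'; }

# 0xffffff00 -> 24.  Rejects non-contiguous masks such as 0xffff00ff.
hexmask_to_prefix() {
	case "$1" in 0x[0-9a-fA-F]*) ;; *) return 1 ;; esac
	m=$(( $1 ))
	[ "$m" -le $(( 0xffffffff )) ] || return 1
	p=0; n=$m
	while [ "$n" -ne 0 ]; do
		p=$(( p + (n & 1) )); n=$(( n >> 1 ))
	done
	[ $(( (0xffffffff << (32 - p)) & 0xffffffff )) -eq "$m" ] || return 1
	echo "$p"
}

ip_to_int() {
	old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
	[ $# -eq 4 ] || return 1
	echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

int_to_ip() {
	printf '%d.%d.%d.%d\n' $(( ($1 >> 24) & 255 )) $(( ($1 >> 16) & 255 )) \
		$(( ($1 >> 8) & 255 )) $(( $1 & 255 ))
}

# 203.0.113.7 + 0xffffff00 -> 203.0.113.0/24, the network rc.firewall wants.
network_cidr() {
	p=$(hexmask_to_prefix "$2") || return 1
	a=$(ip_to_int "$1") || return 1
	echo "$(int_to_ip $(( a & $2 )))/$p"
}

# First non-loopback interface other than oif that has an IPv4 address.
inside_if() {
	for i in $(sample_ifconfig_list); do
		case "$i" in "$1"|lo0) continue ;; esac
		if [ -n "$(if_inet "$i")" ]; then echo "$i"; return 0; fi
	done
	return 1
}

# Emit the four rc.conf variables that rc.firewall's "simple" ruleset reads.
firewall_vars() {
	oif=$(default_if) || return 1
	onet=$(network_cidr "$(if_inet "$oif")" "$(if_mask "$oif")") || return 1
	iif=$(inside_if "$oif") || return 1
	inet=$(network_cidr "$(if_inet "$iif")" "$(if_mask "$iif")") || return 1
	printf 'firewall_simple_oif="%s"\nfirewall_simple_onet="%s"\n' "$oif" "$onet"
	printf 'firewall_simple_iif="%s"\nfirewall_simple_inet="%s"\n' "$iif" "$inet"
}

firewall_vars
```

On a real gateway the three sample_* functions become `route -n get default`, `ifconfig "$1"` and `ifconfig -l`, and the output is written somewhere rc.conf(5) picks up (for example a file under /etc/rc.conf.d/) before `service ipfw restart`. Rather than polling from cron, hooking it into the DHCP client's exit hook, if your dhclient provides one, means the rules are regenerated at the moment the lease changes. Every function fails closed: an interface without an IPv4 address or a malformed mask makes firewall_vars return non-zero instead of emitting a half-filled ruleset.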