#1
Ipf "me" statement
Is there some sort of "me" statement, where "me" refers to the IP address that is being used by that particular device? Let's say we have xl0 with the IP of 192.168.0.33; why do I need to type in that IP? What about dynamic networks where DHCP is used instead of static IPs? This could become a problem IMO.
Could I just use "from any to any" and be just as secure?
#2
You shouldn't need to. ipf allows you to also type the name of the interface (in your case xl0). e.g.
Code:
pass out quick on xl0 blah blah blah
Also, see this: http://www.phildev.net/ipf/IPFques.html#ques9 and this:
__________________
Up the Irons
What Would Jimi Do? Smash amps. Burn guitar. Take the groupies home.
"Death Before Dishonour, my Friends!!" - Bruce Dickinson, Iron Maiden, Aug 20, 2005 @ OzzFest
Down with Sharon Osbourne
Puzzle of the Month solved by sizeablegrin, etienne141 and L7Sqr, superior C/C++ programmers of the month
#3
Well, what I mean is something like
Code:
pass out on xl0 proto tcp from 192.168.0.33 to any keep state
The above will work if my IP is 192.168.0.33; however, if it changes, because on my network I use DHCP, it could cause a problem. So should I use that 0/32 thing in your last post? Or should I just use any to any? Also, can I use that FTP proxy built into ipf if I am not using the firewall for NATing? This is for the firewall script on my server. I am switching from iptables on Linux to ipf on FreeBSD.
#4
Actually, here's a better way to do it. Most dhcp clients call /etc/dhclient-exit-hooks when a new lease is obtained (Create one, if it doesn't exist for you). This is a shell script and you can run a program to generate a new ipf rule file and reload ipf. Read man dhclient-script for more info on how this mechanism works. dhclient-script ends up calling dhclient-exit-hooks on the way out. Something like this ought to do it:
Code:
#!/bin/sh
# Runs from dhclient-exit-hooks after each new lease: pick up the address
# currently assigned to xl0.
IP=`ifconfig xl0 | grep "inet " | awk '{print $2}'`
# $IP must be quoted: it is empty when the interface has no address yet,
# and an unquoted empty value makes the test a syntax error.
if [ -z "$IP" ] || [ "$IP" = "0.0.0.0" ]; then
    # Interface not yet configured. Just exit
    exit 0
fi
# Run rule build here
/usr/local/bin/rulebuild.pl "$IP"
# Now reload ipf (flush all rules, then load the file rulebuild.pl writes;
# the path below is assumed)
ipf -Fa -f /etc/ipf.rules
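The two answers above leave the rule generation itself unstated: post #2's point that an interface name in the rule removes the need for the address, and post #4's hook that rebuilds the rule file from whatever address DHCP hands out. The following is an added example, not code from the thread or from the rulebuild.pl script it mentions. It shows what such a rule builder would do: extract the IPv4 address from ifconfig-style output (handling the no-lease case), then emit a small ipf ruleset in which the general rules are tied to the interface name and only the address-specific rule is regenerated per lease. The rule file path, the service ports and the ifconfig output are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the thread). Build an ipf ruleset for an interface
# whose address comes from DHCP. Real use, from dhclient-exit-hooks:
#   build_ipf_rules xl0 "$(ifconfig xl0 | extract_inet_addr)" > /etc/ipf.rules
#   ipf -Fa -f /etc/ipf.rules        # path is an assumption for this example

# Print the first IPv4 address found in ifconfig output read from stdin.
# Prints nothing when no "inet " line exists yet (no lease), and ignores
# "inet6" lines because the field must be exactly "inet".
extract_inet_addr() {
    awk '$1 == "inet" { print $2; exit }'
}

# Emit rules for interface $1 with address $2 ($2 may be empty or 0.0.0.0
# before DHCP has assigned anything). All rules use "quick", so the first
# match wins and the final "block in" catches everything not allowed above.
build_ipf_rules() {
    iface="$1"
    addr="$2"
    # Interface-named rules stay valid whatever address DHCP hands out,
    # so nothing here needs regenerating on a new lease.
    echo "pass out quick on $iface proto tcp from any to any keep state"
    echo "pass out quick on $iface proto udp from any to any keep state"
    echo "pass in quick on $iface proto tcp from any to any port = 22 flags S keep state"
    if [ -n "$addr" ] && [ "$addr" != "0.0.0.0" ]; then
        # The only address-specific rule: pinned to the current lease and
        # rewritten by the exit hook each time the lease changes, so it
        # cannot silently go stale the way a hard-coded 192.168.0.33 would.
        echo "pass in quick on $iface proto tcp from any to $addr/32 port = 80 flags S keep state"
    fi
    echo "block in quick on $iface all"
}

# Constructed sample of FreeBSD-style ifconfig output (not a real capture).
SAMPLE_IFCONFIG='xl0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
    inet6 fe80::1%xl0 prefixlen 64 scopeid 0x1
    inet 192.168.0.33 netmask 0xffffff00 broadcast 192.168.0.255
    ether 00:00:00:00:00:01'

# Constructed sample with no lease yet: the address-specific rule is skipped.
SAMPLE_NOLEASE='xl0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
    ether 00:00:00:00:00:01'

# Demonstration on the constructed sample; prints the generated ruleset.
demo() {
    ip=$(printf '%s\n' "$SAMPLE_IFCONFIG" | extract_inet_addr)
    build_ipf_rules xl0 "$ip"
}
```

Running demo prints a five-line ruleset containing the 192.168.0.33/32 rule; feeding the no-lease sample through extract_inet_addr yields an empty address and a four-line ruleset, which is the case the exit hook in post #4 guards against with its early exit.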