Thread: Ipf me statement

    #1
    Contributing User (Devshed Newbie, 0 - 499 posts)
    Join Date: Jun 2004 | Posts: 461

    Ipf me statement


    Is there some sort of me statement, where me refers to the IP address that is being used by that particular device? Let's say we have xl0 with the IP of 192.168.0.33; why do I need to type in that IP? What about dynamic networks where DHCP is used instead of static IPs? This could become a problem IMO.

    Could I just use from any to any and be just as secure?
    #2
    Banned ;) (Devshed Supreme Being, 6500+ posts)
    Join Date: Nov 2001 | Location: Woodland Hills, Los Angeles County, California, USA | Posts: 9,642

    You shouldn't need to. ipf allows you to also type the name of the interface (in your case xl0). e.g.
    pass out quick on xl0 blah blah blah

    Also, see this:
    http://www.phildev.net/ipf/IPFques.html#ques9
    and this:
    Up the Irons
    What Would Jimi Do? Smash amps. Burn guitar. Take the groupies home.
    "Death Before Dishonour, my Friends!!" - Bruce Dickinson, Iron Maiden Aug 20, 2005 @ OzzFest
    Down with Sharon Osbourne

    "I wouldn't hire a butcher to fix my car. I also wouldn't hire a marketing firm to build my website." - Nilpo
    #3
    Contributing User (Devshed Newbie, 0 - 499 posts)
    Join Date: Jun 2004 | Posts: 461

    Well, what I mean is something like

    pass out on xl0 proto tcp from 192.168.0.33 to any keep state

    The above will work if my IP was 192.168.0.33; however, if it changes, because I use DHCP on my network, it could cause a problem. So should I use that 0/32 thing in your last post, or should I just use any to any?

    Also, can I use that FTP proxy built into ipf if I am not using the firewall for NATing? This is for the firewall script on my server. I am switching from iptables on Linux to ipf on FreeBSD.
    #4
    Banned ;) (Devshed Supreme Being, 6500+ posts)
    Join Date: Nov 2001 | Location: Woodland Hills, Los Angeles County, California, USA | Posts: 9,642

    Actually, here's a better way to do it. Most dhcp clients call /etc/dhclient-exit-hooks when a new lease is obtained (create one if it doesn't exist for you). This is a shell script, and you can run a program to generate a new ipf rule file and reload ipf. Read man dhclient-script for more info on how this mechanism works. dhclient-script ends up calling dhclient-exit-hooks on the way out. Something like this ought to do it:
    Code:
    #!/bin/sh
    # Pick the IPv4 address currently on xl0 (the space after "inet" skips inet6 lines)
    IP=`ifconfig xl0 | grep "inet " | awk '{print $2}'`
    
    # $IP is quoted so an interface with no address yet does not leave test with a missing operand
    if [ -z "$IP" ] || [ "$IP" = "0.0.0.0" ]; then
    	# Interface not yet configured. Just exit
    	exit 0
    fi
    
    # Run rule build here
    /usr/local/bin/rulebuild.pl "$IP"
    
    # Now reload ipf: flush the active rule set and load the regenerated file.
    # /etc/ipf.rules is an assumed path; use whatever file rulebuild.pl writes.
    ipf -Fa -f /etc/ipf.rules
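The generator the hook calls (rulebuild.pl) is not shown in the thread, so here is an added example of what such a generator can do, written in sh rather than Perl and not taken from any post. It pulls the address out of ifconfig-style output, refuses to emit rules when there is no usable address yet, and writes a small stateful rule set bound to that address; the interface name xl0, the sample ifconfig text and the rules themselves are assumptions.

```shell
#!/bin/sh
# Added example, not the poster's rulebuild.pl: build an ipf rule set from
# the address a DHCP-configured interface holds right now.

# Print the first IPv4 address from ifconfig-style text on stdin; prints
# nothing if no "inet " line exists (inet6 lines have $1 == "inet6").
addr_from_ifconfig() {
    awk '$1 == "inet" { print $2; exit }'
}

# Succeed only for an address worth binding rules to. Fail closed: an
# empty or 0.0.0.0 address means the lease is not in place yet.
usable_ip() {
    case "$1" in
        ""|0.0.0.0) return 1 ;;
    esac
    return 0
}

# Emit rules for interface $1 holding address $2. The "on xl0" rules need
# no address; the "from <ip>" rules are the ones that must be regenerated
# on every lease, which is why the exit hook exists.
build_rules() {
    ifn=$1; ip=$2
    printf 'block in on %s all\n' "$ifn"
    printf 'block out on %s all\n' "$ifn"
    printf 'pass out quick on %s proto tcp from %s to any flags S keep state\n' "$ifn" "$ip"
    printf 'pass out quick on %s proto udp from %s to any keep state\n' "$ifn" "$ip"
    printf 'pass in quick on %s proto tcp from any to %s port = 22 flags S keep state\n' "$ifn" "$ip"
}

# Constructed sample of `ifconfig xl0` output (not captured from a real host).
SAMPLE='xl0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
    inet6 fe80::1%xl0 prefixlen 64 scopeid 0x1
    inet 192.168.0.33 netmask 0xffffff00 broadcast 192.168.0.255'

# Stand-alone run: print the rule set, or exit 1 if there is no address yet.
main() {
    ip=$(printf '%s\n' "$SAMPLE" | addr_from_ifconfig)
    usable_ip "$ip" || { echo "xl0 has no usable address yet" >&2; return 1; }
    build_rules xl0 "$ip"
}

main
```

In the real hook, replace SAMPLE with the output of `ifconfig xl0` and redirect build_rules into the file that ipf -Fa -f loads.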
