

ipfw with ppp -alias setup


Date: Sat, 04 Jul 1998 00:50:43 -0600
From: "Aaron D. Gifford" <agifford@infowest.com.>
To: Louie <louie@sunra.csci.unt.edu.>
Subject: Re: ipfw with ppp -alias setup
Cc: security@FreeBSD.ORG

On my home FreeBSD box, I use ipfw filters as well.  Instead of running rc.firewall every
time I connect to my ISP, I use the /etc/ppp/ppp.linkup to execute my own custom ipfw
script for me automatically.  Here's what I've been using in /etc/ppp/ppp.linkup:


MYADDR:
 delete ALL
 add 0 0 HISADDR
 ! sh -c "/bin/sh /etc/rc.firewall &"

I've basically gutted rc.firewall and rewritten many parts for my own setup.  I use
ppp.linkup to execute it every time I establish a connection to my ISP.  Near the top of
my custom rc.firewall script is this:


ip=`/usr/bin/netstat -in | perl -ne 'print $1 if (
    /^tun0\s+[0-9]+\s+[0-9\.]+\s+([0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3})\s+/
    );'`


(I hope my mail program doesn't wrap the perl expression line -- it is rather long)

It basically runs the 'netstat -in' command and then looks at the output for a line like:

tun0  1500  10.2.6     10.2.6.112    0     0        0     0      0
Name   Mtu  Network    Address       Ipkts Ierrs    Opkts Oerrs  Coll

The perl expression grabs the IP address (in the above line that would be '10.2.6.112')
and spits it back out to be assigned to the 'ip' shell script variable, which I use
extensively later on in my own rc.firewall script.

Every time my modem connects, my firewall setup is automatically reset and updated for my
new IP address.

I haven't tried to see if it is possible to pass MYADDR as a parameter to the script in
/etc/ppp/ppp.linkup.  That might work too, but since I have a working setup for now, I
haven't been motivated to change things to find out.

I don't know if this is of any use to you in your situation, esp. since you mentioned that
this sort of thing is not what you were looking for or asking.  

Aaron out.
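
Added example (not part of the original message or of FreeBSD's rc.firewall): the same 'netstat -in' lookup written as a shell function that fails when no address is found. With the perl one-liner above, a non-matching line leaves 'ip' as an empty string, and every later rule that uses it is built from that. The function name tun_addr and the sample netstat output are assumptions made for this illustration.

```sh
#!/bin/sh
# Added example, not from the original message.

# tun_addr IFACE: read `netstat -in`-style text on stdin, print the IPv4
# address in the Address column for IFACE, return 1 if none is valid.
tun_addr() {
    iface=$1
    addr=$(awk -v ifc="$iface" '
        $1 == ifc && $4 ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/ { print $4; exit }
    ')
    [ -n "$addr" ] || return 1
    # Split on dots and check that every octet is in 0..255.
    old_ifs=$IFS; IFS=.
    set -- $addr
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ "$octet" -le 255 ] 2>/dev/null || return 1
    done
    printf '%s\n' "$addr"
}

# Constructed sample of `netstat -in` output (all values are made up).
sample='Name  Mtu   Network   Address      Ipkts Ierrs Opkts Oerrs Coll
lo0   16384 127       127.0.0.1      120     0   120     0    0
tun0  1500  <Link#5>                   0     0     0     0    0
tun0  1500  10.2.6    10.2.6.112       0     0     0     0    0'

# In a real rc.firewall (assumption about how it would be wired in):
#   ip=$(/usr/bin/netstat -in | tun_addr tun0) || exit 1
if ip=$(printf '%s\n' "$sample" | tun_addr tun0); then
    echo "tun0 address: $ip"
else
    echo "no valid tun0 address; not touching firewall rules" >&2
fi
```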
