List:       ipfilter
Subject:    RE: Dynamic IP Filtering
From:       "David Jobes" <renegade () xscanners ! net>
Date:       2001-04-29 19:29:14

These are the configs I use for my cable-based NAT system; they have worked
flawlessly for over 2 months now. Hope the info helps. The IP has changed
since I have had this, but the rules have not. Hope this helps.

hostname.fxp0
dhcp

ipnat.rules
rdr fxp2 192.168.1.0/24 port 80 -> 127.0.0.1 port 80 tcp
map fxp2 192.168.1.0/24 -> 0/32 portmap tcp/udp 6000:50000
map fxp2 192.168.1.0/24 -> 0/32

ipf.rules
#Interface Information
#
# fxp0 - External
# fxp1 - Internal
#-----------------------------------------------
# Group Setup
#
pass out from any to any

# Block the nasties
block in log quick on fxp2 proto tcp from any to any flags FUP
block in quick on fxp2 proto icmp from any to any icmp-type redir
block in log quick on fxp2 proto tcp/udp from any to any with short
block in log quick on fxp2 from any to any with ipopts head 100
block in log on fxp2 proto tcp from any to any flags S/SA head 200
block return-rst in log on fxp2 proto tcp from any to any flags S/SA
block return-rst in on fxp2 proto tcp from any to any port = auth flags S/SA

# Block private addresses from outside the firewall
block in log quick on fxp2 from 192.168.4.0/24 to any group 100
block in log quick on fxp2 from 127.0.0.1 to any group 100
block in log quick on fxp2 from 10.0.0.0/8 to any group 100
block in log quick on fxp2 from 172.16.0.0/12 to any group 100

# Block other nasties like unwieldy UDP and sunrpc
block in on fxp2 proto udp from any to any group 100
block in log on fxp2 proto udp from any to any port = sunrpc

# Block ICMP Inbound/Allow outbound but allow traceroute
pass out quick on fxp2 proto icmp from 192.168.1.0/24 to any keep state
block in quick on fxp2 fastroute proto udp from any to any port 33434 >< 33465

# Allow Well Known Services from internal hosts
pass in quick proto tcp/udp from any to any port = 53 keep state

# ssh connections from internal network
pass in on fxp1 proto tcp from 192.168.1.0/24 to 192.168.1.1/32 port = ssh keep state
pass in on fxp1 proto tcp from 192.168.1.0/24 to 192.168.1.1/32 port = 321 keep state
pass in on fxp1 proto tcp from 192.168.1.0/24 to 192.168.1.1/32 port = 443 keep state

-----Original Message-----
From: owner-ipfilter@coombs.anu.edu.au
[mailto:owner-ipfilter@coombs.anu.edu.au]On Behalf Of Laine Stump
Sent: Sunday, April 29, 2001 1:25 PM
To: Gary Barnden
Cc: ipfilter@coombs.anu.edu.au
Subject: Re: Dynamic IP Filtering


Gary Barnden <gary@braenet.com.au> writes:

> Periodically the IP address on interface fxp0 will change due to
> DHCP. How can I make IPF deal with dynamic IP addressing as part of
> the rule set?
>
> Currently I achieve the desired result with various scripts, which is not
> ideal.

Assuming that you have those scripts run automatically by calling them
from the dhclient-exit-hooks script, what isn't ideal about it? (If your
IP address has changed, the old state you're losing wouldn't have been
of any use anyway.)

>
> How do other people cope with dynamic IP addressing with IPF?
>

In theory - see above (read the manpage for dhclient-script for
details). In practice, my ISP has repeatedly/consistently given me the
same IP address for the last 5 months, so I never got around to
putting the stuff into dhclient hooks. ;-)
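
Added example, not from either poster or the IPFilter project: a /etc/dhclient-exit-hooks fragment that does what the reply above suggests, regenerating and reloading the rule set only when the lease actually delivers a new address. It assumes ISC dhclient (dhclient-script sources the hook file with $reason, $interface, $old_ip_address and $new_ip_address set), IPFilter's ipf(8)/ipnat(8) commands, fxp0 as the external interface, and a template path with @EXTIF@/@EXTIP@ placeholders that are the example's own convention; the inline rules are constructed sample rules, not the configuration posted above.

```shell
#!/bin/sh
# Added example, not from the original post or the IPFilter project: a
# /etc/dhclient-exit-hooks fragment that regenerates and reloads the IPFilter
# rule set when the lease on the external interface delivers a new address.
# Assumes ISC dhclient, whose dhclient-script sources this file with $reason,
# $interface, $old_ip_address and $new_ip_address set, plus ipf(8)/ipnat(8).
# The file paths, the @EXTIF@/@EXTIP@ placeholders and fxp0 as the external
# interface are assumptions for the example.

RULE_TEMPLATE=/etc/ipf.rules.in   # rules with @EXTIP@ where the WAN address goes
RULE_FILE=/etc/ipf.rules          # generated file that is loaded into the kernel
NAT_FILE=/etc/ipnat.rules
EXT_IF=fxp0

# Return 0 only when the lease event actually changed the address. Only the
# lease-delivering reasons carry a usable $new_ip_address, and a RENEW that
# keeps the same address must not cost a rule and state flush.
address_changed() {  # $1=reason  $2=old address  $3=new address
    case "$1" in
        BOUND|RENEW|REBIND|REBOOT) ;;
        *) return 1 ;;
    esac
    [ -n "$3" ] && [ "$2" != "$3" ]
}

# Emit the rule set for an interface/address pair by filling in the template.
# When $RULE_TEMPLATE is not readable, a constructed inline template is used,
# so the function also works on a machine without IPFilter installed.
ipf_rules_for() {  # $1=external interface  $2=its current address
    if [ -r "$RULE_TEMPLATE" ]; then
        tmpl=$(cat "$RULE_TEMPLATE")
    else
        tmpl='# generated for @EXTIF@ with address @EXTIP@
pass out quick on @EXTIF@ from @EXTIP@/32 to any keep state
pass in quick on @EXTIF@ proto tcp from any to @EXTIP@/32 port = ssh keep state
block in log quick on @EXTIF@ from any to @EXTIP@/32'
    fi
    printf '%s\n' "$tmpl" | sed -e "s|@EXTIF@|$1|g" -e "s|@EXTIP@|$2|g"
}

# Write the new rule file, flush the old rules and the state table (useless
# once the address is gone, as the reply above notes), then load the new set
# and re-read the NAT rules. ipf -Fa flushes all rules, -FS all state entries;
# ipnat -CF clears the NAT rule list and active mappings before -f reloads.
reload_ipf() {  # $1=external interface  $2=new address
    ipf_rules_for "$1" "$2" > "$RULE_FILE.tmp" && mv "$RULE_FILE.tmp" "$RULE_FILE"
    ipf -Fa
    ipf -FS
    ipf -f "$RULE_FILE"
    ipnat -CF -f "$NAT_FILE"
}

# Hook body: only act when dhclient-script sourced us for the external interface.
if [ -n "${reason:-}" ] && [ "${interface:-}" = "$EXT_IF" ]; then
    if address_changed "$reason" "${old_ip_address:-}" "${new_ip_address:-}"; then
        reload_ipf "$interface" "$new_ip_address"
    fi
fi
```

To try it by hand before trusting it to the lease timer, run it the way dhclient-script would, e.g. reason=BOUND interface=fxp0 old_ip_address=198.51.100.2 new_ip_address=203.0.113.7 sh /etc/dhclient-exit-hooks, and check ipfstat -io afterwards. A RENEW that keeps the same address is deliberately a no-op, since flushing state for nothing would drop every open connection through the box.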
