Re: IPfw and DHCP

From: Bart Matthaei (bart@xs4nobody.nl)
Date: 08/21/01


Date: Tue, 21 Aug 2001 13:00:16 +0200
From: Bart Matthaei <bart@xs4nobody.nl>
To: Peter Pentchev <roam@ringlet.net>

ipfw add deny all from 192.0.0.0/8 to any via xl1

nuff said :)

rgds,

Bart

On Tue, Aug 21, 2001 at 01:56:23PM +0300, Peter Pentchev wrote:
> On Tue, Aug 21, 2001 at 12:42:03PM +0200, Bart Matthaei wrote:
> > Run dhclient before you load the firewall rules..
> >
> > and use recv and via <if> instead of ip addresses :)
>
> recv and via <if> do not provide the security that an IP address
> provides. In particular, both 'recv' and 'via <if>' fail to protect
> against the following case:
>
> NIC 1 xl0 192.168.0.13 RFC1918 LAN
> NIC 2 xl1 128.128.128.128 public
>
> ipfw add allow any recv via xl1
>
> This would let a packet with a destination address of 192.168.0.13
> via your public interface. And believe me, the chances of such a
> packet appearing on the wire are not so slim these days :)
>
> A better solution would be to have dhclient run *after* the initial
> firewall setup (after the firewall rulesets are flushed), and
> define hooks for obtaining/renewing/expiring a lease, which add or
> remove firewall rules as appropriate. Unfortunately, I've never done
> DHCP hooks, and I have no idea on how exactly to provide those.
> (Maybe it's as simple as putting something similar to /sbin/dhclient-script
> into /etc/dhclient-exit-hooks?)
>
> G'luck,
> Peter
>
> --
> Nostalgia ain't what it used to be.
>
> > On Tue, Aug 21, 2001 at 11:53:43AM +0200, Lasse Osterberg wrote:
> > > Hi All,
> > >
> > > Is there any way at system startup and/or via a cron job to pass my DHCP
> > > IP address from my external interface to rc.firewall?
> > > So my firewall rules still work if my external DHCP lease gets a new
> > > IP address.

-- 
Bart Matthaei           |       bart@xs4nobody.nl
                        |          +31 6 24907042
-------------------------------------------------
/* It's always funny until someone gets hurt..
 * (and then it's just hilarious)              */
To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
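Peter's suggested approach (dhclient hooks that add or remove rules on lease events), as an added example that is not from this thread: an /etc/dhclient-exit-hooks fragment that re-keys the public-interface rules to the concrete leased address. It assumes dhclient-script sources the file with the standard $reason, $interface, $new_ip_address and $old_ip_address variables set, and that rule number 1000 is a free slot in the ruleset; IPFW can be overridden (IPFW=echo) to dry-run without touching the kernel.

```shell
#!/bin/sh
# /etc/dhclient-exit-hooks fragment (added example, not from the thread).
# Rules under DHCP_RULE are bound to the leased address itself, so a packet
# for the RFC1918 side arriving on the public NIC never matches them.
DHCP_RULE=${DHCP_RULE:-1000}   # assumed free rule slot
IPFW=${IPFW:-/sbin/ipfw}       # override with IPFW=echo for a dry run

# Drop every rule installed under the DHCP slot; ignore "no such rule".
ipfw_dhcp_flush() {
    $IPFW -q delete "$DHCP_RULE" 2>/dev/null
    return 0
}

# Install rules keyed to the leased address ($2) on interface ($1):
# outbound only from our address, inbound only if really addressed to it.
ipfw_dhcp_install() {
    ifc=$1; addr=$2
    $IPFW -q add "$DHCP_RULE" allow ip from "$addr" to any out xmit "$ifc"
    $IPFW -q add "$DHCP_RULE" allow ip from any to "$addr" in recv "$ifc"
}

# Entry point: $1=reason $2=interface $3=new_ip_address $4=old_ip_address
ipfw_dhcp_hook() {
    case $1 in
    BOUND|RENEW|REBIND|REBOOT)
        # a renewal that keeps the same address needs no rule churn
        [ "$3" = "$4" ] && return 0
        ipfw_dhcp_flush
        ipfw_dhcp_install "$2" "$3"
        ;;
    EXPIRE|FAIL|RELEASE|STOP)
        # lease gone: leave nothing that still names the old address
        ipfw_dhcp_flush
        ;;
    esac
}

# When sourced by dhclient-script these variables are already exported.
if [ -n "$reason" ]; then
    ipfw_dhcp_hook "$reason" "$interface" "$new_ip_address" "$old_ip_address"
fi
```

Because the hook only manages its own rule number, the static anti-spoofing rules loaded by rc.firewall (such as the deny for 192.0.0.0/8 via xl1 above) stay untouched across lease changes.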

