Dynamic IP and pf?
Christopher McGee
chris at xecu.net
Fri Jan 14 12:23:29 PST 2005
Saad Kadhi wrote:
> On 14/01/2005 20:39 Christopher McGee wrote:
>
>> I have a cable modem that provides a dynamic IP address to the
>> outside interface of my firewall(5.3 with PF doing NAT). If my IP
>> address changes I have to run a script to update my dynamic dns and
>> reload my firewall rules based on the new IP address. Is there a
>> recommended way of doing this other than having cron check to see if
>> the IP address has changed?
>
> the PF version integrated into 5.3 supports dynamic IPs by putting
> parentheses around the interface name as explained in
> http://www.openbsd.org/faq/pf/filter.html :
> <excerpt>
> The name of a network interface in parentheses ( ). This tells PF to
> update the rule if the IP address(es) on the named interface change.
> This is useful on an interface that gets its IP address via DHCP or
> dial-up as the ruleset doesn't have to be reloaded each time the
> address changes.
> </excerpt>
>
> for example:
> my_if="hme0"
> [...]
> nat on $my_if proto tcp from any to any -> ($my_if)
> [...]
> pass in quick on $my_if proto tcp from any to ($my_if) port domain
> flags S/SAFR keep state
>
I have set up my pf ruleset using the parentheses. I didn't realize it
would auto update them. I thought I would still need to reload the
rules so that it re-reads the interface IP. I still have the dilemma of
dynamic dns and a couple of other scripts that I run, based on the IP,
that will require being run if the IP ever changes. I'm thinking there
should be something I can do in /etc/dhclient.conf maybe to run them?
Chris
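One way to do what Chris is asking about at the end, as an added example that is not from the thread: FreeBSD's dhclient-script(8) sources /etc/dhclient-exit-hooks after every lease event with $reason, $interface, $old_ip_address and $new_ip_address exported, so the hook can run the dynamic DNS update and other address-dependent scripts only when the address really changed, while pf needs no reload thanks to the ( ) syntax. The script path, hook directory and interface name below are assumptions.

```shell
#!/bin/sh
# /etc/dhclient-exit-hooks (added example, not from the original thread).
# FreeBSD's dhclient-script(8) sources this file after each lease event and
# exports $reason, $interface, $old_ip_address and $new_ip_address to it.
# pf itself needs no reload: rules written with ($ext_if) track the address.
# The two paths and the interface name below are assumptions for this example.
DDNS_UPDATE="${DDNS_UPDATE:-/usr/local/bin/update-ddns.sh}"  # hypothetical script
EXTRA_HOOKS="${EXTRA_HOOKS:-/usr/local/etc/ip-change.d}"      # hypothetical directory
WAN_IF="${WAN_IF:-fxp0}"                                      # constructed name

# address_changed OLD NEW REASON: succeed only when a lease event that can
# carry an address (not EXPIRE/FAIL/TIMEOUT) hands us a different address.
address_changed() {
    old="$1"; new="$2"; why="$3"
    case "$why" in
        BOUND|RENEW|REBIND|REBOOT) ;;
        *) return 1 ;;
    esac
    [ -n "$new" ] || return 1
    [ "$old" != "$new" ]
}

# run_hook SCRIPT ADDR DRY: run SCRIPT with the new address as its argument,
# or only report what would run when DRY is 1 (handy for testing by hand).
run_hook() {
    if [ "$3" = 1 ]; then echo "would run: $1 $2"; else "$1" "$2"; fi
}

# run_ip_change_hooks ADDR [DRY]: the dynamic DNS update the poster already
# has, then any per-site scripts dropped into $EXTRA_HOOKS, one per file.
run_ip_change_hooks() {
    new="$1"; dry="${2:-0}"
    [ "$dry" = 1 ] || logger -t dhclient-exit-hooks "$WAN_IF now $new; running IP-change hooks"
    run_hook "$DDNS_UPDATE" "$new" "$dry"
    if [ -d "$EXTRA_HOOKS" ]; then
        for h in "$EXTRA_HOOKS"/*; do
            [ -x "$h" ] && run_hook "$h" "$new" "$dry"
        done
    fi
    return 0
}

# Entry point when sourced by dhclient-script: $reason is empty when this
# file is run by hand, so nothing fires outside a real lease event.
if [ "${interface:-}" = "$WAN_IF" ] &&
   address_changed "${old_ip_address:-}" "${new_ip_address:-}" "${reason:-}"; then
    run_ip_change_hooks "$new_ip_address"
fi
```

A RENEW that returns the same lease is the common case, and the comparison keeps the DNS update and other scripts quiet then.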