Subject: Re: ipf problem
To: Torsten Sadowski <>
From: Laine Stump <>
List: netbsd-users
Date: 09/15/2004 19:48:43
At 03:06 PM 9/15/2004, Torsten Sadowski wrote:
>Thank you for the insight. This mean for me I can't use this approach for
>the router itself because the IP is dynamic.

You have two choices (well, you probably have more, and probably better 
than these, but these are the two that I've used):

1) You can use "any" for the local-side IP address. Especially for outgoing 
connections, this really isn't a security problem (unless you are concerned 
about someone logged into your router running a program that spoofs the 
source IP of packets it sends out)

2) You can make a template file for your ipf.conf, and a short script that 
runs when triggered by dhclient, and puts the new IP address into the 
proper places in the template, then reloads ipf.

(ipnat will automatically replace 0/32 in its config with the current IP of 
the interface being used. I don't know if ipf has a similar trick).