Subject: Re: auto-update ipf.conf
To: Matt Herzog <mherzog@attbi.com>
From: Giorgos Keramidas <keramida@ceid.upatras.gr>
List: netbsd-help
Date: 07/08/2002 00:50:54
On 2002-07-07 16:02 +0000, Matt Herzog wrote:
> Hi All.
>
> I'm trying to find a safe way to update my ipf.conf file automatically when
> I get a new IP address from my dhcp server. I seem to keep the same IP for
> up to a year sometimes so this is not a critical thing. I just feel like I
> ought to be able to do it.
Easy to fix. Just don't filter based on IP address. My rules for
ipfilter always use the interface for filtering instead of explicit IP
addresses, as shown below:
block in log from any to any
block out log from any to any
# Allow everything on lo0.
pass in quick on lo0 from 127.0.0.1/32 to 127.0.0.1/32
pass out quick on lo0 from 127.0.0.1/32 to 127.0.0.1/32
# Handle local ISP silliness.
block in quick proto igmp from any to any
block in quick proto pim from any to any
block in quick proto ospf from any to any
# Block private net addresses on dialup link.
block in log quick on tun0 from 10.0.0.0/8 to any
block in log quick on tun0 from 172.16.0.0/12 to any
block in log quick on tun0 from 192.168.0.0/16 to any
...