Subject: Re: IPFiler ( ipf ) for dial-up and LAN
To: R. C. Dowdeswell <elric@imrryr.org>
From: Steven M. Bellovin <smb@research.att.com>
List: port-i386
Date: 04/15/2002 00:01:20
In message <20020415035837.00D56174D2@arioch.imrryr.org>, Roland Dowdeswell writes:
>
>On 1018840830 seconds since the Beginning of the UNIX epoch
>David Forrai wrote:
>>
>>I was trying to make it such that when my machine booted it was ready to forward
>>packets after dial-up without manual intervention (i.e. restarting ipfilter).
>>
>>As for the other statements regarding security, read the subject line: "for
>>dial-up".  In a dial-up situation you don't have to worry about packet forwarding
>>before firewalling because dial-up is an on demand process that occurs after boot.
>
>What I typically do for my dial-up box is that since the IP address
>is assigned dynamically and I want the packet filter rules and NAT
>rules to depend on the address, I set it all up in /etc/ppp/ip-up
>and destroy it all in /etc/ppp/ip-down.  I believe that pppd(8)
>guarantees that the TRT happens, because it processes no packets
>until /etc/ppp/ip-up exits.

At least for NAT, all you need to run is 'ipf -y'.

		--Steve Bellovin, http://www.research.att.com/~smb
		Full text of "Firewalls" book now at http://www.wilyhacker.com
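As an added illustration of the ip-up/ip-down approach Roland describes (this is example code written here, not a script from the thread or from NetBSD), the following sh script builds IPFilter and ipnat rules from the local address that pppd(8) hands to /etc/ppp/ip-up and /etc/ppp/ip-down as the fourth argument (pppd's argument order is interface, tty, speed, local IP, remote IP, ipparam). It assumes ipf and ipnat live in /sbin, that the LAN behind the dial-up box is 192.168.1.0/24 (a constructed placeholder), and that generated rule files go under /var/run (a hypothetical location). Installed as both /etc/ppp/ip-up and /etc/ppp/ip-down, it loads address-dependent rules when the link comes up and tears them down, leaving a default deny on the link, when it goes down; run without those names it only defines the functions.

```shell
#!/bin/sh
# Added example: address-dependent ipf/ipnat rules driven by pppd's ip-up/ip-down hooks.
# Assumptions (not from the thread): /sbin/ipf, /sbin/ipnat, LAN 192.168.1.0/24,
# rule files written under /var/run.

LAN_NET="${LAN_NET:-192.168.1.0/24}"   # constructed placeholder for the LAN behind the box
RULE_DIR="${RULE_DIR:-/var/run}"       # hypothetical location for generated rule files

# Emit an ipf ruleset for dial-up interface $1 whose local address is $2.
# Inbound on the link is default-deny; the only packets let back in are
# replies to state created by our own outbound traffic. Packets arriving
# from the link that claim our own address or a LAN/loopback source are
# spoofed and get logged.
gen_ipf_rules() {
    iface=$1; addr=$2
    cat <<EOF
# generated for $iface address $addr
block in log quick on $iface from $addr/32 to any
block in log quick on $iface from $LAN_NET to any
block in log quick on $iface from 127.0.0.0/8 to any
block in quick on $iface all
pass out quick on $iface proto tcp from any to any flags S keep state
pass out quick on $iface proto udp from any to any keep state
pass out quick on $iface proto icmp from any to any keep state
block out log quick on $iface all
EOF
}

# Emit ipnat map rules translating the LAN to the assigned address $2 on $1.
# The first rule handles TCP/UDP with a port range, the second everything else.
gen_ipnat_rules() {
    iface=$1; addr=$2
    cat <<EOF
map $iface $LAN_NET -> $addr/32 portmap tcp/udp 40000:60000
map $iface $LAN_NET -> $addr/32
EOF
}

# ip-up: write the rule files, then flush and load them (only if ipf is present).
ip_up() {
    _if=$1; _ip=$2
    gen_ipf_rules   "$_if" "$_ip" > "$RULE_DIR/ipf.$_if.conf"
    gen_ipnat_rules "$_if" "$_ip" > "$RULE_DIR/ipnat.$_if.conf"
    if [ -x /sbin/ipf ] && [ -x /sbin/ipnat ]; then
        /sbin/ipf -Fa -f "$RULE_DIR/ipf.$_if.conf"       # flush all rules, load filter set
        /sbin/ipnat -CF -f "$RULE_DIR/ipnat.$_if.conf"   # clear NAT rules and sessions, load map rules
    fi
}

# ip-down: remove the NAT and filter rules for the link and leave a
# block-everything pair on the interface so nothing passes by default.
ip_down() {
    _if=$1
    if [ -x /sbin/ipf ] && [ -x /sbin/ipnat ]; then
        /sbin/ipnat -CF
        /sbin/ipf -Fa
        printf 'block in quick on %s all\nblock out quick on %s all\n' "$_if" "$_if" | /sbin/ipf -f -
    fi
    rm -f "$RULE_DIR/ipf.$_if.conf" "$RULE_DIR/ipnat.$_if.conf"
}

# Dispatch on the name pppd invoked us by; $1 is the interface, $4 the local address.
case "${0##*/}" in
    ip-up)   ip_up   "$1" "$4" ;;
    ip-down) ip_down "$1" ;;
esac
```

Steve's point applies to the ipnat half: if the map rules are written with `0/32` as the translation address instead of the literal assigned address, the NAT rules need not be regenerated at all, and `ipf -y` in ip-up is enough to resync them with the interface's current address. The filter rules that mention the address (the anti-spoof line above) still want regenerating, which is why the ip-up hook remains the natural place for both.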