Firewall Script Required for bootscripts

Dagmar d'Surreal dagmar.wants at
Wed Mar 24 08:42:37 PST 2004

On Tue, 2004-03-23 at 21:45, Ryan.Oliver at wrote:
> > and I've been avoiding
> > binding rules to IP address until I can think completely through what
> > happens when a DHCP-managed host has its IP change.  At the moment I
> > think I'm going with "most daemons break when this happens anyway, so
> > it's moot" but I'm hoping inspiration will strike.
> Shouldn't be any need to use an IP in the filtering, filter based on
> interfaces and ports only... Only time IP becomes important is when doing
> NAT...

Yes, but it's not going to be very useful if I've put in firewall hooks
that will only work properly for bastion firewalling and break the
functionality of the machine as a gateway filter.  Anyway, I decided
last night I was on something of the right track with the permit_* and
revoke_* directives... I'm going to hack some more coherency into those
routines to allow for more granular rules to be set.

> Usually most daemons listen on *:port unless bound to an IP address
> in their conf (they just listen on a port) so just continue to function
> (existing sessions of course die).

Usually _old_ daemons bind to INADDR_ANY like that.  Newer daemons
almost always have options to bind to a particular interface (thanks to
the more common use of multi-homed machines now).  Afaik, already bound
services aren't guaranteed to notice anything has happened to the
interface until they try to write to it, _if_ they ever try.

> For ones that don't it would probably be a trivial script to
> write to detect change in dhcp lease and restart affected network services.

It's actually _not_ that trivial to handle restarting affected network
service daemons, which is why I kinda wish we had a dependency hold loop
for services that require network functionality to be of use (like
apache) like I've heard it rumored that Gentoo does.

Thankfully it _is_ trivial to write a hook that would get us to that
point, using ISC's dhclient.  Looking at the man pages gets you a lot
more detail, but basically, every time dhclient is invoked, it sets a
number of environment variables and then calls /sbin/dhclient-script,
which in turn calls /etc/dhclient-enter-hooks at the outset, and
/etc/dhclient-exit-hooks at the end of what it does.  This is where you
can stick things like scripts to update your RR entries with dynamic DNS
services like  (This is why I am baffled that some people
still use dhcpcd and dhcpd.  Ted Lemon has made ISC's dhcp package into
an incredibly robust reference implementation of the protocol.)
The email address above is phony because my penis is already large enough, kthx. 
              AIM: evilDagmar  Jabber: evilDagmar at
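As an added example (not from the original post, the hlfs bootscripts, or ISC's dhcp package), here is an /etc/dhclient-exit-hooks fragment of the kind described above: dhclient-script sources it with $reason, $old_ip_address and $new_ip_address already exported, and it restarts address-bound services only when the lease actually moved the address. The service list and the /etc/rc.d/init.d bootscript path are assumptions.

```shell
#!/bin/sh
# /etc/dhclient-exit-hooks: sourced by /sbin/dhclient-script after every lease event.
# dhclient exports $reason, $interface, $old_ip_address, $new_ip_address (see dhclient-script(8)).

# Assumed: daemons on this host configured to bind a specific address, not INADDR_ANY.
ADDR_BOUND_SERVICES="${ADDR_BOUND_SERVICES:-apache sshd}"
# Assumed log location for what the hook decided and did.
HOOK_LOG="${HOOK_LOG:-/var/log/dhclient-hooks.log}"

# True (exit 0) only when an address-acquiring event changed the interface address.
# Teardown events (EXPIRE, FAIL, RELEASE, STOP) are left alone: a daemon bound to a
# dead address cannot be restarted usefully until a new lease arrives anyway.
address_changed() {
    _reason="$1"; _old="$2"; _new="$3"
    case "$_reason" in
        BOUND|RENEW|REBIND|REBOOT)
            [ -n "$_new" ] && [ "$_old" != "$_new" ] ;;
        *)  return 1 ;;
    esac
}

# Print the services to restart for this event, one per line; print nothing if
# the address is unchanged (a plain RENEW must not bounce every daemon).
services_to_restart() {
    address_changed "$1" "$2" "$3" || return 0
    for _svc in $ADDR_BOUND_SERVICES; do
        printf '%s\n' "$_svc"
    done
}

# Restart one service through its bootscript; DRY_RUN=1 only logs the decision.
restart_service() {
    if [ -n "$DRY_RUN" ]; then
        echo "would restart $1" >>"$HOOK_LOG"
    else
        /etc/rc.d/init.d/"$1" restart >>"$HOOK_LOG" 2>&1
    fi
}

# Entry point: only runs when dhclient-script has exported a lease event.
if [ -n "$reason" ]; then
    echo "$reason on $interface: $old_ip_address -> $new_ip_address" >>"$HOOK_LOG"
    for _svc in $(services_to_restart "$reason" "$old_ip_address" "$new_ip_address"); do
        restart_service "$_svc"
    done
fi
```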
