Firewall Script Required for bootscripts

Dagmar d'Surreal dagmar.wants at nospam.com
Wed Mar 24 08:42:37 PST 2004


On Tue, 2004-03-23 at 21:45, Ryan.Oliver at pha.com.au wrote:
> 
> > and I've been avoiding
> > binding rules to IP address until I can think completely through what
> > happens when a DHCP-managed host has its IP change.  At the moment I
> > think I'm going with "most daemons break when this happens anyway, so
> > it's moot" but I'm hoping inspiration will strike.
> 
> Shouldn't be any need to use an IP in the filtering, filter based on
> interfaces and ports only... Only time IP becomes important is when doing
> NAT...

Yes, but it's not going to be very useful if I've put in firewall hooks
that will only work properly for bastion firewalling and break the
functionality of the machine as a gateway filter.  Anyway, I decided
last night I was on something of the right track with the permit_* and
revoke_* directives... I'm going to hack some more coherency into those
routines to allow for more granular rules to be set.

> Usually most daemons listen on *:port unless bound to an IP address
> in their conf (they just listen on a port) so just continue to function
> (existing sessions of course die).

Usually _old_ daemons bind to INADDR_ANY like that.  Newer daemons
almost always have options to bind to a particular interface (thanks to
the more common use of multi-homed machines now).  Afaik, already bound
services aren't guaranteed to notice anything has happened to the
interface until they try to write to it, _if_ they ever try.

> For ones that don't, it would probably be a trivial script to
> write to detect a change in the dhcp lease and restart affected network services.

It's actually _not_ that trivial to handle restarting affected network
service daemons, which is why I kinda wish we had a dependency hold loop
for services that require network functionality to be of use (like
apache) like I've heard it rumored that Gentoo does.

Thankfully it _is_ trivial to write a hook that would get us to that
point, using ISC's dhclient.  Looking at the man pages gets you a lot
more detail, but basically, every time dhclient is invoked, it sets a
number of environment variables and then calls /sbin/dhclient-script,
which in turn calls /etc/dhclient-enter-hooks at the outset, and
/etc/dhclient-exit-hooks at the end of what it does.  This is where you
can stick things like scripts to update your RR entries with dynamic DNS
services like no-ip.org.  (This is why I am baffled that some people
still use dhcpcd and dhcpd.  Ted Lemon has made ISC's dhcp package into
an incredibly robust reference implementation of the protocol.)
-- 
The email address above is phony because my penis is already large enough, kthx. 
              AIM: evilDagmar  Jabber: evilDagmar at jabber.org
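As an added example (not code from this thread or from Dagmar's bootscripts), here is a /etc/dhclient-exit-hooks fragment that does what the message above describes: dhclient-script sources it after each lease event, and it compares the old and new addresses to decide whether address-bound daemons need a restart and whether host-bound firewall rules need to be redone. The variable names reason, interface, old_ip_address and new_ip_address are the ones dhclient-script exports; the service list and the `/etc/rc.d/init.d/firewall reload` command are assumptions for the example. The decision logic is split into functions that return or print their result, so it can be exercised without actually restarting anything.

```shell
#!/bin/sh
# /etc/dhclient-exit-hooks (added example, not from the original post).
# Sourced by ISC dhclient-script at the end of its run. dhclient-script
# exports $reason, $interface, $old_ip_address and $new_ip_address; the
# service list and the firewall init script below are assumptions.

# Daemons assumed to bind a specific address (INADDR_ANY listeners do
# not need this). Space-separated init script names under /etc/rc.d/init.d.
ADDR_BOUND_SERVICES="${ADDR_BOUND_SERVICES:-apache sshd}"

# lease_address_changed REASON OLD NEW
# Returns 0 when a lease event (BOUND/RENEW/REBIND/REBOOT) delivered an
# address different from the one we had; 1 for any other case, including
# EXPIRE/FAIL/RELEASE (no new address) and a renewal of the same address.
lease_address_changed() {
    _reason=$1; _old=$2; _new=$3
    case "$_reason" in
        BOUND|RENEW|REBIND|REBOOT) ;;
        *) return 1 ;;
    esac
    [ -n "$_new" ] || return 1
    [ "$_old" != "$_new" ]
}

# plan_for_change IFACE OLD NEW "SERVICES"
# Prints, one per line, the commands an address change calls for. Keeping
# the plan separate from execution lets it be logged and dry-run.
plan_for_change() {
    _iface=$1; _old=$2; _new=$3; _services=$4
    # Rules keyed on the old address on this interface are now stale, so
    # the whole firewall is reloaded against the new address (assumed script).
    echo "/etc/rc.d/init.d/firewall reload"
    # Address-bound daemons keep listening on the old address; restart them.
    for _svc in $_services; do
        echo "/etc/rc.d/init.d/$_svc restart"
    done
}

# run_plan IFACE OLD NEW "SERVICES"
# Executes the plan, logging each step through syslog so a failed restart
# after a lease change is visible rather than silent.
run_plan() {
    plan_for_change "$@" | while IFS= read -r _cmd; do
        logger -t dhclient-exit-hooks "address on $1 changed $2 -> $3: $_cmd"
        sh -c "$_cmd" || logger -t dhclient-exit-hooks "FAILED: $_cmd"
    done
}

# Only act when actually invoked by dhclient-script (it sets $reason).
if [ -n "$reason" ] && \
   lease_address_changed "$reason" "$old_ip_address" "$new_ip_address"; then
    run_plan "$interface" "$old_ip_address" "$new_ip_address" "$ADDR_BOUND_SERVICES"
fi
```

Because the file is sourced rather than executed, it needs no execute bit. To see what a given event would do without touching any daemon, source the file and call `plan_for_change eth0 192.0.2.10 192.0.2.20 "$ADDR_BOUND_SERVICES"` by hand; the first BOUND on boot (empty old address) also counts as a change, which is what you want, since the firewall has not seen any address yet at that point.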