Firewalling 90% complete & tested, questions about writing tone

Dagmar d'Surreal dagmar.wants at
Sat May 1 13:12:55 PDT 2004

On Thu, 2004-04-29 at 18:16, Kelly Anderson wrote:

> It's not too hard to solve that problem.  Something along these lines
> will take care of it.  Have your iptables script write the interface's
> IP to /var/run/dhcpc/iptables-${IF_UNSECURE}.info.  This is part of a
> script that I put in /etc/cron.hourly.  You can probably figure out how
> you'd want to incorporate it in your stuff.

This is one of the nearly unsolvable points I've got left over.  A tip:
if you use ISC's dhclient, you have /etc/dhclient-exit-hooks that gets
called every time something DHCP-related happens, so you don't have to
put that code into a cron job.  Whatever you put into
/etc/dhclient-exit-hooks will be able to know about it the moment the
host's IP address changes.  If you're using a monolithic firewalling
script this will work, but I've not been able to come up with an easy
way to do the same thing for modular rulesets in anything remotely
approaching an elegant fashion.
 
              AIM: evilDagmar  Jabber: evilDagmar at
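
The hook approach described in this message, as an added example that is not part of the original thread: a body for /etc/dhclient-exit-hooks that re-runs a monolithic firewall script only when the lease brings a new address. The state file name follows the quoted message; FIREWALL_SCRIPT and the fw_* function names are assumptions, and the script is assumed to rewrite the state file itself.

```shell
#!/bin/sh
# Added example for /etc/dhclient-exit-hooks. The file is sourced by
# dhclient-script, so it must never call "exit". dhclient-script sets
# $reason, $interface and $new_ip_address before sourcing it.
STATE_DIR="${STATE_DIR:-/var/run/dhcpc}"
# Hypothetical path to the monolithic firewall script (an assumption).
FIREWALL_SCRIPT="${FIREWALL_SCRIPT:-/etc/rc.d/rc.firewall}"

# Succeeds only for a dotted quad with four octets in 0..255.
fw_valid_ipv4() {
    case "$1" in ""|*[!0-9.]*|.*|*.|*..*) return 1 ;; esac
    fw_ifs=$IFS; IFS=.; set -- $1; IFS=$fw_ifs
    [ $# -eq 4 ] || return 1
    for fw_o in "$@"; do
        [ "${#fw_o}" -le 3 ] && [ "$fw_o" -le 255 ] || return 1
    done
    return 0
}

# fw_ip_changed IFACE NEW_IP: succeeds if NEW_IP differs from the address
# the firewall script last recorded. Lease data is supplied by the DHCP
# server, so both values are validated before use in a file name.
fw_ip_changed() {
    case "$1" in ""|*[!A-Za-z0-9_.-]*) return 1 ;; esac
    fw_valid_ipv4 "$2" || return 1
    fw_state="$STATE_DIR/iptables-$1.info"
    if [ -r "$fw_state" ] && [ "$(cat "$fw_state")" = "$2" ]; then
        return 1
    fi
    return 0
}

# fw_dhcp_hook REASON IFACE NEW_IP: reload the rules on lease events that
# can carry a new address; other events (EXPIRE, FAIL, ...) are ignored.
fw_dhcp_hook() {
    case "$1" in BOUND|RENEW|REBIND|REBOOT) ;; *) return 0 ;; esac
    if fw_ip_changed "$2" "$3"; then
        "$FIREWALL_SCRIPT" || return 1
    fi
    return 0
}

# Runs only when sourced by dhclient-script, which always sets $reason.
if [ -n "${reason:-}" ]; then
    fw_dhcp_hook "$reason" "${interface:-}" "${new_ip_address:-}"
fi
```
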

