Firewalling 90% complete & tested, questions about writing tone

Kelly and Jennifer Anderson kjanderson at comcast.net
Wed May 5 10:13:47 PDT 2004


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Dagmar d'Surreal wrote:
| On Thu, 2004-04-29 at 18:16, Kelly Anderson wrote:
|
|
|>It's not too hard to solve that problem.  Something along these lines
|>will take care of it.  Have your iptables script write the interface's
|>IP to /var/run/dhcpc/iptables-${IF_UNSECURE}.info.  This is part of a
|>script that I put in /etc/cron.hourly.  You can probably figure out how
|>you'd want to incorporate it in your stuff.
|
|
| This is one of the nearly unsolvable points I've got left over.  A tip:
| if you use ISC's dhclient, you have /etc/dhclient-exit-hooks that gets
| called every time something DHCP-related happens, so you don't have to
| put that code into a cron job.  Whatever you put into
| /etc/dhclient-exit-hooks will be able to know about it the moment the
| host's IP address changes.  If you're using a monolithic firewalling
| script this will work, but I've not been able to come up with an easy
| way to do the same thing for modular rulesets in anything remotely
| approaching an elegant fashion.

Sorry I didn't reply to this sooner, but I've got a lot of irons in the
fire.

I'm not using dhclient, but instead dhcpcd.  My approach works for
either client.

What part of your code would break if you simply rerun your firewall
script?  K.I.S.S. is ultimately elegant when applied to firewalls.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.3 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFAmSDLEjhXNjo4omcRAooXAJ4m1JS+8D0uWfOm2ETOfCBGuA0rFgCeJb+k
Aa9ENGH2p2CUM8c3Z1BLx+0=
=ztHZ
-----END PGP SIGNATURE-----
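The two approaches discussed above (Dagmar's dhclient-exit-hooks trigger and Kelly's "just rerun the whole script" answer, with the per-interface IP file from the cron.hourly script) combine naturally into one small hook. The following is an added example written for this page, not code posted by either author: a fragment suitable for /etc/dhclient-exit-hooks that re-runs a monolithic firewall script only when the lease event actually changes the address the rules were built from, and records that address in a state file so a cron job (or the next hook run) can tell whether anything moved. `$reason`, `$interface`, `$old_ip_address` and `$new_ip_address` are the variables ISC dhclient-script exports to the hook; the firewall script path, the state directory and the 192.0.2.x test addresses are assumptions.

```shell
#!/bin/sh
# Added example, not from the hlfs-dev thread.
# dhclient-script *sources* /etc/dhclient-exit-hooks, so this file must not
# call exit: that would kill dhclient-script itself.  Everything is kept in
# functions and the entry point at the bottom is guarded on $reason.

FIREWALL_SCRIPT="${FIREWALL_SCRIPT:-/etc/rc.d/rc.iptables}"   # assumed path
STATE_DIR="${STATE_DIR:-/var/run/dhcpc}"                       # assumed; mirrors /var/run/dhcpc from the thread

# firewall_needs_reload REASON OLD_IP NEW_IP
# Returns 0 (true) when rules that embed the interface address are now stale.
# REASON values are the ones dhclient-script passes to its hooks.
firewall_needs_reload() {
    reason="$1"; old="$2"; new="$3"
    case "$reason" in
        BOUND|REBOOT)
            # Fresh lease: the address is new as far as the firewall knows.
            return 0 ;;
        RENEW|REBIND)
            # Same lease renewed; rebuild only if the server moved us.
            [ "$old" != "$new" ] && return 0
            return 1 ;;
        EXPIRE|FAIL|RELEASE|STOP)
            # Address gone: rebuild so rules naming it do not linger.
            return 0 ;;
        *)
            # PREINIT, MEDIUM, ARPCHECK, TIMEOUT etc.: nothing changed yet.
            return 1 ;;
    esac
}

# record_ip IFACE IP
# Writes IP to $STATE_DIR/iptables-IFACE.info (the file the thread's cron
# script keeps) and prints "changed" or "unchanged" versus the previous run.
record_ip() {
    iface="$1"; ip="$2"
    mkdir -p "$STATE_DIR"
    f="$STATE_DIR/iptables-$iface.info"
    last=""
    [ -r "$f" ] && last=$(cat "$f")
    printf '%s\n' "$ip" > "$f"
    [ "$last" = "$ip" ] && echo unchanged || echo changed
}

# Entry point.  When sourced by dhclient-script $reason is set; when run by
# hand or by a cron job it is empty and nothing happens here.
if [ -n "$reason" ] && [ -n "$interface" ]; then
    if firewall_needs_reload "$reason" "$old_ip_address" "$new_ip_address"; then
        record_ip "$interface" "$new_ip_address" >/dev/null
        # K.I.S.S.: rerun the whole ruleset rather than patch rules in place.
        "$FIREWALL_SCRIPT"
    fi
fi
```

Because the hook is sourced into dhclient-script's shell, it should set no variables that script relies on and must never `exit`; keeping the work in functions and guarding the entry point is the habit that keeps the hook safe. A cron.hourly job can reuse `record_ip` to catch a change the hook missed (for example if dhclient was restarted with a different configuration) and rerun the firewall script when it prints "changed".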
