Firewalling 90% complete & tested, questions about writing tone

Kelly and Jennifer Anderson kjanderson at
Wed May 5 10:13:47 PDT 2004


Dagmar d'Surreal wrote:
| On Thu, 2004-04-29 at 18:16, Kelly Anderson wrote:
|>It's not too hard to solve that problem.  Something along these lines
|>will take care of it.  Have your iptables script write the interface's
|>IP to /var/run/dhcpc/iptables-${IF_UNSECURE}.info.  This is part of a
|>script that I put in /etc/cron.hourly.  You can probably figure out how
|>you'd want to incorporate it in your stuff.
| This is one of the nearly unsolvable points I've got left over.  A tip:
| if you use ISC's dhclient, you have /etc/dhclient-exit-hooks that gets
| called every time something DHCP-related happens, so you don't have to
| put that code into a cron job.  Whatever you put into
| /etc/dhclient-exit-hooks will be able to know about it the moment the
| host's IP address changes.  If you're using a monolithic firewalling
| script this will work, but I've not been able to come up with an easy
| way to do the same thing for modular rulesets in anything remotely
| approaching an elegant fashion.

Sorry I didn't reply to this sooner, but I've got a lot of irons in the

I'm not using dhclient, but instead dhcpcd.  My approach works for
either client.

What part of your code would break if you simply rerun your firewall
script?  K.I.S.S. is ultimately elegant when applied to firewalls.


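The technique the two posters are circling (record the DHCP-assigned address of the untrusted interface in a state file, and rerun the firewall script only when it has changed, whether the trigger is an hourly cron run or a dhclient exit hook) as a worked shell example. This is added here and is not Kelly's or Dagmar's script; the paths /var/run/dhcpc, /etc/rc.d/rc.firewall, the IF_UNSECURE variable name, and the use of iproute2's `ip` to read the address are assumptions for the example, not something the thread specifies.

```shell
#!/bin/sh
# Added example, not from the hlfs-dev thread: rerun the firewall script only
# when the DHCP-assigned address of the untrusted interface has changed.
# Usable both as an hourly cron job (pass the interface as $1) and sourced as
# /etc/dhclient-exit-hooks (dhclient sets $interface and $reason).
# Assumed, hypothetical locations: state under /var/run/dhcpc, firewall
# script at /etc/rc.d/rc.firewall; both can be overridden via the environment.

STATE_DIR="${STATE_DIR:-/var/run/dhcpc}"
FIREWALL_SCRIPT="${FIREWALL_SCRIPT:-/etc/rc.d/rc.firewall}"

# current_ip IFACE: print the first IPv4 address on IFACE, empty if none.
# Assumes iproute2's ip(8); prints nothing if it is missing or the interface
# has no address, which then counts as "address changed" to an empty value.
current_ip() {
    ip -4 -o addr show dev "$1" 2>/dev/null \
        | awk '{ sub(/\/.*/, "", $4); print $4; exit }'
}

# state_file IFACE: where the last address the firewall was built for lives.
state_file() {
    printf '%s/iptables-%s.info\n' "$STATE_DIR" "$1"
}

# ip_changed IFACE NEW_IP: succeed (0) if NEW_IP differs from the stored one.
# A missing state file (first run after boot) is treated as a change.
ip_changed() {
    f=$(state_file "$1")
    old=""
    [ -r "$f" ] && old=$(cat "$f")
    [ "$old" != "$2" ]
}

# refresh_firewall IFACE NEW_IP: rerun the firewall script if the address
# changed, then record the address. Returns 0 if the firewall was reloaded,
# 1 if nothing needed doing, 2 if the reload failed (state is left untouched
# so the next cron run or lease event retries it).
refresh_firewall() {
    iface=$1; newip=$2
    if ! ip_changed "$iface" "$newip"; then
        return 1
    fi
    if IF_UNSECURE="$iface" "$FIREWALL_SCRIPT"; then
        printf '%s\n' "$newip" > "$(state_file "$iface")"
        return 0
    fi
    return 2
}

# Entry point. From cron: "firewall-ip eth0". From dhclient the file is
# sourced with $interface set, and only lease events that can carry a new
# address are acted on. With neither present, nothing runs.
iface="${1:-${interface:-}}"
case "${reason:-BOUND}" in
    BOUND|RENEW|REBIND|REBOOT|TIMEOUT)
        if [ -n "$iface" ]; then
            refresh_firewall "$iface" "$(current_ip "$iface")" || true
        fi ;;
esac
```

Because the state is only written after the firewall script exits successfully, a half-applied ruleset does not get recorded as current; the next trigger simply tries again. Rerunning the whole script on a change is the K.I.S.S. option the reply argues for, and the same file serves both the cron and the dhclient paths, so there is no second copy of the logic to keep in sync.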