Howdy,
I've been upgrading to 2.9.8/2.0.36, and I finally decided to try out
Matthew Schalit's rc.pf script. I'd like to present to the developers
what I worked out before I post it to linuxrouter.org, to flush out any
errors. I decided to figure out how to allow for dhcp, rc.pf and
psentry to exist in harmony. This is my story...
dhclient calls dhclient-script with environment variables for every dhcp
thing you could want. Try this: in the dhclient-script BOUND section,
after gateway routing add:
printenv > /root/dhclient.env
and check the results to get all of the available variables.
Since dhclient-script is called when the IP address changes, it seems a
natural place to call rc.pf. So, in the BOUND and TIMEOUT sections,
right after the gateway routing, I put a simple
/etc/rc.pf start $new_dhcp_server_identifier $new_ip_address
This way, every time the server or client dhcp address changes, it will
get updated. Then, in rc.pf, I set
DHCP_C="$3"
DHCP_S="$2"
This lets you update the firewall while supplying the correct addresses
manually.
And of course
IPI="$DHCP_C"
As mentioned in previous posts, we need to be able to talk with the dhcp
server, so after the dns:
$E "Dhcp-1:"; $FW -O -a accept -W eth0 -P udp -S $IPX/32 68 -D 0/0 67 -o
$E "Dhcp-2:"; $FW -I -a accept -W eth0 -P udp -S $DHCP_S/24 67 -D $IPX/32 68 -o
NOTE: I used a /24 instead of /32 with DHCP_S since my server seems to
always stay on the same subnet but does occasionally change. This way,
when the PC goes to get a new address, it allows its old address and a
subnet of the server address. Then the call to rc.pf will reset the
firewall rules to the correct new values (hopefully).
I also realized, in paranoia, that if the IP address changes, portsentry
wouldn't have the correct ignore ip address for the external nic, so in
dhclient-script, after the rc.pf calls, I added:
/etc/init.d/psentry stop
rm /var/psentry/portsentry.ignore
/etc/init.d/psentry start
That forces psentry to make a new portsentry.ignore file.
Thanks for listening. Any thoughts or problems foreseen? Also, that
rc.pf is a great script, Matt - thank you for your work.
- Jon
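As an added example (not Jon's dhclient-script edits and not Matt's rc.pf), here is the argument plumbing from the post written as two sh functions that can be run on their own: dhcp_rules takes the server identifier and the leased client address the way rc.pf receives them as $2 and $3, checks that they are dotted quads, and emits the two DHCP rules; on_dhcp_event is the piece that would sit in the BOUND/RENEW/REBIND/TIMEOUT branches of dhclient-script and reads the variables dhclient exports ($reason, $new_ip_address, $new_dhcp_server_identifier). It assumes $FW is ipfwadm (the -O/-I/-a/-W/-P flags in the post match its syntax) and defaults FW to "echo ipfwadm" so running it only prints the rules; falling back to 0/0 for the server when dhclient gives no server identifier is my choice, not something the post specifies. The psentry restart is left out since it is a plain stop/rm/start sequence with nothing to compute.

```shell
#!/bin/sh
# Added example, not part of rc.pf or dhclient-script as shipped.
# FW defaults to a dry run; set FW=ipfwadm on the real router to install rules.
FW="${FW:-echo ipfwadm}"
EXT_IF="${EXT_IF:-eth0}"

# is_ipv4 ADDR: succeed only for a dotted quad with every octet in 0..255.
is_ipv4() {
    case "$1" in
        *[!0-9.]*|"") return 1 ;;
    esac
    old_ifs="$IFS"; IFS=.
    set -- $1                      # split on dots into positional params
    IFS="$old_ifs"
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        [ -n "$o" ] && [ "$o" -le 255 ] || return 1
    done
    return 0
}

# dhcp_rules SERVER CLIENT: the Dhcp-1/Dhcp-2 rules from the post, built from
# the values rc.pf gets on its command line (DHCP_S="$2", DHCP_C="$3").
dhcp_rules() {
    dhcp_s="$1"; dhcp_c="$2"
    if ! is_ipv4 "$dhcp_c"; then
        echo "dhcp_rules: bad client address '$dhcp_c'" >&2
        return 1
    fi
    # Assumption: if no usable server identifier was handed over (e.g. a
    # TIMEOUT with no server in the lease), accept replies from any server.
    if is_ipv4 "$dhcp_s"; then srv="$dhcp_s/24"; else srv="0/0"; fi
    # Client -> any server, sport 68 dport 67 (request/renew)
    $FW -O -a accept -W "$EXT_IF" -P udp -S "$dhcp_c/32" 68 -D 0/0 67 -o
    # Server subnet -> client, sport 67 dport 68 (offer/ack)
    $FW -I -a accept -W "$EXT_IF" -P udp -S "$srv" 67 -D "$dhcp_c/32" 68 -o
}

# on_dhcp_event: what the dhclient-script hook does. dhclient exports
# $reason, $new_ip_address and $new_dhcp_server_identifier before calling it.
on_dhcp_event() {
    case "${reason:-}" in
        BOUND|RENEW|REBIND|TIMEOUT) ;;
        *) return 0 ;;             # EXPIRE, FAIL, etc.: leave the rules alone
    esac
    [ -n "${new_ip_address:-}" ] || return 0
    dhcp_rules "${new_dhcp_server_identifier:-}" "$new_ip_address"
}

# Stand-alone demo: sh this-script.sh demo 192.0.2.1 192.0.2.55
if [ "${1:-}" = "demo" ]; then
    dhcp_rules "$2" "$3"
fi
```

In the real rc.pf the body of dhcp_rules is what sits after the DNS rules, with the address check in front of it so a garbage or empty $3 refuses to run rather than producing a rule with an empty -D.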
_______________________________________________
Leaf-devel mailing list
[EMAIL PROTECTED]
http://lists.sourceforge.net/lists/listinfo/leaf-devel