Variable NFS mounts / firewall rules.

2003-07-01 Thread lewiz
Hi,

  I have recently gotten around to setting up my laptop to play nicely
with dhclient (not as easy as it sounds).  I have a number of questions
I should like to ask.  I am going to provide a brief rundown of what I
would like to know, and more detail, for those interested.

1. Why does dhclient.conf ``ignore'' the media directive?
2. Can I have /different/ NFS mounts, depending on the IP address
   dhclient assigns to me?
3. Can I have /different/ firewall rules, depending on the IP address
   dhclient assigns to me?

  And now for the more thorough version:

Firstly, even though I specify ``media media 10base2/BNC'' in the
correct manner in the /etc/dhclient.conf file, why does dhclient fail to
switch the media to the BNC port?  I have been searching through the
dhclient-script file to no avail and the documentation is light on this
issue.  I have overcome the issue by putting ``/sbin/ifconfig ep0 media
10base2/BNC'' in /etc/start_if.ep0.

Secondly, having been playing with the ``new'' /etc/rc.d stuff in
5-RELEASE I have started to wonder how I might go about setting up a
nicely roaming laptop.
When I'm at home I am assigned a static IP by the DHCP server, which
serves as a way of determining my current location (although, if by
chance I were assigned the same address by another DHCP server, I would
run into troubles).  When at home I want to have certain NFS mounts
available to me (say, /usr/ports/distfiles and /usr/home.nfs).
When I am roaming and there is no assigned address, I have
/usr/home.ufs, which I want symlinked to /home to allow me to login.  I
synchronize /usr/home.ufs with the NFS home periodically.  I have a
local user account that I log on with whilst away from home.
Previously, I did this with a nasty hack in /etc/dhclient-exit-hooks (a
bit of grepping and gawking did the job to get the current IP, I
compared it to what I was expecting then mounted exports accordingly).
However, now that I have IPFIREWALL enabled this does not work, as the
firewall rules are loaded /after/ dhclient-exit-hooks are executed
(default to deny means there is no connectivity -- btw, how does
dhclient communicate?)  This led me to a second issue: while I am away,
I want much more stringent firewall rules (i.e. deny almost all, allow
me to establish out and allow DNS UDP requests).

My question is therefore: is it possible that I could write either a) a
new script to go in /etc/rc.d to perform different NFS mounting based on
my ``location'' (i.e. IP address -- unless anybody else can think of a
better, more robust way to do this (maybe some server checksum?)); or b)
modify an existing script (probably mountcritremote?) to include this
functionality.  Regardless of which method might be chosen: would I use
/etc/rc.conf to specify the options, or provide a custom configuration
file in /etc that the new script would use?
Furthermore, can the rc.firewall script be modified (or passed an
argument) that causes different firewall rules to be loaded depending on
my ``location'' (i.e. IP address, again)?

If anybody can provide any insight into this problem, preferably with an
idea of which files I might go modifying (please!) then I would do my
best to come up with some solution which might be of benefit to others
in a similar situation (if it exists).

  Sorry for such a bulky mail, I couldn't really find how else to cut it
down.  Many thanks!

-lewiz.

-- 
Welcome thy neighbor into thy fallout shelter.  He'll come in handy if
you run out of food.
-- Dean McLaughlin.

-| msn:[EMAIL PROTECTED] | jab:[EMAIL PROTECTED] | url:http://lewiz.net |-


pgp0.pgp
Description: PGP signature


Re: Variable NFS mounts / firewall rules.

2003-07-01 Thread Dan Pelleg
lewiz [EMAIL PROTECTED] writes:

 Hi,
 
   I have recently gotten around to setting up my laptop to play nicely
 with dhclient (not as easy as it sounds).  I have a number of questions
 I should like to ask.  I am going to provide a brief rundown of what I
 would like to know, and more detail, for those interested.
 
 1. Why does dhclient.conf ``ignore'' the media directive?
 2. Can I have /different/ NFS mounts, depending on the IP address
dhclient assigns to me?
 3. Can I have /different/ firewall rules, depending on the IP address
dhclient assigns to me?
 
[  ]

No complete solution, just a few ideas to look into:

1. http://www.freebsd-support.de/misc/setnetparm/
I've never had the chance to use it myself, but it might help.

2. Use the automounter to mount NFS volumes on-demand. This way you will
not have to worry about mounting until you actually need to access the
volume. See amd(8).

3. ipfw supports the "me" keyword, to flexibly refer to your currently
assigned IP address.

4. Just in case it might help you, here is my /etc/dhclient-exit-hooks:

# nothing to do unless we're bound
case "${reason}" in
BOUND | RENEW | REBIND | REBOOT )
    if [ -n "${new_domain_name_servers}" ]; then
        # act on first lease, or when the address changed
        if [ -z "${old_domain_name_servers}" ] || [ "x${old_ip_address}" != "x${new_ip_address}" ]; then
            [ -x /etc/refresh-named ] && /etc/refresh-named ${new_domain_name_servers}
            [ -x /etc/set-time ] && /etc/set-time
        fi
    fi
    ;;
esac

You should be able to restart your firewall and pass it an argument for
the ruleset in this way.

5. For more variables that are passed to dhclient-exit-hooks, see
dhclient-script(8).

6. You can further run ifconfig commands in /etc/start_if.<interface>
(for example /etc/start_if.fxp0 ).

-- 

  Dan Pelleg
___
[EMAIL PROTECTED] mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to [EMAIL PROTECTED]
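
As an added example (not Dan's script and not from the original thread), here is one way to combine the ideas above into a single /etc/dhclient-exit-hooks: classify the lease dhclient just obtained as "home" or "roaming", then load a matching ipfw ruleset (using the "me" keyword) and the matching NFS mounts or /home symlink, all from the hook rather than from /etc/rc.d. The subnet, DNS server, domain name, NFS server and mount points are assumptions for illustration. The caveat the original post already raises is worth stating plainly: everything in a DHCP lease is supplied by whatever answers on the wire, so a rogue DHCP server on a foreign network can reproduce the address, and just as easily the DNS server and domain name. Requiring several lease attributes to agree only raises the bar; the example therefore treats anything that does not match all of them as "roaming" and loads the strict ruleset, and the "server checksum" idea from the first post (verifying something the home server alone can prove, such as an SSH host key, before mounting) is the right next step.

```shell
#!/bin/sh
# Added example of /etc/dhclient-exit-hooks for a roaming laptop.
# dhclient-script(8) sources this file with $reason and the $new_* / $old_*
# lease variables already set.  All values below are assumptions, not from
# the thread.

HOME_NET="192.168.1"            # assumed home subnet (first three octets)
HOME_DNS="192.168.1.1"          # assumed DNS server handed out at home
HOME_DOMAIN="home.example"      # assumed domain-name option handed out at home
HOME_NFS_SERVER="192.168.1.2"   # assumed NFS server at home
IPFW="${IPFW:-/sbin/ipfw -q}"
MOUNT_NFS="${MOUNT_NFS:-/sbin/mount_nfs}"
DRYRUN="${DRYRUN:-}"            # non-empty: print commands instead of running them

run() {
    if [ -n "$DRYRUN" ]; then echo "+ $*"; else "$@"; fi
}

# classify_location ADDRESS "DNS SERVERS" DOMAIN -> prints "home" or "roaming".
# Every signal comes from the lease and is spoofable; all three must agree,
# and anything else falls through to "roaming" (the strict ruleset).
classify_location() {
    addr=$1; dns=$2; domain=$3
    case "$addr" in
        "$HOME_NET".*) ;;
        *) echo roaming; return 0 ;;
    esac
    case " $dns " in
        *" $HOME_DNS "*) ;;
        *) echo roaming; return 0 ;;
    esac
    [ "$domain" = "$HOME_DOMAIN" ] || { echo roaming; return 0; }
    echo home
}

# Roaming: deny almost everything; allow what we initiate, plus DNS and DHCP.
# "me" matches whatever address the interface holds right now (ipfw(8)).
load_roaming_rules() {
    run $IPFW -f flush
    run $IPFW add 100 allow ip from any to any via lo0
    run $IPFW add 200 check-state
    run $IPFW add 300 allow tcp from me to any out setup keep-state
    run $IPFW add 400 allow udp from me to any 53 out keep-state
    run $IPFW add 500 allow udp from any 68 to any 67 out    # DHCP renewals
    run $IPFW add 510 allow udp from any 67 to any 68 in
    run $IPFW add 65000 deny log ip from any to any
}

# Home: trust the home subnet, keep state for everything we start.
load_home_rules() {
    run $IPFW -f flush
    run $IPFW add 100 allow ip from any to any via lo0
    run $IPFW add 200 check-state
    run $IPFW add 300 allow ip from me to any out keep-state
    run $IPFW add 400 allow ip from "$HOME_NET.0/24" to me in
    run $IPFW add 65000 deny log ip from any to any
}

mount_home_nfs() {
    # A host-key or similar check against $HOME_NFS_SERVER belongs here before
    # trusting the server with /home (see lead-in); not implemented.
    run $MOUNT_NFS -o intr,soft "$HOME_NFS_SERVER:/usr/ports/distfiles" /usr/ports/distfiles
    run $MOUNT_NFS -o intr "$HOME_NFS_SERVER:/usr/home" /usr/home.nfs
    run ln -shf /usr/home.nfs /home
}

set_roaming_home() {
    run ln -shf /usr/home.ufs /home
}

apply_location() {
    case "$1" in
        home) load_home_rules; mount_home_nfs ;;
        *)    load_roaming_rules; set_roaming_home ;;
    esac
}

# Hook body.  $reason is empty outside dhclient, so sourcing this file by hand
# only defines the functions (e.g. DRYRUN=1 to see what would run).
case "${reason:-}" in
    BOUND|REBOOT|REBIND|RENEW)
        # a renewal of the same address should not flush and reload everything
        if [ "$reason" != "RENEW" ] || [ "$old_ip_address" != "$new_ip_address" ]; then
            apply_location "$(classify_location "$new_ip_address" \
                "$new_domain_name_servers" "$new_domain_name")"
        fi
        ;;
    EXPIRE|FAIL|RELEASE)
        apply_location roaming   # lost the lease: fail closed
        ;;
esac
```

Because dhclient-exit-hooks is sourced, not executed, a syntax error here breaks every lease; check it with `sh -n /etc/dhclient-exit-hooks` and try `DRYRUN=1 reason=BOUND new_ip_address=10.0.0.5 sh /etc/dhclient-exit-hooks` to see which commands a foreign lease would trigger before relying on it.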


Re: Variable NFS mounts / firewall rules.

2003-07-01 Thread lewiz
On Tue, Jul 01, 2003 at 08:45:54AM -0400, Dan Pelleg wrote:
 2. Use the automounter to mount NFS volumes on-demand. This way you will
 not have to worry about mounting until you actually need to access the
 volume. See amd(8).

That's a good idea I didn't think of :)  I messed with amd(8) once
before and ran into trouble.  I can see in this case it would be ideal,
and shall have a go at getting it to play nicely.

 3. ipfw supports the "me" keyword, to flexibly refer to your currently
 assigned IP address.

Yes, I had looked at this.  However, I was meaning trying to have a
solution where a different set of firewall rules would be started based
on the assigned IP address.

 4. Just in case it might help you, here is my /etc/dhclient-exit-hooks:
 
 # nothing to do unless we're bound
 case "${reason}" in
 BOUND | RENEW | REBIND | REBOOT )
     if [ -n "${new_domain_name_servers}" ]; then
         # act on first lease, or when the address changed
         if [ -z "${old_domain_name_servers}" ] || [ "x${old_ip_address}" != "x${new_ip_address}" ]; then
             [ -x /etc/refresh-named ] && /etc/refresh-named ${new_domain_name_servers}
             [ -x /etc/set-time ] && /etc/set-time
         fi
     fi
     ;;
 esac

Yeah, I think I can see that this might even be a good place to
start/stop (stop if required, I haven't read amd(8) yet) amd from.
Also, I can set my symlinks in case the reason is not one of yours
listed.

 6. You can further run ifconfig commands in /etc/start_if.<interface>
 (for example /etc/start_if.fxp0 ).

I use start_if.ep0 to set the media for my network card.  Does this get
re-sourced after dhclient has done its magic?  I was under the
assumption that it got executed /before/ dhclient, and would therefore
be of little use to set variables based on the output of dhclient... ?

  Many thanks!  You've given me some excellent ideas.  I'll tell you how
I fare.

-lewiz.

-- 
In the long run, every program becomes rococo, and then rubble.
-- Alan Perlis

-| msn:[EMAIL PROTECTED] | jab:[EMAIL PROTECTED] | url:http://lewiz.net |-




Re: Variable NFS mounts / firewall rules.

2003-07-01 Thread lewiz
On Tue, Jul 01, 2003 at 08:45:54AM -0400, Dan Pelleg wrote:
 1. http://www.freebsd-support.de/misc/setnetparm/
 I've never had the chance to use it myself, but it might help.

I've checked this out briefly and it's geared more towards static
setups, but I think DHCP can be configured to pretty much do everything
this does (assuming I have control over each and every DHCP server... :)

  Again, thanks very much,

-lewiz.

-- 
If you're not very clever you should be conciliatory.
-- Benjamin Disraeli

-| msn:[EMAIL PROTECTED] | jab:[EMAIL PROTECTED] | url:http://lewiz.net |-

