Kernel_Killer
January 13th, 2005, 15:37
So I finally got sick of updating the gateway constantly, and dealing with downtime. All that I could find in the way of letting PF run with dynamic IPs was to use ()'s around the IF on the NAT lines. It doesn't want to work on anything else, so I'm guessing that I shouldn't have any issues. Has anyone dealt with PF and Dynamic IPs?
Strog
January 13th, 2005, 22:54
I've been using the parentheses around my external interface for a while now and it works great. Everyone should use it unless they have a static IP on that interface.
I like the example on the pf user's guide:
nat on tl0 from dc0:network to any -> (tl0)
dc0:network reads what subnet is actually on the interface. It makes the NAT rule totally dynamic.
Kernel_Killer
January 14th, 2005, 02:14
Yeah, I set it that way, just wondering if I needed to re-write my other rules that use that macro. I guess not if it's working for you. Now I just need to finish the script to auto-update my isakmpd.conf, and I'll have a virtual-static IP.
elmore
January 14th, 2005, 10:01
Jacek's pf book has a whole chapter on dynamic firewalling. It's pretty good too, I might add.
Amicus
January 17th, 2005, 10:51
Jacek's pf book has a whole chapter on dynamic firewalling. It's pretty good too, I might add.
Second edition? I've got the first edition of his book and was thinking about getting the second.
In mine, it's Chapter 9 Dynamic Rulesets. He talks about using a cronscript for different firewall rules during different times of the day, which he says may or may not be useful.
Then he talks of (interface) notation and macro definition, and how you can use pfctl -D macro=value to set, for example, $ext_if to go from xl0 to xl2. This could be useful if a route goes down: use ping -I to test the route, and if 0 isn't returned, change the $ext_if macro to the working one:
pfctl -D ext_if=xl2
pfctl -D 'ext_address=192.168.25.34'
He next speaks of tables and making skeletal rulesets with anchors. He seems to present anchors as the way to go for changing things and not reloading the ruleset. nat-anchor, rdr-anchor, binat-anchor, anchor filterrules, etc.
I dunno if the second edition has any more information...
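The pfctl -D failover that Amicus sketches, written out as a small POSIX sh script; this is an added example, not code from the thread or from the book. The probe flags (ping -c 1 -w 3 -I iface; on OpenBSD -I takes a source address rather than an interface), the probe host, the state file and the pf.conf path are assumptions, each overridable from the environment.

```sh
#!/bin/sh
# Added example (not from the thread or the book): probe each candidate
# external interface with ping, then reload pf with the matching ext_if
# macro via `pfctl -D`. Probe flags, host and paths are assumptions.
PROBE_HOST="${PROBE_HOST:-192.0.2.1}"           # constructed target (TEST-NET-1)
PF_CONF="${PF_CONF:-/etc/pf.conf}"
STATE_FILE="${STATE_FILE:-/var/run/pf_ext_if}"  # last interface we loaded
PING_CMD="${PING_CMD:-ping}"                    # overridable for offline testing
PFCTL_CMD="${PFCTL_CMD:-pfctl}"

# probe_iface IFACE: succeed if one echo reply comes back via IFACE.
# -w 3 gives up after 3 s so a cron run cannot hang. On Linux -I takes an
# interface name; OpenBSD's ping -I wants a source address, adjust there.
probe_iface() {
    "$PING_CMD" -c 1 -w 3 -I "$1" "$PROBE_HOST" >/dev/null 2>&1
}

# pick_ext_if IFACE...: print the first candidate whose probe succeeds;
# print nothing and return 1 when none does.
pick_ext_if() {
    for iface in "$@"; do
        if probe_iface "$iface"; then
            printf '%s\n' "$iface"
            return 0
        fi
    done
    return 1
}

# reload_pf IFACE: re-parse pf.conf with $ext_if overridden on the command
# line. -D alone changes nothing; the ruleset must be loaded (-f) with it.
reload_pf() {
    "$PFCTL_CMD" -D "ext_if=$1" -f "$PF_CONF"
}

# pf_failover IFACE...: one check. Reload only when the chosen interface
# differs from the last run, and keep the current ruleset if none answers.
pf_failover() {
    chosen=$(pick_ext_if "$@") || { echo "no candidate reachable, keeping current ruleset" >&2; return 1; }
    previous=""
    [ -r "$STATE_FILE" ] && previous=$(cat "$STATE_FILE")
    if [ "$chosen" != "$previous" ]; then
        reload_pf "$chosen" && printf '%s\n' "$chosen" > "$STATE_FILE"
    fi
    printf '%s\n' "$chosen"
}

# From cron, e.g. every minute: PF_FAILOVER_RUN=1 sh pf_failover.sh xl0 xl2
if [ -n "$PF_FAILOVER_RUN" ]; then pf_failover "$@"; fi
```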