From: Tom E. <te...@sh...> - 2002-05-19 21:39:24
On Sun, 19 May 2002, John Andersen wrote:

> > On Sat, 18 May 2002, Tom Eastep wrote:
> >
> > Now notice that you could also add the address to the second rule above
> > and it would still work. Most people don't though because most people have
> > dynamic IP addresses. With a dynamic address, it is better to use DNS
> > tricks (like Bind 9 views) so that ftp.mydomain.dyndns.org resolves to
> > 192.168.2.2 from the local lan (and from the firewall). That way, the
> > first rule becomes a simple:
>
> On this last point, of the un-reliability of hard-coding a dhcp IP
> in the last column...
>
> That's a fairly sizeable problem for people with DMZs or who
> run some services on internal machines. The usual suggestion
> is to obtain a static ip. But failing that...
>
> As I understand it the shorewall syntax does not accept
> an interface name here (eth0) because you have to specify
> ip addresses to iptables, and you would have to fetch
> and insert the current IP(s) in place of the interface
> name. This would be good only till the IP changed.
>
> Is that a correct understanding?

Yes.

> If so, could not "shorewall refresh" be used to
> fetch that new IP, thereby allowing that command
> to be run from the dhcp-client hooks option?

No -- rule changes require a complete restart as opposed to a refresh.

As for the dhcp-client hooks thing -- went through that with Seawall and did
NOT want to get into it again with Shorewall. In my view, the ideal firewall
is one that you can start BEFORE you bring up your IP interfaces.

-Tom
-- 
Tom Eastep \ Shorewall - iptables made easy
AIM: tmeastep \ http://www.shorewall.net
ICQ: #60745924 \ te...@sh...
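The Bind 9 views arrangement Tom refers to, as an added example that is not part of the original thread: clients on the LAN (and the firewall itself) hit a view in which ftp.mydomain.dyndns.org resolves to the private address 192.168.2.2, while everyone else gets no private zone at all and the public name stays with the dynamic-DNS provider. The 192.168.2.0/24 range, the file names, the `fw` host and the SOA/NS values are assumptions for the example.

```conf
// named.conf excerpt (added example). Assumed: the LAN is 192.168.2.0/24
// and the firewall queries this server through 127.0.0.1.
acl "lan" {
    192.168.2.0/24;
    127.0.0.1;
};

options {
    directory "/var/named";
    // Only the LAN and the firewall may recurse through this server.
    allow-recursion { lan; };
};

// Views are matched in order, so the LAN view must come first.
view "internal" {
    match-clients { lan; };
    recursion yes;

    // Private copy of the zone. Because this view is authoritative for
    // the whole name, every public record must be repeated in the
    // private file or it becomes invisible from the LAN.
    zone "mydomain.dyndns.org" {
        type master;
        file "internal/db.mydomain.dyndns.org";
        allow-transfer { none; };
    };
};

// Everyone else: no private zone, no recursion. Outside lookups of
// ftp.mydomain.dyndns.org never reach this server's private data.
view "external" {
    match-clients { any; };
    recursion no;
};

// Assumed content of internal/db.mydomain.dyndns.org:
// $TTL 300
// @    IN SOA  fw.mydomain.dyndns.org. hostmaster.mydomain.dyndns.org. (
//                2002051901 3600 900 604800 300 )
//      IN NS   fw.mydomain.dyndns.org.
// fw   IN A    192.168.2.1
// ftp  IN A    192.168.2.2
```

After a reload, `dig @127.0.0.1 ftp.mydomain.dyndns.org` from the firewall or the LAN should return 192.168.2.2, so a Shorewall rule can name the host without carrying the current dynamic address.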