On Sat, 2001-12-08 at 02:18, [EMAIL PROTECTED] wrote:
> On Wed, Dec 05, 2001 at 12:48:13AM -0600, Jor-el wrote:
> > On Sat, 1 Dec 2001, David B Harris wrote:
> >
> > > On Sun, 2 Dec 2001 11:36:20 +1000,
> > > [EMAIL PROTECTED] wrote:
> > >
> > > SNAT would be. However, you better make sure that each time the IP
> > > address of your interface changes, your firewall script runs. You could
> > > do this in Debian by putting your firewall script in /etc/ppp/ip-up.d/.
> > > But also please keep in mind that your firewall rules should be put in
> > > place *before* any external interfaces are brought on-line.
> > >
> > Isn't this assuming that the internet connection uses ppp?
> > Cablemodem, for instance, doesn't use ppp at all - a fact that seems to
> > have escaped the maintainer of the dhcpcd package too. How would one solve
> > this problem in the case of cablemodem?
> >
> I understand that you are using dhclient from a subsequent post of
> yours.
>
> If you wanted to re-run part of your firewall to reconfigure for a
> change in IP address with a cable connection then you could look into
> the following:
>
> Firstly, I don't have a cable connection, but I did set one up on a
> friend's computer recently. I can't remember all the details now, but I
> do remember that dhclient provided some hooks for doing things when
> certain conditions were met. For example, it is possible with dhclient
> to check the new IP address assigned and compare this to the old one and
> only have the firewall script run if the new IP address has changed.
> This would mean that even if dhclient lost the connection and had to
> reconnect, it would rarely have to re-run the firewall script for a
> cable connection (where IP rarely changes).
>
> Sorry I can't remember the name of the file to put these config details
> in to do this stuff, but if you read the documentation with dhclient
> then you will figure it out.

Hey, I did :-)

>
> Anyway, I guess the point is, that you can do the same with dhclient,
> and in a more configurable way.

I actually just wrote a script to do this exact thing because I no
longer have a static cable modem IP. It's going to trigger in theory
sometime tomorrow night, so I can report back if it doesn't work
perfectly. I rewrite my ipchains rules when my external interface
changes IPs because I drop anything not coming or going from my
external IP for added security.

Dhclient has the dhclient-script (which I'm not sure if it runs by
default or if it explicitly needs to be mentioned in the config file,
I'll find out) which can call a script that you can make called
dhclient-exit-hooks (and enter-hooks if you want one to run
beforehand). This script inherits the environment of the
dhclient-script which includes things like $old_ip_address and
$new_ip_address as well as the $reason the script was called.

My exit hooks script cats a firewall rule set through SED to change my
REPLACEIP placeholder to the $new_ip_address which then goes to
ipchains-restore. I only run this if $old_ip_address !=
$new_ip_address. I also change my masquerade rules and update my
dyndns.org account when things change. If you are interested I can
post the actual script once I make sure it works.

--mike
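
The exit hook described in the message above, as an added example that is not mike's script or anything posted in this thread. It assumes a rule template at /etc/firewall/ipchains.template containing the REPLACEIP placeholder; that path and the function names are hypothetical. It also validates the server-supplied address before substituting it into the rule set.

```sh
#!/bin/sh
# dhclient-exit-hooks sketch. dhclient-script sources this file, so it
# must not call exit. Assumed: template path and all function names.
RULES_TEMPLATE="${RULES_TEMPLATE:-/etc/firewall/ipchains.template}"

# Succeed only for a well-formed dotted-quad IPv4 address.
valid_ipv4() {
    case "$1" in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;  # empty, stray chars, empty octet
    esac
    fw_rest="$1." fw_count=0
    while [ -n "$fw_rest" ]; do
        fw_octet=${fw_rest%%.*}; fw_rest=${fw_rest#*.}
        [ "${#fw_octet}" -le 3 ] && [ "$fw_octet" -le 255 ] || return 1
        fw_count=$((fw_count + 1))
    done
    [ "$fw_count" -eq 4 ]
}

# Print the template with REPLACEIP swapped for a validated address.
# The value comes from the DHCP server, so it is checked before it
# reaches sed or the rule loader.
render_rules() {    # $1 = template file, $2 = new address
    valid_ipv4 "$2" || { echo "refusing address: $2" >&2; return 1; }
    sed "s/REPLACEIP/$2/g" "$1"
}

# Reload only on a lease event that actually changed the address.
needs_reload() {    # $1 = reason, $2 = old address, $3 = new address
    case "$1" in
        BOUND|RENEW|REBIND|REBOOT) ;;
        *) return 1 ;;
    esac
    [ -n "$3" ] && [ "$2" != "$3" ]
}

if needs_reload "${reason:-}" "${old_ip_address:-}" "${new_ip_address:-}"; then
    # Render to a temp file first so a failed render never feeds a
    # partial rule set to ipchains-restore.
    fw_tmp=$(mktemp) &&
        render_rules "$RULES_TEMPLATE" "$new_ip_address" > "$fw_tmp" &&
        ipchains-restore < "$fw_tmp"
    rm -f "$fw_tmp"
fi
```

If the render or validation step fails, the previously loaded rules stay in place, which matches the earlier advice in the thread that rules should be up before the external interface is.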