
Re: Firewalling a DHCP client the Right Way (TM)



On 29 Mar 2002 12:24:37 +0900
Olaf Meeuwissen <olaf@epkowa.co.jp> wrote:

> Dear .debs,
> 
> I have a DHCP client that receives a lot of its networking information
> from our DHCP servers.  Things like routers, mail and name servers.  I
> would like to put an iptables based packet filtering firewall on this
> client that by default drops everything unless explicitly allowed.
> 
> I set the default policy through a script in /etc/network/if-pre-up.d/
> and add logging of everything that is dropped as a result of policy by
> means of a script in /etc/network/if-up.d/.  So far no problems.
> 
> Now I am wondering how to organise setting up the rest of the rules so
> I don't go nuts.  If it weren't for DHCP, I would have just added more
> scripts in /etc/network/if-up.d/.  Of course, you need to take care of
> their ordering and cater to the possibility of running more than once
> if you have multiple interfaces, but that is manageable.
> 
> However, how do I cater to DHCP telling me that the IP address of the
> name server has changed, for example, or, tux forbid, the client's own
> IP address.  Any ideas on how to go about this are welcome.
> 
> Debian GNU/Linux 3.0
> kernel 2.4.18 (custom), iptables 1.2.5-7, dhcp-client 2.0pl5-7
> -- 
> Olaf Meeuwissen                            Epson Kowa Corporation, CID
> GnuPG key: 6BE37D90/AB6B 0D1F 99E7 1BF5 EB97  976A 16C7 F27D 6BE3 7D90
> LPIC-2               -- I hack, therefore I am --                 BOFH
> 

I'm not sure if this is what you're looking for, but it might help.

You can use dhclient to re-run your iptables script after a DHCP release/renew cycle. So when your lease is up and your network parameters change, you renew your iptables rules to reflect the changes of your network.

Read the dhclient-script manual page for details :)

Here's a simple /etc/dhclient-exit-hooks script that works for me:

#!/bin/sh
# /etc/dhclient-exit-hooks is sourced by dhclient-script after it has
# applied the new lease, so $reason is already set when we get here.

logger -t dhclient-exit-hooks "Reason is $reason"

case "$reason" in
	RENEW|REBIND|BOUND)
		# Lease parameters may have changed: rebuild the ruleset.
		/etc/rc.d/init.d/iptables stop
		/etc/rc.d/init.d/iptables start
	;;
	RELEASE)
		# Address is gone; take the rules down with it.
		/etc/rc.d/init.d/iptables stop
	;;
esac

Stef
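The exit hook above answers Olaf's question, but two things are worth tightening for a default-DROP box. First, an init-script "stop" followed by "start" leaves a window in which the chains are flushed and whatever policy "stop" leaves behind is in force; iptables-restore replaces the whole table in one COMMIT, so there is no such gap. Second, the hook can build the rules directly from the lease values that dhclient-script exports, so the name-server and own-address rules always track the current lease. The script below is an added example, not Stef's or Olaf's code. It relies only on the variables dhclient-script(8) documents ($reason, $interface, $new_ip_address, $new_domain_name_servers); SSH_ADMIN_NET, the particular rule set, and the use of iptables-restore are assumptions for illustration. The DHCP rules are deliberate: ISC dhclient sends unicast renewals from an ordinary UDP socket, which a DROP policy on OUTPUT would silently swallow, while the initial broadcast exchange goes over a packet socket the filter does not see; allowing the replies on INPUT mainly keeps them out of the drop log.

```shell
# /etc/dhclient-exit-hooks  (sourced by dhclient-script, not executed)
#
# Provided by dhclient-script: $reason, $interface, $new_ip_address,
# $new_domain_name_servers.  Everything else here is an assumption made
# for this example.  Never call "exit" in this file: it would terminate
# dhclient-script itself.

# Hypothetical admin subnet allowed to ssh in; adjust for your site.
SSH_ADMIN_NET="${SSH_ADMIN_NET:-192.168.1.0/24}"

# Print a complete iptables-restore ruleset for the filter table, derived
# from the lease just installed.  Nothing is applied here; output only.
# With an empty address (lease expired or released) only the lease-
# independent rules are emitted, so a new lease can still be obtained.
build_ruleset() {
	ifc="$1"; addr="$2"; dns="$3"
	echo '*filter'
	echo ':INPUT DROP [0:0]'
	echo ':FORWARD DROP [0:0]'
	echo ':OUTPUT DROP [0:0]'
	# Loopback and replies to flows we already allowed
	echo '-A INPUT -i lo -j ACCEPT'
	echo '-A OUTPUT -o lo -j ACCEPT'
	echo '-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT'
	echo '-A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT'
	# DHCP itself, in both directions, independent of any address
	echo "-A INPUT -i $ifc -p udp --sport 67 --dport 68 -j ACCEPT"
	echo "-A OUTPUT -o $ifc -p udp --sport 68 --dport 67 -j ACCEPT"
	# One pair of rules per name server named in the lease (word-split
	# on purpose: dhclient-script passes a space-separated list)
	for ns in $dns; do
		echo "-A OUTPUT -o $ifc -s $addr -d $ns -p udp --dport 53 -m state --state NEW -j ACCEPT"
		echo "-A OUTPUT -o $ifc -s $addr -d $ns -p tcp --dport 53 -m state --state NEW -j ACCEPT"
	done
	# Admin ssh to this host's *current* address only
	if [ -n "$addr" ]; then
		echo "-A INPUT -i $ifc -s $SSH_ADMIN_NET -d $addr -p tcp --dport 22 -m state --state NEW -j ACCEPT"
	fi
	# Log whatever the DROP policy is about to eat
	echo '-A INPUT -j LOG --log-prefix INPUT-DROP:'
	echo '-A OUTPUT -j LOG --log-prefix OUTPUT-DROP:'
	echo 'COMMIT'
}

# Swap the live filter table in a single transaction.  iptables-restore
# commits the whole table at once, so there is no moment without rules.
apply_ruleset() {
	build_ruleset "$1" "$2" "$3" | iptables-restore
}

case "$reason" in
	BOUND|RENEW|REBIND|REBOOT)
		# New or renewed lease: rebuild from the new_* values.
		logger -t dhclient-exit-hooks "$reason: rules for $new_ip_address on $interface"
		apply_ruleset "$interface" "$new_ip_address" "$new_domain_name_servers"
	;;
	EXPIRE|FAIL|RELEASE)
		# No usable address: keep DROP, allow only loopback and DHCP.
		logger -t dhclient-exit-hooks "$reason: minimal rules on $interface"
		apply_ruleset "$interface" "" ""
	;;
	*)
		# MEDIUM, PREINIT, TIMEOUT: nothing to do with the rules yet.
	;;
esac
```

Running build_ruleset by hand (build_ruleset eth0 "$new_ip_address" "$new_domain_name_servers") shows exactly what will be loaded, which is a convenient way to review the generated policy before trusting it on a lease change.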

