Re: IP Chains fire up script
On Thu, Feb 01, 2001 at 03:49:22PM -0600, will trillich wrote:
...
> <dhcp-ignoramus>from what i've seen posted hither and yon, you
> can just add
>
> iface eth0 inet dhcp
>
> and you're off to the races.</ignoramus>
>
> would that do?
No :) This only brings up your interface with IP address etc. set up via DHCP.
You'll have to use the up and down fields to start up the firewall, like:
    iface eth0 inet dhcp
        pre-up /sbin/ipchains -I input -j DENY -i eth1 && \
               /sbin/ipchains -I input -j ACCEPT -i eth1 \
                   -s 0/0 67 -d 0/0 68 -p udp
        up sleep 10 && \
           /sbin/ipchains -D input -j ACCEPT -i eth1 \
               -s 0/0 67 -d 0/0 68 -p udp >/dev/null 2>&1 && \
           /etc/dhcpc/dhcpcd-eth1.exe || true
        post-down [ -e /usr/sbin/ipmasq ] && /usr/sbin/ipmasq || true
        post-down /sbin/ipchains -D input -j ACCEPT -i eth1 \
                  -s 0/0 67 -d 0/0 68 -p udp >/dev/null 2>&1 || true
        post-down /sbin/ipchains -D input -j DENY -i eth1 >/dev/null 2>&1 \
                  || true
The pre-up line will allow DHCP traffic to go over eth0.
The up line removes it, but starts up the firewall script.
The post-down commands remove the effects of the firewall script and
put up a restrictive fence just in case.
I've added a delay in the up line, because I've set up dhcpcd to call
the firewall script (/etc/dhcpc/dhcpcd-eth1.exe) every time it thinks
the IP numbers change. Sometimes at startup it thinks it does, sometimes
it thinks it doesn't, but I have to make sure it *is* started, and twice
at the same time goes wrong, hence the delay.
carel
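The bring-up sequence from carel's stanza, written up as a single hook script. This is an added example, not code from the original mail: the interface name, the ipchains path and the firewall script path are placeholders copied from the mail, and the "sleep 10" is replaced by an atomic lock directory so that ifup and dhcpcd's own hook cannot start the firewall script twice at once. When ipchains is not installed the rule commands are echoed instead of executed, so the script can be read through on any host.

```shell
#!/bin/sh
# Added example (not carel's code): the same bring-up sequence as the
# interfaces stanza above, as one hook script. The "sleep 10" workaround is
# replaced by a lock directory so ifup and dhcpcd's own hook cannot start
# the firewall script twice at once. Assumptions: the interface, ipchains
# and firewall script paths are placeholders taken from the mail; when
# ipchains is not installed the rule commands are echoed instead (dry-run).
IF="${IF:-eth1}"
IPCHAINS="${IPCHAINS:-/sbin/ipchains}"
FIRESCRIPT="${FIRESCRIPT:-/etc/dhcpc/dhcpcd-eth1.exe}"
LOCK="${LOCK:-/var/lock/firewall-$IF.lock}"

# Run an ipchains command, or echo it when ipchains is unavailable.
run_chain() {
    if [ -x "$IPCHAINS" ]; then "$IPCHAINS" "$@"; else echo "ipchains $*"; fi
}

# DHCP replies arrive from the server's UDP port 67 to the client's port 68.
dhcp_rule() {  # $1 is -I (insert) or -D (delete)
    run_chain "$1" input -j ACCEPT -i "$IF" -p udp -s 0/0 67 -d 0/0 68
}

# Serialise the firewall script: mkdir is atomic, so only one caller wins.
start_firewall() {
    if ! mkdir "$LOCK" 2>/dev/null; then
        echo "firewall script already running, skipping"
        return 0
    fi
    if [ -x "$FIRESCRIPT" ]; then "$FIRESCRIPT"; else echo "run $FIRESCRIPT"; fi
    rmdir "$LOCK"
}

pre_up() {    # fence off the interface, then let only DHCP replies in
    run_chain -I input -j DENY -i "$IF"
    dhcp_rule -I
}
up_hook() {   # lease obtained: close the DHCP hole, load the real rule set
    dhcp_rule -D >/dev/null 2>&1 || true
    start_firewall
}
post_down() { # remove both bootstrap rules again
    dhcp_rule -D >/dev/null 2>&1 || true
    run_chain -D input -j DENY -i "$IF" >/dev/null 2>&1 || true
}

case "${1:-}" in
    pre-up) pre_up ;;  up) up_hook ;;  post-down) post_down ;;  "") : ;;
    *) echo "usage: $0 pre-up|up|post-down" >&2; exit 2 ;;
esac
```

Install it somewhere like /etc/network/fw-hook (assumed path) and point the stanza's pre-up, up and post-down fields at it with the matching argument; dhcpcd's own hook can then also call `start_firewall` via the script without racing ifup.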