Re: IP Chains fire up script



On Thu, Feb 01, 2001 at 03:49:22PM -0600, will trillich wrote:
...
> <dhcp-ignoramus>from what i've seen posted hither and yon, you
> can just add
> 
> 	iface eth0 inet dhcp
> 
> and you're off to the races.</ignoramus>
> 
> would that do?

No :) This only brings up your interface with IP etc. set up via DHCP.
You'll have to use the up and down fields to start up the firewall, like:

iface eth0 inet dhcp
# pre-up: deny everything on the interface, then insert an ACCEPT above it
# for the DHCP exchange only (UDP, server port 67 -> client port 68)
        pre-up          /sbin/ipchains -I input -j DENY -i eth1 && \
                        /sbin/ipchains -I input -j ACCEPT -i eth1 \
                                        -s 0/0 67 -d 0/0 68 -p udp
# up: give dhcpcd time, close the DHCP hole again, then start the firewall script
        up              sleep 10 && \
                        /sbin/ipchains -D input -j ACCEPT -i eth1 \
                            -s 0/0 67 -d 0/0 68 -p udp >/dev/null 2>&1 && \
                        /etc/dhcpc/dhcpcd-eth1.exe || true
# post-down: reset the rules via ipmasq if installed, then remove both of ours
        post-down       [ -e /usr/sbin/ipmasq ] && /usr/sbin/ipmasq || true
        post-down       /sbin/ipchains -D input -j ACCEPT -i eth1 \
                            -s 0/0 67 -d 0/0 68 -p udp >/dev/null 2>&1 || true
        post-down       /sbin/ipchains -D input -j DENY -i eth1 >/dev/null 2>&1 \
                        || true

The pre-up line will allow DHCP traffic to go over eth0.
The up line removes it, but starts up the firewall script.
The post-down commands remove the effects of the firewall script and
put up a restrictive fence just in case.

I've added a delay in the up line because I've set up dhcpcd to call
the firewall script (/etc/dhcpc/dhcpcd-eth1.exe) every time it thinks
the IP numbers change. Sometimes at startup it thinks they do, sometimes
it thinks they don't, but I have to make sure it *is* started, and running
it twice at the same time goes wrong, hence the delay.


carel

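The pre-up / up / post-down steps from carel's interfaces stanza, written out as a
small shell script so the same rules can be driven from one place. This is an added
example, not code from carel's post or from the dhcpcd or ipmasq packages. It assumes
the interface name is passed as a parameter, that the firewall script path and lock
directory are configurable (the defaults below are assumptions), and that when
/sbin/ipchains is not executable the commands are printed instead of run so the
script can be exercised on a machine without ipchains. The mkdir-based lock is a
substitute for the "sleep 10" guess: a second caller arriving while the firewall
script is still running (for example dhcpcd's hook racing the up line) returns
without starting it a second time.

```shell
#!/bin/sh
# Added example: ipchains DHCP window plus a lock around the firewall script.
# IPCHAINS, FIREWALL and LOCKDIR defaults are assumptions, not from the post.
IPCHAINS=${IPCHAINS:-/sbin/ipchains}
FIREWALL=${FIREWALL:-/etc/dhcpc/dhcpcd-eth1.exe}
LOCKDIR=${LOCKDIR:-/var/run/dhcp-firewall.lock}

# Run an ipchains command, or print it (dry run) when ipchains is not installed.
ipc() {
    if [ -x "$IPCHAINS" ]; then
        "$IPCHAINS" "$@"
    else
        echo "ipchains $*"
    fi
}

# pre-up: DENY everything on the interface, then punch a hole for the DHCP
# exchange (UDP, server port 67 -> client port 68). Order matters: -I puts
# each rule at the top, so the ACCEPT inserted second ends up above the DENY.
dhcp_window_open() {
    ipc -I input -j DENY -i "$1" &&
    ipc -I input -j ACCEPT -i "$1" -s 0/0 67 -d 0/0 68 -p udp
}

# up: close the DHCP hole again once the lease has been obtained.
dhcp_window_close() {
    ipc -D input -j ACCEPT -i "$1" -s 0/0 67 -d 0/0 68 -p udp
}

# post-down: remove both rules so nothing of ours is left behind.
dhcp_window_teardown() {
    dhcp_window_close "$1"
    ipc -D input -j DENY -i "$1"
}

# Run a command under an atomic mkdir lock. If another caller already holds
# the lock the command is skipped and 75 is returned, so the firewall script
# can never be started twice at the same time.
run_locked() {
    lock=$1; shift
    if mkdir "$lock" 2>/dev/null; then
        "$@" && rc=0 || rc=$?
        rmdir "$lock"
        return $rc
    fi
    return 75
}

# Dispatcher so the script can be called from /etc/network/interfaces, e.g.
#   pre-up    /usr/local/sbin/dhcp-firewall pre-up eth1
#   up        /usr/local/sbin/dhcp-firewall up eth1
#   post-down /usr/local/sbin/dhcp-firewall post-down eth1
case "${1-}" in
    pre-up)    dhcp_window_open "$2" ;;
    up)        dhcp_window_close "$2"; run_locked "$LOCKDIR" "$FIREWALL" ;;
    post-down) dhcp_window_teardown "$2" ;;
    *)         ;;
esac
```

Pointing dhcpcd's own hook at the same script with the same LOCKDIR gives both
callers one lock, so whichever of them runs first starts the firewall and the
other simply returns 75; a sequential second run after the first has finished
is still allowed, which is what the "make sure it *is* started" requirement
needs.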