> -----Original Message-----
> From: Aaron Axelsen
> Sent: Friday, November 15, 2002 3:08 PM
> Subject: [Shorewall-users] DHCP
>
>
> First, I would like to thank Tom for this awesome firewall,
> and offering a very high level of support, for a piece of
> product that is free.
>
> I have a DHCP server running on the same linux box as shorewall.
> By default, I have my policies set up to reject all lan access
> to the internet. How would I get a list of IPs that have been
> assigned by the dhcp server? Then the trick is to write a script
> that will run every time a new ip is assigned. Any ideas or
> thoughts are welcome ... Thanks!
I took a slightly different approach...
Define "known" and "unknown" DHCP scopes. Hosts that are known get an IP
address within a range allowed internet access by shorewall. Hosts that are
unknown get an IP address within a range not allowed internet access. Ex:
Given the following LAN: 192.168.9.0/24
192.168.9.0/25 - grant access
192.168.9.128/25 - do not allow access
...and the corresponding dhcpd.conf entry.
#############################################
# Network: 192.168.9.0/24, Excluded range 1-24
# Note: Firewall is configured to not grant
# access to internet for unknown dhcp clients,
# i.e. ones that do not have a host entry below.
# 192.168.9.0/25   = Grant Internet Access
# 192.168.9.128/25 = No Internet Access
##############################################
subnet 192.168.9.0 netmask 255.255.255.0 {
  option subnet-mask 255.255.255.0;
  option broadcast-address 192.168.9.255;
  option routers 192.168.9.1;

  # Unknown clients get their address from
  # this pool. Lease time: 1 hour
  pool {
    range 192.168.9.129 192.168.9.254;
    min-lease-time 1800;      # 30 min
    default-lease-time 3600;  # 1 hour
    max-lease-time 7200;      # 2 hours
    allow unknown-clients;
  }

  # Known clients get their address from
  # this pool. Lease time: inherit global
  pool {
    range 192.168.9.25 192.168.9.126;
    deny unknown-clients;
  }
}

######################################################
# HOSTS: Dynamic assignments. Assign all "known hosts"
# below. Without an entry here, a dynamically assigned
# IP address will come from the "unknown host" pool
# defined above, i.e. no internet access will be
# allowed. Global/subnet options can be included
# to override any option specified above.
######################################################
host reliant { hardware ethernet 00:e0:98:73:36:74; }
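To answer the original question (which addresses has dhcpd actually handed out?) in terms of the known/unknown pool split above, here is an added example that is not from the post or from the Shorewall project. It parses the dhcpd.leases database ISC dhcpd maintains, keeps the most recent record for each address, drops released and expired leases, and reports which of the two pools each address sits in. The leases text embedded in it is constructed for the example, the pool boundaries are the ones from the posted dhcpd.conf, and SAMPLE_NOW is an assumed, fixed evaluation time so the 2002-dated sample still shows live leases.

```python
"""Added example (not from the original post): list the addresses ISC dhcpd
has handed out and say which pool from the posted dhcpd.conf each is in.

dhcpd appends a record to its leases database (dhcpd.leases(5)) every time a
lease changes, so the last record for an address is the current one. Times
in that file are UTC. The sample leases text below is constructed.
"""
import re
import sys
from datetime import datetime, timezone
from ipaddress import ip_address, ip_network

# Pool boundaries taken from the dhcpd.conf in the post above.
KNOWN_POOL = ip_network("192.168.9.0/25")      # known hosts: internet allowed
UNKNOWN_POOL = ip_network("192.168.9.128/25")  # unknown hosts: no internet

TIME_FMT = "%Y/%m/%d %H:%M:%S"
# One "lease <ip> { ... }" record; dhcpd writes these without nested braces.
LEASE_RE = re.compile(r"lease\s+(\S+)\s*\{(.*?)\}", re.S)

# Constructed sample in the format dhcpd writes to dhcpd.leases (weekday
# 5 = Friday, 6 = Saturday; dhcpd counts Sunday as 0).
SAMPLE_LEASES = """\
# The format of this file is documented in the dhcpd.leases(5) manual page.
lease 192.168.9.130 {
  ends 5 2002/11/15 21:08:00;
  binding state active;
  hardware ethernet 00:0c:29:11:22:33;
  client-hostname "visitor";
}
lease 192.168.9.25 {
  ends 6 2002/11/16 07:00:00;
  binding state active;
  hardware ethernet 00:e0:98:73:36:74;
  client-hostname "reliant";
}
lease 192.168.9.131 {
  ends 5 2002/11/15 19:00:00;
  binding state active;
  hardware ethernet 00:0c:29:44:55:66;
}
lease 192.168.9.140 {
  ends 5 2002/11/15 21:15:00;
  binding state active;
  hardware ethernet 00:0c:29:77:88:99;
  client-hostname "guest-pc";
}
lease 192.168.9.130 {
  ends 5 2002/11/15 21:08:00;
  binding state free;
  hardware ethernet 00:0c:29:11:22:33;
}
"""
# Assumed evaluation instant for the sample (the sample file is dated 2002).
SAMPLE_NOW = datetime(2002, 11, 15, 20, 30, tzinfo=timezone.utc)


def parse_leases(text):
    """Map each address to the fields of its most recent lease record."""
    leases = {}
    for m in LEASE_RE.finditer(text):
        ip, body = m.group(1), m.group(2)
        fields = {}
        for line in body.splitlines():
            line = line.strip().rstrip(";")
            if line and not line.startswith("#"):
                key, _, value = line.partition(" ")
                fields[key] = value          # e.g. "binding" -> "state active"
        leases[ip] = fields                  # a later record supersedes earlier
    return leases


def pool_of(ip):
    """Name the pool an address belongs to, per the /25 split in the post."""
    addr = ip_address(ip)
    if addr in KNOWN_POOL:
        return "known (internet allowed)"
    if addr in UNKNOWN_POOL:
        return "unknown (no internet)"
    return "outside both pools"


def active_leases(text, now):
    """Addresses assigned at `now`: not released, not abandoned, not expired."""
    rows = []
    for ip, f in parse_leases(text).items():
        # dhcpd 3 writes "binding state"; dhcpd 2 files lack it, so only a
        # record that explicitly says something other than active is skipped.
        if f.get("binding", "state active") != "state active":
            continue
        if "abandoned" in f:                 # dhcpd 2 marks bad leases this way
            continue
        ends = f.get("ends", "never")
        if ends != "never":                  # "ends <weekday> <date> <time>"
            expiry = datetime.strptime(ends.split(" ", 1)[1], TIME_FMT)
            if expiry.replace(tzinfo=timezone.utc) <= now:
                continue
        rows.append({
            "ip": ip,
            "mac": f.get("hardware", "ethernet ?").split(" ", 1)[1],
            "hostname": f.get("client-hostname", "").strip('"'),
            "pool": pool_of(ip),
        })
    return sorted(rows, key=lambda r: ip_address(r["ip"]))


def sample_report():
    """The constructed sample evaluated at SAMPLE_NOW."""
    return active_leases(SAMPLE_LEASES, SAMPLE_NOW)


if __name__ == "__main__":
    # With a path argument, read a real dhcpd.leases at the current time;
    # without one, report on the constructed sample.
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as fh:
            rows = active_leases(fh.read(), datetime.now(timezone.utc))
    else:
        rows = sample_report()
    for r in rows:
        print(f"{r['ip']:<16} {r['mac']:<18} {r['hostname']:<12} {r['pool']}")
```

Run it with the path to the server's dhcpd.leases to see the live picture. One limit of the scheme is worth keeping in mind: pool selection keys on the client's MAC address, so a host that configures a static address inside 192.168.9.0/25, or presents a known host's MAC, lands in the allowed range without dhcpd being involved at all. The address split is a convenience for sorting cooperating clients; the firewall rules on the gateway remain the only real enforcement.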