How do I configure my DHCP client to restart Shorewall when it obtains a new IP address?

Blake
Blake:

With dhcpcd, it will call a script from the same directory called dhcpcd-ethX.exe, X = client interface. Make or edit that file so that it contains /sbin/shorewall/restart

Not too sure about the other DHCP clients.

Jerry Vonau

-----Original Message-----
From: Parker Blake MIS [SMTP:bparker@alacare.com]
Sent: Tuesday, January 21, 2003 08:24 AM
To: Shorewall Users List
Subject: [Shorewall-users] DHCP Question

How do I configure my DHCP client to restart Shorewall when it obtains a new IP address?

Blake
Hi Blake

At 08:23 21/01/03 -0600, Parker Blake MIS wrote:
> How do I configure my DHCP client to restart Shorewall when it obtains a
> new IP address?

I suppose it must depend on which dhcp client you choose to use, but with dhclient, you can do this by putting the required shorewall command(s) (probably just "shorewall restart") in the /etc/dhclient-exit-hooks script.

cheers

Julian
--
jc@ljchurch.co.uk
www.ljchurch.co.uk
--On Tuesday, January 21, 2003 2:58 PM +0000 Julian Church <jc@ljchurch.co.uk> wrote:

> Hi Blake
>
> At 08:23 21/01/03 -0600, Parker Blake MIS wrote:
>> How do I configure my DHCP client to restart Shorewall when it obtains a
>> new IP address?
>
> I suppose it must depend on which dhcp client you choose to use, but with
> dhclient, you can do this by putting the required shorewall command(s)
> (probably just "shorewall restart") in the /etc/dhclient-exit-hooks
> script.
>

There is some old documentation at http://seawall.sf.net/dhclient.html about how to do this with Seawall. Very similar for Shorewall.

-Tom
--
Tom Eastep \ Shorewall - iptables made easy
AIM: teastep \ http://www.shorewall.net
ICQ: #60745924 \ teastep@shorewall.net
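The dhclient approach described in this thread, as an added example that is not part of the original messages: a fragment for /etc/dhclient-exit-hooks that runs "shorewall restart" only when the external interface actually received a different address, rather than on every lease renewal. The function name and the EXT_IF default of eth0 are assumptions; $reason, $interface, $old_ip_address and $new_ip_address are the variables dhclient-script sets.

```shell
# Fragment for /etc/dhclient-exit-hooks. The file is sourced by
# dhclient-script, so it must not call "exit".
EXT_IF="${EXT_IF:-eth0}"   # assumption: name of the external (net) interface

# Succeed only when the firewall should be restarted.
# $1=reason  $2=interface  $3=old address  $4=new address
needs_firewall_restart() {
    # Ignore leases on interfaces other than the external one.
    [ "$2" = "$EXT_IF" ] || return 1
    # Only these reasons mean a lease was obtained or refreshed.
    case "$1" in
        BOUND|RENEW|REBIND|REBOOT) ;;
        *) return 1 ;;
    esac
    # No new address, nothing to do.
    [ -n "$4" ] || return 1
    # Same address as before (a plain renewal): leave the firewall alone.
    [ "$3" != "$4" ]
}

if needs_firewall_restart "${reason:-}" "${interface:-}" \
        "${old_ip_address:-}" "${new_ip_address:-}"; then
    logger -t dhclient-exit-hooks \
        "address on $interface is now $new_ip_address, restarting shorewall"
    shorewall restart
fi
```
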
Colin Viebrock
2003-Feb-23 15:52 UTC
[Shorewall-users] DNAT to DHCP address on local network
This is the line I'd like to add to my rules file:

DNAT net local:jibber tcp 6022

The plan being that the firewall will masquerade connections to the host "jibber" on the local network. Shorewall complains that I need to specify an IP address for "jibber", however "jibber" gets its IP from DHCP.

I'm running a local DNS forwarder (dnsmasq), so "host jibber" returns a valid IP address. Just seems that Shorewall can't handle this.

Can I do what I want, without having to specify a static IP for the DNAT-ed host?

- Colin
--On Sunday, February 23, 2003 06:51:55 PM -0500 Colin Viebrock <colin@easyDNS.com> wrote:

> This is the line I'd like to add to my rules file:
>
> DNAT net local:jibber tcp 6022
>
> The plan being that the firewall will masquerade connections to the host
> "jibber" on the local network. Shorewall complains that I need to
> specify an IP address for "jibber", however "jibber" gets its IP from
> DHCP.
>
> I'm running a local DNS forwarder (dnsmasq), so "host jibber" returns a
> valid IP address. Just seems that Shorewall can't handle this.
>
> Can I do what I want, without having to specify a static IP for the
> DNAT-ed host?
>

No you cannot -- that's an iptables/Netfilter restriction as explained in the Shorewall documentation.

-Tom
--
Tom Eastep \ Shorewall - iptables made easy
Shoreline, \ http://www.shorewall.net
Washington USA \ teastep@shorewall.net
Colin Viebrock
2003-Feb-24 08:57 UTC
[Shorewall-users] DNAT to DHCP address on local network
>> Can I do what I want, without having to specify a static IP for the
>> DNAT-ed host?
>
> No you cannot -- that's an iptables/Netfilter restriction as explained in
> the Shorewall documentation.

Oops. I missed that info when looking for an answer.

I suppose, if I really needed this functionality, I could change my startup scripts to:

a) launch the DHCP server
b) launch the dnsmasq server
c) do a host lookup on "jibber" to get the IP address
d) run a sed script or something to write the shorewall rules file
e) fire up shorewall

Although, setting that box to a static IP would probably be easier in the long run. :)

Thanks!

- Colin
--On Monday, February 24, 2003 11:57:03 AM -0500 Colin Viebrock <colin@easydns.com> wrote:

>>> Can I do what I want, without having to specify a static IP for the
>>> DNAT-ed host?
>>
>> No you cannot -- that's an iptables/Netfilter restriction as explained
>> in the Shorewall documentation.
>
> Oops. I missed that info when looking for an answer.
>
> I suppose, if I really needed this functionality, I could change my
> startup scripts to:
>
> a) launch the DHCP server
> b) launch the dnsmasq server
> c) do a host lookup on "jibber" to get the IP address
> d) run a sed script or something to write the shorewall rules file
> e) fire up shorewall

a) In /etc/shorewall/params, look up host "jibber" and set the variable JIBBER to its IP address.
b) In /etc/shorewall/rules, use $JIBBER.

>
> Although, setting that box to a static IP would probably be easier in
> the long run. :)
>

True.

-Tom
--
Tom Eastep \ Shorewall - iptables made easy
Shoreline, \ http://www.shorewall.net
Washington USA \ teastep@shorewall.net
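One way to write the /etc/shorewall/params lookup suggested above, as an added example that is not part of the original thread: it resolves "jibber" with the host command and accepts the answer only if it is a well-formed IPv4 address, so nothing else a resolver returns can end up in the DNAT rule. The helper names are hypothetical, and the sketch assumes params is read as a shell file and that host prints lines of the form "NAME has address ADDR".

```shell
# Fragment for /etc/shorewall/params (added example; helper names are
# hypothetical). "jibber" is the DHCP-addressed host from the thread.

# Print the first IPv4 address found in `host` output read from stdin.
first_address() {
    awk '/ has address / { print $NF; exit }'
}

# Succeed only for a dotted quad whose four octets are all 0-255.
is_ipv4() {
    # Reject empty input and anything containing characters other
    # than digits and dots (spaces, newlines, shell metacharacters).
    case "$1" in ''|*[!0-9.]*) return 1 ;; esac
    printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    for octet in $(printf '%s' "$1" | tr '.' ' '); do
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Resolve a name; print its address only if it validates.
lookup_ipv4() {
    addr=$(host -W 2 "$1" 2>/dev/null | first_address)
    is_ipv4 "$addr" && printf '%s\n' "$addr"
}

# If the lookup fails, say so and leave JIBBER empty rather than
# passing an unchecked string on to the rules file.
JIBBER=$(lookup_ipv4 jibber) || {
    echo "params: no valid IPv4 address for jibber, JIBBER left empty" >&2
    JIBBER=
}
```

The rules entry then becomes "DNAT net local:$JIBBER tcp 6022". The address is resolved once, when Shorewall starts, so the rule goes stale if jibber's lease changes and stays that way until Shorewall is restarted.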