From roderick@magog.student.utwente.nl  Mon Aug  2 16:14:21 2004
Return-Path: <roderick@magog.student.utwente.nl>
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP id 2F1ED16A4CE
	for <FreeBSD-gnats-submit@freebsd.org>; Mon,  2 Aug 2004 16:14:21 +0000 (GMT)
Received: from magog.student.utwente.nl (magog.student.utwente.nl [130.89.162.206])
	by mx1.FreeBSD.org (Postfix) with ESMTP id 8CF7B43D62
	for <FreeBSD-gnats-submit@freebsd.org>; Mon,  2 Aug 2004 16:14:20 +0000 (GMT)
	(envelope-from roderick@magog.student.utwente.nl)
Received: from magog.student.utwente.nl (localhost [127.0.0.1])
	by magog.student.utwente.nl (8.13.1/8.13.1) with ESMTP id i72GEJCB066674
	for <FreeBSD-gnats-submit@freebsd.org>; Mon, 2 Aug 2004 18:14:19 +0200 (CEST)
	(envelope-from roderick@magog.student.utwente.nl)
Received: (from roderick@localhost)
	by magog.student.utwente.nl (8.13.1/8.13.1/Submit) id i72GEIQI066673;
	Mon, 2 Aug 2004 18:14:18 +0200 (CEST)
	(envelope-from roderick)
Message-Id: <200408021614.i72GEIQI066673@magog.student.utwente.nl>
Date: Mon, 2 Aug 2004 18:14:18 +0200 (CEST)
From: Roderick van Domburg <r.s.a.vandomburg@student.utwente.nl>
To: FreeBSD-gnats-submit@freebsd.org
Subject: [patch] Revamp rc.firewall to transparently support both DHCP and static configuration
X-Send-Pr-Version: 3.113
X-GNATS-Notify:

>Number:         69911
>Category:       conf
>Synopsis:       [patch] Revamp rc.firewall to transparently support both DHCP and static configuration
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    freebsd-bugs
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          change-request
>Submitter-Id:   current-users
>Arrival-Date:   Mon Aug 02 16:20:34 GMT 2004
>Closed-Date:    Wed Aug 04 06:22:37 GMT 2004
>Last-Modified:  Wed Aug 04 06:22:37 GMT 2004
>Originator:     Roderick van Domburg
>Release:        FreeBSD 5.2-CURRENT sparc64
>Organization:
University of Twente
>Environment:
System: FreeBSD magog.student.utwente.nl 5.2-CURRENT FreeBSD 5.2-CURRENT #0: Mon Aug 2 06:16:33 CEST 2004 roderick@magog.student.utwente.nl:/usr/obj/usr/src/sys/MAGOG sparc64


	
>Description:
In the past, firewall support in DHCP environments has been lacking.
Manually editing rc.firewall upon every new networking configuration
is a hassle that keeps many users busy. Such users include roaming
laptop users as well as desktops in enterprise DHCP environments.

Additionally, many DHCP users are unsure which rules to use to
securely allow DHCP traffic.
	
>How-To-Repeat:
	
>Fix:
The attached patch is completely transparent in both DHCP and static
environments. Besides supporting roaming configurations, it has also
become easier to configure because it only needs the name of the
interface instead of the IP address, netmask and network. This has
the additional advantage that there is no need to edit both
/etc/rc.conf _and_ /etc/rc.firewall when a static network
configuration changes.

Roaming users only need to create a simple /etc/dhclient-exit-hooks
to reload the firewall when necessary, like so:

#!/bin/sh
# Sourced by dhclient-script(8) after every lease event; the old_*/new_*
# variables hold the lease parameters before and after that event.
# Reload the firewall only when something the rules depend on changed.
if [ "${new_ip_address}" != "${old_ip_address}" ] ||
   [ "${new_broadcast_address}" != "${old_broadcast_address}" ] ||
   [ "${new_subnet_mask}" != "${old_subnet_mask}" ]; then
  ( /etc/rc.d/ipfw restart )
fi
	

--- rc.firewall-dhcp.patch begins here ---
--- rc.firewall.old	Mon Aug  2 17:30:42 2004
+++ rc.firewall	Mon Aug  2 17:30:19 2004
@@ -150,10 +150,13 @@
 	# against people from outside your own network.
 	############
 
-	# set these to your network and netmask and ip
-	net="192.0.2.0"
-	mask="255.255.255.0"
-	ip="192.0.2.1"
+	# set this to your interface...
+	_if="hme0"
+
+	# ... and these will be set up automatically
+	ip=`ifconfig $_if | grep "inet " | awk '{print $2}'`
+	mask=`ifconfig $_if | grep "inet " | awk '{print $4}'`
+	net=`ifconfig $_if | grep "inet " | awk '{print $6}'`
 
 	setup_loopback
 
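Review bot: the three `ifconfig $_if | grep "inet " | awk` pipelines pick fragile fields. On FreeBSD's `inet` line field 4 is the netmask in hex (`0xffffff00`) and field 6 is the broadcast address, so `net` is not the network the later `to ${net}` rule expects; an interface carrying several inet aliases makes each variable a multi-line value; and an interface dhclient has not yet configured has no `inet` line at all, so `ip` ends up empty rather than `0.0.0.0`, and the `${fwcmd} add pass ... from ${ip}` rules that follow fail to parse. Consider computing the network from the address and mask, taking only the first `inet` line, and treating an empty `ip` as the not-yet-configured case.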
@@ -181,6 +184,24 @@
 
 	# Allow NTP queries out in the world
 	${fwcmd} add pass udp from ${ip} to any 123 keep-state
+
+	# If using DHCP, allow DHCP queries out in the world
+	# see if this interface is configured through DHCP
+	eval _test_if="\$ifconfig_${_if}"
+	case ${_test_if} in
+	[Dd][Hh][Cc][Pp])
+		if [ "$ip" = "0.0.0.0" ]; then
+			# Network is initializing
+			${fwcmd} add pass udp from ${ip} to any 67 keep-state
+			${fwcmd} add pass udp from any to ${net} 68 keep-state
+		else
+			# Network already is configured. Allow queries "any" queries
+			# because the DHCP server may have moved.
+			${fwcmd} add pass udp from ${ip} to any 67 keep-state
+			${fwcmd} add pass udp from any to ${ip} 68 keep-state
+		fi
+		;;
+	esac
 
 	# Everything else is denied by default, unless the
 	# IPFIREWALL_DEFAULT_TO_ACCEPT option is set in your kernel
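Review bot: the `case ${_test_if} in` pattern `[Dd][Hh][Cc][Pp]` only matches when `ifconfig_hme0` is exactly `DHCP`; a value that combines the keyword with other options falls through and no DHCP rule is installed. In the initializing branch, the reply rule `from any to ${net} 68` names `net` without a mask (the follow-up message corrects it to `${net}:${mask}`), and it still would not cover a DHCPOFFER broadcast to 255.255.255.255, which is how the exchange proceeds while the host has no address; `keep-state` on the `from ${ip}` rule does not help there either, since the reply is not addressed back to 0.0.0.0. The first rule in both branches is identical and could be hoisted out of the `if`, and the comment `Allow queries "any" queries` has a stray word.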
--- rc.firewall-dhcp.patch ends here ---
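As an added illustration, not code from this PR or from FreeBSD's rc.firewall, the following POSIX sh shows how the address, mask and network the patch wants can be derived from ifconfig(8) text while handling the cases its grep/awk pipeline does not: the hex netmask ifconfig prints, the broadcast address sitting in field 6, several inet aliases on one interface, and an interface that has no inet line yet. The two ifconfig outputs are constructed sample text for hme0 (the interface name used in the patch), and the function names (dotted_to_int, firewall_addrs, net_spec, dhcp_rules) are this example's own. The rules are emitted as text for the caller to hand to ${fwcmd}; nothing here runs ipfw.

```shell
#!/bin/sh
# Added example; not code from PR conf/69911 or from FreeBSD's rc.firewall.
# Derives ip, mask and net for ipfw rules from ifconfig(8) text and handles
# what the patch's `grep "inet " | awk` pipeline does not:
#   - ifconfig prints the netmask in hex (0xffffff00) while the rule form
#     ${net}:${mask} wants a dotted mask;
#   - field 6 of the inet line is the broadcast address, not the network;
#   - an interface with several inet aliases yields several inet lines;
#   - an interface dhclient has not configured yet has no inet line, so
#     "$ip" is empty rather than the "0.0.0.0" the patch tests for.
# The two ifconfig outputs below are constructed sample text for hme0.

SAMPLE_UP='hme0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
	inet6 fe80::a00:20ff:feaa:bbcc%hme0 prefixlen 64 scopeid 0x1
	inet 192.0.2.17 netmask 0xffffff00 broadcast 192.0.2.255
	inet 192.0.2.18 netmask 0xffffffff broadcast 192.0.2.18
	ether 08:00:20:aa:bb:cc'

SAMPLE_NOADDR='hme0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
	ether 08:00:20:aa:bb:cc'

# Dotted quad -> unsigned 32-bit integer (no IFS games, no awk numerics).
dotted_to_int() {
	_a=${1%%.*}; _r=${1#*.}
	_b=${_r%%.*}; _r=${_r#*.}
	_c=${_r%%.*}; _d=${_r#*.}
	echo $(( (_a << 24) | (_b << 16) | (_c << 8) | _d ))
}

# Unsigned 32-bit integer -> dotted quad.
int_to_dotted() {
	echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

# Netmask as ifconfig prints it (hex 0x... or already dotted) -> dotted quad.
mask_to_dotted() {
	case $1 in
	0x*) int_to_dotted $(( $1 )) ;;
	*)   echo "$1" ;;
	esac
}

# Print "ip mask net" for the first inet address in the given ifconfig text,
# with the mask dotted and net computed as ip AND mask. Prints nothing when
# the interface has no IPv4 address yet.
firewall_addrs() {
	_line=$(printf '%s\n' "$1" | awk '$1 == "inet" { print $2, $4; exit }')
	[ -n "$_line" ] || return 0
	set -- $_line
	_mask=$(mask_to_dotted "$2")
	_net=$(int_to_dotted $(( $(dotted_to_int "$1") & $(dotted_to_int "$_mask") )))
	echo "$1 $_mask $_net"
}

# The ${net}:${mask} operand the follow-up message says the rule needs.
net_spec() {
	set -- $(firewall_addrs "$1")
	if [ -n "$3" ]; then
		echo "$3:$2"
	fi
}

# Emit the DHCP pass rules as text for the caller to hand to ${fwcmd}.
dhcp_rules() {
	set -- $(firewall_addrs "$1")
	if [ -z "$1" ]; then
		# No lease yet (RFC 2131): DISCOVER goes from 0.0.0.0 to
		# 255.255.255.255 and the OFFER comes back broadcast or unicast to
		# the offered address, so the reply cannot be tied to ${net}.
		echo "add pass udp from 0.0.0.0 68 to 255.255.255.255 67"
		echo "add pass udp from any 67 to any 68"
	else
		# Lease held: renewals are unicast from our address; leave the
		# server side open because the DHCP server may have moved.
		echo "add pass udp from $1 68 to any 67 keep-state"
		echo "add pass udp from any 67 to $1 68"
	fi
}

# Stand-alone run: show what rc.firewall would get in both states.
demo() {
	echo "configured: $(firewall_addrs "$SAMPLE_UP") -> $(net_spec "$SAMPLE_UP")"
	dhcp_rules "$SAMPLE_UP"
	echo "unconfigured:"
	dhcp_rules "$SAMPLE_NOADDR"
}
demo
```

The network is computed from the first inet line only, so aliases do not produce multi-line variables, and an interface without an address yields an empty result that the caller can branch on instead of comparing against "0.0.0.0".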


>Release-Note:
>Audit-Trail:

From: Roderick van Domburg <r.s.a.vandomburg@student.utwente.nl>
To: freebsd-gnats-submit@FreeBSD.org
Cc:  
Subject: Re: conf/69911: [patch] Revamp rc.firewall to transparently support
 both DHCP and static configuration
Date: Mon, 02 Aug 2004 18:28:20 +0200

 I once again managed to upload the wrong, older patch. This one has two 
 typos. "any to ${net}" should be "any to ${net}:${mask}" and in the 
 comment underneath, there's one "queries" too many.
 
 Duly sorry.
 
State-Changed-From-To: open->closed 
State-Changed-By: linimon 
State-Changed-When: Wed Aug 4 06:22:01 GMT 2004 
State-Changed-Why:  
Closed at submitter's request (will be reworked and resubmitted). 

http://www.freebsd.org/cgi/query-pr.cgi?pr=69911 
>Unformatted:
