Dynamic firewall rules

The situation:
Limit certain services to my IP only. Except my IP is my ISP IP and not guaranteed. However I have dyndns.

My conceptual solution:
If service is accessed, run script to find out IP of my dyndns host, and allow that IP only, blocking all other IPs.

My problem:
Not a clue how to do this

Would prefer:
Websites with solutions/best practices rather than step-by-step instructions which teach me very little.

The FreeBSD handbook is nice in explaining the basics of IPFW but that's it. This isn't all that basic it would seem.
 
v0idnull said:
The situation:
Limit certain services to my IP only. Except my IP is my ISP IP and not guaranteed. However I have dyndns.

My conceptual solution:
If service is accessed, run script to find out IP of my dyndns host, and allow that IP only, blocking all other IPs.

Too complex. I would go for something that filters connections by the network interface they arrive on, or I would use the special 'me' keyword of ipfw, i.e.:

Code:
    # The ruleset is a shell script; ${fwcmd} is the ipfw binary, as in /etc/rc.firewall.
    fwcmd="/sbin/ipfw"

    # Allow packets for which a state has been built.
    ${fwcmd} add check-state

    # For services permitted below.
    ${fwcmd} add pass tcp  from me to any established

    # Allow any connection out, adding state for each.
    ${fwcmd} add pass tcp  from me to any setup keep-state
    ${fwcmd} add pass udp  from me to any       keep-state
    ${fwcmd} add pass icmp from me to any       keep-state

    # allow everything from localhost->localhost
    ${fwcmd} add pass all from 127.0.0.1/32 to 127.0.0.1/32 via lo0

    # allow everything from internal network machines
    ${fwcmd} add pass all from 192.168.1.0/24 to 192.168.1.0/24 via re0

    # ==================================================================

    # allow ssh connections from everyone else
    ${fwcmd} add pass tcp from any to me 22 via re0 setup keep-state

    # allow connections to the local web server
    ${fwcmd} add pass tcp from any to me 80 via re0 setup keep-state

    # ==================================================================

    # block everything else
    ${fwcmd} add deny ip from any to any
Note that there is no explicit IP address in the re0 rules that allow SSH (port 22) and HTTP (port 80) connections.
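For readers who still want the original poster's idea (SSH reachable only from whatever address the DynDNS name currently points to), here is an added example; it is not code from this thread or from the FreeBSD handbook. It keeps an ipfw lookup table in step with the resolved address, so the ruleset above needs one rule that refers to the table instead of to a fixed address, e.g. `${fwcmd} add pass tcp from 'table(1)' to me 22 via re0 setup keep-state`. The table number, the hostname `myhost.dyndns.example`, the state file path and the use of drill(1) are all assumptions and can be overridden through the environment. The script validates the answer before it ever reaches ipfw and keeps the old entry when the lookup fails, so a DNS hiccup cannot lock the admin out.

```shell
#!/bin/sh
# Added example, not code from the thread: keep an ipfw lookup table in sync
# with the IPv4 address a DynDNS hostname currently resolves to. Run it from
# cron (or at boot) as:  sh dyndns-allow.sh sync
#
# Assumed (hypothetical) ruleset hook: one rule refers to the table instead of
# to a fixed address, e.g.
#   ${fwcmd} add pass tcp from 'table(1)' to me 22 via re0 setup keep-state
# Table number, hostname, state file and the ipfw binary are all assumptions
# and can be overridden through the environment.

FWCMD="${FWCMD:-/sbin/ipfw}"
TABLE="${TABLE:-1}"
DYNHOST="${DYNHOST:-myhost.dyndns.example}"     # hypothetical DynDNS name
STATEFILE="${STATEFILE:-/var/db/dyndns-allow.ip}"

# Accept only a dotted quad with every octet 0-255. Anything else (empty
# answer, IPv6, shell metacharacters from a hostile resolver) is rejected so
# it can never be passed to ipfw.
valid_ipv4() {
    printf '%s\n' "$1" | awk -F. '
        NF == 4 {
            for (i = 1; i <= 4; i++)
                if ($i !~ /^[0-9]+$/ || $i > 255) exit 1
            exit 0
        }
        { exit 1 }'
}

# Resolve the first A record. Assumes drill(1) from FreeBSD base; with
# dns/bind-tools installed, "host -t A" parsed for "has address" works too.
resolve_ipv4() {
    drill "$1" A 2>/dev/null |
        awk 'NF == 5 && $1 !~ /^;/ && $3 == "IN" && $4 == "A" { print $5; exit }'
}

# Compare the fresh answer with the last address applied and swap the table
# entry: add the new one first, only then delete the old one, so there is no
# window in which the table is empty. On a failed or junk lookup the old entry
# is left in place (return 1) rather than locking the admin out.
sync_table() {
    new="$(resolve_ipv4 "$1")"
    if ! valid_ipv4 "$new"; then
        echo "lookup of $1 failed or returned junk ('$new'); keeping old entry" >&2
        return 1
    fi
    old=""
    [ -r "$STATEFILE" ] && old="$(cat "$STATEFILE")"
    [ "$new" = "$old" ] && return 0            # nothing changed
    "$FWCMD" table "$TABLE" add "$new" || return 1
    [ -n "$old" ] && "$FWCMD" table "$TABLE" delete "$old"
    printf '%s\n' "$new" > "$STATEFILE"
    return 0
}

# Only act when explicitly asked, so the file can also be sourced for testing.
if [ "${1:-}" = "sync" ]; then
    sync_table "$DYNHOST"
fi
```

Polling from cron every few minutes is deliberately simpler than the "run a script when the service is accessed" idea: the address changes rarely, and triggering a lookup on every inbound connection would let any stranger on the Internet drive DNS queries against the firewall host. The same table can hold several addresses (home and office, for instance) if you keep one state file per hostname.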
 