On Tue, 5 Aug 2008 20:34:09 -0600 Duncan Patton a Campbell <[EMAIL PROTECTED]> wrote:
> Howdy List?
>
> As some of you may have gathered from previous posts, I have been
> working on a pf configuration that will allow a gateway firewall
> machine to talk to two or more ISP services and allow for the
> differential routing of data connections from client's services
> both behind the firewall and on it (e.g. a TOR, HTTP server or other proxy).
>
> An additional complexity is introduced in that most prospective
> users of such a configuration are small to medium businesses that
> engage only DHCP services from ISPs. This means the IP address,
> default route and name servers associated with a particular service
> provider can (and do) change over the period the firewall gate
> is up for; moreover, the lease times granted can change from time
> to time. Also, nameservers for most ISPs are configured to only
> answer queries from the ISP's subnet(s), and the standard
> dhclient-script does not accommodate this.
>
> In order to make such a configuration work, I introduce some hacks
> into the dhclient-script such that when the dhclient processes
> associated with a particular interface are triggered to renew
> a lease, a piece of prolog code is called that touches the following
> configs:
>
> file                  data mod
>
> /etc/pf.conf          gatewayIP
> /etc/resolv.conf      nameservers (for default route)
> /etc/dhclient.conf    nameservers (for dhclient routes)

This should NOT state dhclient.conf. It is, in fact, dhcpd.conf that is
modified with the nameservers for dhclients on the internal net.

Dhu

> [routetable]          default route for firewall
>
> To do this, I create a directory, /etc/pf, containing the following files:
>
> file                  purpose
>
> dhclient-script       dhclient-script modified to call replall from the
>                       add_new_routes() subroutine, and stub
>                       add_new_resolv_conf() as resolv.conf must
>                       only reference nameservers for the default
>                       route; slink'd to /sbin/dhclient-script.
> dhcpd.cnf.[interface] one for each internal interface
>                       to provision dhcpd services
> droute.IF             define the firewall's default route interface
> pf.cnf                template pf ruleset into which the specific
>                       interface gateways are inserted (replall looks
>                       for lines beginning with ext_gw_{IFN} ).
> replall               slink to compiled gprolog code hooked from
>                       dhclient-script that does the various
>                       manipulations.
> gplg/Makefile         make for gprolog code
> gplg/dlib.pl          prolog support code -- dlib==duncan's lib;)
> gplg/replall          gprolog executable
> gplg/replall.pl       gprolog source
>
>
> A completed working instance of this scheme can be found at:
>
> http://neotext.ca/RefR/pf.dhcp/
>
> It has been tested on a machine with 1 static and 1 DHCP gateway as
> well as on a machine with 2 DHCP gateways.
>
> And yes, I know that most of you will think I'm daft to use prolog for
> a task that could be done in sh/perl/python. It's really just a matter
> of what you are most comfortable with... if a good reason comes up I might
> recode it in C.
>
> Dhu
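The two hooks the post describes (rewriting the ext_gw_{IFN} lines of the pf template on lease renewal, and writing resolv.conf only for the interface named in droute.IF), as an added sh example that is not the poster's prolog replall nor anything from neotext.ca. The template convention and the droute.IF file come from the post; the file names, the dotted-quad gateway check, and the sample data are assumptions made here.

```sh
#!/bin/sh
# Added example, not the poster's replall: a shell equivalent of the hooks
# called from dhclient-script's add_new_routes() with the interface name,
# new router and new nameservers that dhclient has in hand at renewal time.

# Rewrite every template line that begins with ext_gw_<IFN> to the new gateway.
# Usage: render_pf_conf TEMPLATE OUTPUT IFNAME GATEWAY
render_pf_conf() {
    tmpl=$1 out=$2 ifn=$3 gw=$4
    # Only a dotted quad may reach the ruleset: a broken or hostile DHCP
    # offer must not be able to splice arbitrary text into pf.conf.
    case $gw in
        *[!0-9.]*|'') echo "render_pf_conf: rejecting gateway '$gw'" >&2; return 1 ;;
    esac
    awk -v ifn="$ifn" -v gw="$gw" '
        $0 ~ "^ext_gw_" ifn "[ \t=]" { print "ext_gw_" ifn " = \"" gw "\""; next }
        { print }' "$tmpl" > "$out.tmp" && mv "$out.tmp" "$out"
}

# resolv.conf may only list the default-route ISP's servers (the other ISP's
# servers refuse queries from foreign subnets), so only the interface named
# in droute.IF is allowed to write it.
# Usage: write_resolv_conf DROUTEFILE IFNAME "NS1 NS2 ..." OUTPUT
write_resolv_conf() {
    droute=$1 ifn=$2 servers=$3 out=$4
    [ "$(cat "$droute")" = "$ifn" ] || return 0   # not the default route: leave it alone
    for ns in $servers; do printf 'nameserver %s\n' "$ns"; done > "$out.tmp" && mv "$out.tmp" "$out"
}

# Constructed sample data standing in for /etc/pf/pf.cnf and droute.IF.
demo() {
    d=$(mktemp -d) || return 1
    printf '%s\n' 'ext_if0 = "em0"' 'ext_gw_em0 = "0.0.0.0"' 'ext_gw_em1 = "0.0.0.0"' \
        'pass out on $ext_if0 route-to ($ext_if0 $ext_gw_em0)' > "$d/pf.cnf"
    echo em0 > "$d/droute.IF"
    render_pf_conf "$d/pf.cnf" "$d/pf.conf" em0 203.0.113.1 || return 1
    grep -qx 'ext_gw_em0 = "203.0.113.1"' "$d/pf.conf" || return 1
    grep -qx 'ext_gw_em1 = "0.0.0.0"' "$d/pf.conf" || return 1      # other ISP untouched
    ! render_pf_conf "$d/pf.cnf" "$d/pf.conf" em1 '198.51.100.1 x' 2>/dev/null || return 1
    write_resolv_conf "$d/droute.IF" em1 '198.51.100.53' "$d/resolv.conf" || return 1
    [ ! -e "$d/resolv.conf" ] || return 1                            # em1 is not the default route
    write_resolv_conf "$d/droute.IF" em0 '203.0.113.53 203.0.113.54' "$d/resolv.conf" || return 1
    [ "$(grep -c nameserver "$d/resolv.conf")" -eq 2 ] || return 1
    rm -rf "$d"
}
```

Running `demo` exercises both hooks against the constructed template and returns 0 only if every check passes.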