# Dynamic firewall rules



## v0idnull (Dec 3, 2008)

The situation:
Limit certain services to my IP only. Except my IP is my ISP IP and not guaranteed. However I have dyndns.

My conceptual solution:
If service is accessed, run script to find out IP of my dyndns host, and allow that IP only, blocking all other IPs.

My problem:
Not a clue how to do this

Would prefer:
Websites with solutions/best practices rather than step-by-step instructions which teach me very little.

The FreeBSD handbook is nice in explaining the basics of IPFW but that's it. This isn't all that basic it would seem.
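The approach described above, worked through as an added example (this is not code from either poster): a small sh script that resolves the dyndns name with host(1), validates the answer, and keeps an ipfw lookup table in sync with it. The ruleset then never has to be rewritten; a single rule such as `ipfw add 500 allow tcp from 'table(1)' to me 22 setup keep-state` placed before the final deny does the filtering. The hostname `example.dyndns.org`, table number 1 and that rule number are placeholders I chose; the script assumes FreeBSD's base-system host(1) and ipfw(8) with table support, and is meant to run from root's crontab every few minutes rather than "when the service is accessed" (a packet the firewall drops cannot trigger anything).

```shell
#!/bin/sh
# dynfw.sh: keep ipfw lookup table $TABLE in sync with a dyndns host's address.
# Added example for this thread, not from the original posters. Assumptions:
#   - the ruleset references the table, e.g.
#       ipfw add 500 allow tcp from 'table(1)' to me 22 setup keep-state
#   - host(1) and ipfw(8) from the FreeBSD base system are available
#   - run as root from cron: */5 * * * * /usr/local/sbin/dynfw.sh example.dyndns.org
# "example.dyndns.org", table 1 and rule 500 are placeholders.

TABLE=${TABLE:-1}

# Extract the first IPv4 address from host(1) output ("name has address A.B.C.D").
# Takes the text as $1 so it can be exercised offline on constructed input.
parse_host_output() {
    printf '%s\n' "$1" | awk '/ has address / { print $NF; exit }'
}

# Accept only a dotted quad with octets 0-255; rejects empty or garbage output
# so a failed lookup can never be turned into a bogus table entry.
valid_ipv4() {
    printf '%s\n' "$1" | awk -F. '
        NF != 4 { exit 1 }
        { for (i = 1; i <= 4; i++) if ($i !~ /^[0-9]+$/ || $i > 255) exit 1 }'
}

# Given the table's current entries ($1, one "addr/prefix" per line) and the
# wanted address ($2), print the ipfw table operations needed, one per line:
# "delete OLD/32" for stale entries and "add NEW/32" if the new one is missing.
# Prints nothing when the table is already correct, so cron runs stay quiet.
plan_changes() {
    current=$1
    wanted=$2
    found=0
    for entry in $current; do
        if [ "$entry" = "$wanted/32" ]; then
            found=1
        else
            echo "delete $entry"
        fi
    done
    [ "$found" -eq 1 ] || echo "add $wanted/32"
}

# Resolve the name and apply the plan. On a resolution failure the table is
# left as it is: the previous address stays allowed rather than locking
# the admin out because DNS hiccupped.
sync_table() {
    name=$1
    ip=$(parse_host_output "$(host -t A "$name" 2>&1)")
    if ! valid_ipv4 "$ip"; then
        echo "dynfw: could not resolve $name; table $TABLE left unchanged" >&2
        return 1
    fi
    # `ipfw table N list` prints "addr/prefix value"; keep only the address.
    current=$(ipfw table "$TABLE" list | awk '{ print $1 }')
    plan_changes "$current" "$ip" | while read -r op entry; do
        ipfw table "$TABLE" "$op" "$entry"
    done
}

# Only act when a hostname is given and ipfw exists, so the file can also be
# sourced for testing. Usage: sh dynfw.sh example.dyndns.org
if [ -n "$1" ] && command -v ipfw >/dev/null 2>&1; then
    sync_table "$1"
fi
```

Two design points worth noting. Existing SSH sessions survive an address change because the `keep-state` rule already created their dynamic state; only new connections are checked against the table. And the script deliberately fails "open towards the old address" rather than flushing the table when DNS fails: with a final `deny ip from any to any` rule, an empty table would mean no remote admin access at all until the next successful run.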


----------



## keramida@ (Dec 3, 2008)

v0idnull said:

> The situation:
> Limit certain services to my IP only. Except my IP is my ISP IP and not guaranteed. However I have dyndns.
>
> My conceptual solution:
> If service is accessed, run script to find out IP of my dyndns host, and allow that IP only, blocking all other IPs.

Too complex.  I would go for something that filters connections by the _network interface_ they arrive on, or I would use the special 'me' keyword of ipfw, i.e.:


```
# Allow packets for which a state has been built.
ipfw add check-state

# For services permitted below.
ipfw add pass tcp  from me to any established

# Allow any connection out, adding state for each.
ipfw add pass tcp  from me to any setup keep-state
ipfw add pass udp  from me to any       keep-state
ipfw add pass icmp from me to any       keep-state

# allow everything from localhost->localhost
ipfw add pass all from 127.0.0.1/32 to 127.0.0.1/32 via lo0

# allow everything from internal network machines
ipfw add pass all from 192.168.1.0/24 to 192.168.1.0/24 via re0

# ==================================================================

# allow ssh connections from everyone else
ipfw add pass tcp from any to me 22 via re0 setup keep-state

# allow connections to the local web server
ipfw add pass tcp from any to me 80 via re0 setup keep-state

# ==================================================================

# block everything else
ipfw add deny ip from any to any
```

Note that there is no explicit IP address in the re0 rules that allow SSH (port 22) and HTTP (port 80) connections.


----------

