# [solved] dynamic firewall rules...overkill

## bienchen

Hi there!

I have a few questions concerning dynamic firewall rules...

On this thread https://forums.gentoo.org/viewtopic-t-632120-highlight-ssid+firewall.html I read about postup for the first time. Question: Is this called every time I make changes to the network interface, e.g. switch from lan to wlan? Or only on boot?

Next thing...I am using my private notebook at work and at home and of course I need different firewall settings for the different locations. What would be the best way to detect where I am?

And last but not least, I want a totally paranoid firewall setting when I am in untrusted (unknown) wlans with my little notebook, how to detect that?

hope my questions are not too confusing,

greetings,

bienchen

P.S.: Answers like "Yarr, ye filthy landlubber, scallywag! Ye should read this or that rotten treasuremap for more info on postup() or walk the plank!" are highly welcome (not insisting on pirate talk, though)

Last edited by bienchen on Wed May 28, 2008 11:43 am; edited 1 time in total

----------

## da5idii

the *up and *down functions are called when an interface goes up or down. If you read the thread, there is a mechanism described to detect what ssid you have; from that you just run the respective iptables script, in pseudocode:

```
# $ssid holds the ESSID found the way the linked thread describes
if [ "$ssid" = "home" ]; then
    /path/to/home_iptables.sh
elif [ "$ssid" = "work" ]; then
    /path/to/work_iptables.sh
else
    /path/to/psycho_iptables.sh
fi
```

of course you need to check that the wifi interface is up and whatnot, but that should get you started

----------

## bienchen

Ah, OK,

so first of all I have to decide whether I'm on cable or wireless-cable...

for wlans the ssid (essid?) should be the identifier and for lans?

Thanks for the hint on pre- and postup going with interfaces and not booting...

greetings,

bienchen

----------

## da5idii

there is a variable that the init scripts set for the interface that was (de)activated; if you read the /etc/conf/net.example it describes the behavior of the *up and *down scripts. the essid would seem the natural indicator to use, you could also use the MAC address of the access point or the dhcp server.

----------

## tuam

 *bienchen wrote:*   

> Next thing...I am using my private notebook at work and at home and of course I need different firewall settings for the different locations. What would be the best way to detect where I am?
> 
> And last but not least, I want a totally paranoid firewall setting when I am in untrusted (unknown) wlans with my little notebook, how to detect that?

 

Why do you need different firewall settings? Are you running services on your notebook that need protection?

FF,

Daniel

----------

## bienchen

Well, at home I'm running some services which I am not allowed to run at work. Therefore I can disable certain ports at work which I am using at home...

Question: How do I get the mac addresses of the dhcp server/ access point?

greetings,

bienchen

----------

## da5idii

the mac addr of your wireless ap, run the command iwconfig. the addr of your dhcp is stored in a dhcp info file which is in /var somewhere. the exact location is dependent on your client, see the documentation for this info. dhcpcd puts the file in /var/lib/dhcpcd/dhcpcd-[network interface].info

----------

## bienchen

Well, that info file (equally to `dhcpcd -T <interface>`) does not give me the mac address of the dhcp server but my own! Checked this in several networks. But I figured out another way:

1. Get gateway IP

2. Ping gateway

3. Get mac address of gateway using `arp`

Does this sound reasonable?

greetings,

bienchen

----------

## think4urs11

 *bienchen wrote:*   

> Does this sound reasonable?

 

Only in very easy networks.

- your DHCP server could be within the same network as your client but does not need to be the gateway

- your DHCP server might be located some hops behind the default gateway; in that case you'd see only the MAC of your GW, not of the DHCP server

----------

## bienchen

The idea was only to open some ports in my home network, close everything otherwise.

That means something like

```
if [ "$mac_addr" = "$warm_and_cosy" ]; then # we are home
  : # open ports
else
  : # close everything
fi
```

Since my network at home is simple, this should be OK?

greetings,

bienchen

----------

## da5idii

the pseudo code looks reasonable. i would agree that using an arp lookup to get the mac of the dhcp is a little suspicious, i was referring to the dhcp's ip addr, and after i looked at it using the dns domain would seem a good metric also, or a combination thereof.

----------

## think4urs11

There might be other options for you to decide whether or not the DHCP server is yours

- use an uncommon lease time (3 days 8 hours 17 minutes)

- send a custom dhcp option with the dhcp offer to the client

- use vendor class identifiers

- ...

----------

## bienchen

```
#!/bin/bash

if test -z "$1"; then
  echo "${0}: ERROR: MAC address required as argument"
  exit 1
fi

DHCP_INFO=/var/lib/dhcpcd/dhcpcd-eth0.info

# get IP address of the DHCP server (the DHCPSID='a.b.c.d' line of the dhcpcd info file)
DHCP_IP=$(awk -F"'" '$1 == "DHCPSID=" {print $2}' "$DHCP_INFO")

# fetch hw address of the DHCP server: ping once so it lands in the ARP cache, then read it
ping -c1 "$DHCP_IP" > /dev/null
DHCP_MAC=$(arp -a "$DHCP_IP" | awk '{print $4}')

#echo "DHCP-Server IP: $DHCP_IP with mac: $DHCP_MAC"

# act on address (a branch may not be empty in bash, hence the ':' no-ops)
if test "$DHCP_MAC" = "$1"; then
    : # release ports
else
    : # close ports
fi
```

I think this should be OK?
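As an added example, not code from the thread or from any of its posters, the script below puts the pieces discussed above into one bash file: read the DHCP server IP from the dhcpcd info file, resolve its MAC through the ARP cache, cross-check it with the ESSID, and pick a firewall profile. It also covers think4urs11's case: a DHCP server behind the gateway (or an incomplete ARP entry) yields no MAC at all rather than the gateway's, and every unconfirmed situation falls back to the closed profile. Assumed, not taken from the page: the `DHCPSID='...'` line format of the dhcpcd info file, the `host (ip) at mac [ether] on dev` layout of `arp -a` output, `iwconfig` for the ESSID, the placeholder ESSID and MAC values, and port 22 standing in for whatever services run at home.

```shell
#!/bin/bash
# Added example, not code from the thread. Chooses a firewall profile from the
# network's identity and fails closed ("paranoid") whenever that identity cannot
# be confirmed. Assumptions: dhcpcd 3.x-style info file with a DHCPSID='...'
# line, "arp -a" output of the form "host (ip) at mac [ether] on dev", iwconfig
# for the ESSID. All addresses and names below are constructed placeholders.

HOME_ESSID="HomeNet"               # constructed: ESSID of the home WLAN
HOME_DHCP_MAC="00:1a:2b:3c:4d:5e"  # constructed: MAC of the home DHCP server

# Constructed sample data so the decision logic can be exercised offline.
DHCP_INFO_SAMPLE="IPADDR='192.168.1.23'
DHCPSID='192.168.1.1'"
ARP_SAMPLE="gw (192.168.1.1) at 00:1A:2B:3C:4D:5E [ether] on eth0
? (192.168.1.5) at <incomplete> on eth0"

# Print the DHCP server IP from dhcpcd info text on stdin (empty if absent).
dhcp_server_ip() {
    awk -F"'" '$1 == "DHCPSID=" { print $2; exit }'
}

# Print the lowercase MAC for IP $1 from "arp -a" text on stdin. Prints nothing
# when the address is off-link or the entry is incomplete: a DHCP server behind
# the gateway therefore yields no MAC, not the gateway's.
mac_for_ip() {
    awk -v ip="($1)" '$2 == ip && length($4) == 17 && $4 ~ /^[0-9a-fA-F:]+$/ {
        print tolower($4); exit }'
}

# $1 = ESSID ("" on a wired link), $2 = DHCP server MAC ("" when unknown).
# "home" only when the DHCP server MAC matches and, on WLAN, the ESSID matches
# too; anything unconfirmed gets the closed profile.
select_profile() {
    local essid="$1" mac
    mac=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    if [ "$mac" = "$HOME_DHCP_MAC" ] &&
       { [ -z "$essid" ] || [ "$essid" = "$HOME_ESSID" ]; }; then
        echo home
    else
        echo paranoid
    fi
}

# Default-deny INPUT policy with loopback and return traffic allowed; the home
# profile additionally opens the service ports (22 stands in for the home services).
apply_profile() {
    iptables -F INPUT
    iptables -P INPUT DROP
    iptables -A INPUT -i lo -j ACCEPT
    iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    if [ "$1" = home ]; then
        iptables -A INPUT -p tcp --dport 22 -j ACCEPT
    fi
}

# Meant to be called from postup() with the interface name; reads live data.
postup_hook() {
    local iface="$1" essid ip mac=""
    essid=$(iwconfig "$iface" 2>/dev/null | sed -n 's/.*ESSID:"\([^"]*\)".*/\1/p')
    ip=$(dhcp_server_ip < "/var/lib/dhcpcd/dhcpcd-$iface.info")
    if [ -n "$ip" ]; then
        ping -c1 -W1 "$ip" >/dev/null 2>&1 || true   # populate the ARP cache
        mac=$(arp -a | mac_for_ip "$ip")
    fi
    apply_profile "$(select_profile "$essid" "$mac")"
}

# Offline demonstration on the constructed samples; prints the chosen profile.
demo() {
    local ip mac
    ip=$(printf '%s\n' "$DHCP_INFO_SAMPLE" | dhcp_server_ip)
    mac=$(printf '%s\n' "$ARP_SAMPLE" | mac_for_ip "$ip")
    select_profile "HomeNet" "$mac"
}

if [ "${1:-}" = "--postup" ] && [ -n "${2:-}" ]; then
    postup_hook "$2"      # live mode: ./script --postup wlan0
else
    echo "demo decision: $(demo)"
fi
```

Run it without arguments to see the decision on the constructed samples; in live use, `postup()` in the interface configuration would call it as `/path/to/script --postup "${IFACE}"`. The MAC is lowercased before comparing because `arp` and `iwconfig` do not agree on letter case, and the profile is rebuilt from a flushed, default-deny INPUT chain each time so that a change of location can never leave a stale allow rule behind.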

----------

## bienchen

Seems to work for me. Not a perfect solution but my services will only and only be up in my home network.

greetings,

bienchen

----------

