* Alan Hadsell wrote on Fri, Apr 19, 2002 at 07:08 -0500:
Steffen Dettmer <steffen@dett.de> writes:
But why not set a rule on bootup with "ppp+"? Why the need to rewrite firewall rules when interfaces come up or go down?
The antispoofing rules, at least, need to be rewritten when the IP address changes.
AFAIK "antispoofing" means to drop packets with source addresses which come from the wrong interface. At least in a common configuration (internal LANs with static addressing and a dialup/DSL/cable uplink) I don't see why the antispoofing rules should change when the local IP address changes.

And let me repeat, if you don't trust your ISP, you don't know if you get the correct IP assigned, but if you do, you know that the ISP router will route the correct packets (destination based). Well, and since the source addresses are unaffected by your local IP, nothing changes. Usually you may get just *any* IP assigned, and by that you can filter with any as local IP.

Since the last time we had such a thread, nobody has had a situation requiring rule rewriting (not counting very exotic setups), so I still think there is no need for such rewrites in a clean configuration.

oki,

Steffen

-- 
This letter was generated by machine and therefore bears neither signature nor seal.
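An added example, not from the thread, of the interface-keyed antispoofing rules Steffen is describing: every match is on the interface name (the "ppp+" wildcard) and the address ranges that may legitimately appear on it, never on the address the uplink currently holds, so a new IP on ppp0 changes nothing. It assumes iptables, a LAN on eth0 numbered 192.168.1.0/24 and a ppp+ uplink; all three are assumptions, and by default the script prints the commands instead of applying them.

```shell
#!/bin/sh
# Added example (not from the thread): antispoofing rules that key on
# interface names and the LAN range only, so nothing needs regenerating
# when the dialup interface gets a new address.
# Assumptions: LAN interface eth0 with 192.168.1.0/24, uplink is any ppp+
# interface. IPT defaults to "echo iptables" so the rules are printed, not
# applied; run with IPT=iptables to apply them for real.

LAN_IF="${LAN_IF:-eth0}"
LAN_NET="${LAN_NET:-192.168.1.0/24}"
UPLINK_IF="${UPLINK_IF:-ppp+}"
IPT="${IPT:-echo iptables}"

# Emit one rule; with the default IPT this prints it to stdout.
rule() {
    $IPT "$@"
}

antispoof_rules() {
    # Packets claiming a LAN source must not arrive on the uplink.
    rule -A INPUT   -i "$UPLINK_IF" -s "$LAN_NET" -j DROP
    rule -A FORWARD -i "$UPLINK_IF" -s "$LAN_NET" -j DROP
    # Loopback sources never arrive on a real interface.
    rule -A INPUT -i "$UPLINK_IF" -s 127.0.0.0/8 -j DROP
    # RFC 1918 ranges have no business coming in from the ISP side
    # (with a private LAN this also covers LAN_NET; kept for a public LAN).
    for net in 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16; do
        rule -A INPUT   -i "$UPLINK_IF" -s "$net" -j DROP
        rule -A FORWARD -i "$UPLINK_IF" -s "$net" -j DROP
    done
    # Anything entering on the LAN interface must carry a LAN source.
    rule -A INPUT   -i "$LAN_IF" ! -s "$LAN_NET" -j DROP
    rule -A FORWARD -i "$LAN_IF" ! -s "$LAN_NET" -j DROP
}

# Sanity check: the rule set must not contain a single host (/32) address,
# i.e. nothing that would have to change when the uplink IP changes.
count_host_literal_rules() {
    antispoof_rules | grep -c -E -e '-[sd] [0-9.]+/32' || true
}

antispoof_rules
```

With the default IPT the output can be diffed against the rules actually loaded; because the set contains no host address, the same commands are valid before and after a redial.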