Seattle Firewall

dhclient


I prefer to use dhclient from ISC for my DHCP client. I have modified the RedHat /sbin/ifup and /sbin/ifdown scripts to use this program rather than pump. When using a dynamic address on my internet connection, these scripts and script changes seal off my external interface before the interface is started and reconfigure my firewall after I've obtained a changed IP address.

In /sbin/ifup, I have replaced:

if /sbin/pump $PUMPARGS -i $DEVICE

with:

if /sbin/dhclient $DEVICE; then

and in /sbin/ifdown, I have replaced:

/sbin/pump -r -i ${DEVICE}

with:

kill -TERM `cat /var/run/dhclient.pid`

Note that the "`" characters in the preceding line are back single quotes (upper left of your QWERTY keyboard).

I have created the file /etc/dhclient-enter-hooks which contains:

# PREINIT is raised before the interface is configured: close the firewall first
if [ "x$reason" = xPREINIT ]; then
    /sbin/seawall stop
fi

and /etc/dhclient-exit-hooks which contains:

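# Do nothing until the local interface (eth1) is up
if [ -n "`ifconfig eth1 | grep UP`" ]; then
    # React only to events that bind or re-bind a lease
    if [ "x$reason" = xRENEW ] || [ "x$reason" = xREBIND ] || \
       [ "x$reason" = xREBOOT ] || [ "x$reason" = xBOUND ]; then
        # Reconfigure on a first address, a changed address, or a new lease
        if [ "x$old_ip_address" = x ] || [ "x$old_ip_address" != "x$new_ip_address" ] || \
           [ "x$reason" = xBOUND ] || [ "x$reason" = xREBOOT ]; then
            # Restart if the seawall rules are already loaded, otherwise start
            if [ -n "`ipchains -L -n | grep seawall`" ]; then
                /sbin/seawall restart
            else
                /sbin/seawall start
            fi
        fi
    fi
fi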

The interface using dhclient is eth0. I include the test for eth1 being up so that I don't try to start Seattle Firewall before my local interface is up. The rc.x entries created by chkconfig will take care of starting the firewall during boot.

Both the enter and exit hook files must be executable by root.
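
Because dhclient runs as root, anything in these two hook files runs with root privileges, so their ownership and mode are worth checking along with the execute bit. The script below is an added example, not part of the original scripts or of Seattle Firewall; the function names check_hook and audit_hooks, the --audit switch and the overridable owner uid are assumptions of the example.

```shell
#!/bin/sh
# Added example: audit the dhclient hook files before dhclient runs them as root.
# The second argument (expected owner uid) is this example's own parameter; it
# defaults to 0 (root) and exists so the check can be tried on scratch files.

check_hook() {
    f=$1
    want_uid=${2:-0}

    # Require a regular file; a symlink could be repointed at other content.
    if [ -L "$f" ] || [ ! -f "$f" ]; then
        echo "FAIL $f: missing or not a regular file"
        return 1
    fi

    # "ls -ldn" prints the mode string and the numeric owner in fields 1 and 3.
    meta=$(ls -ldn "$f" | awk '{print $1, $3}')
    mode=${meta% *}
    uid=${meta#* }

    if [ "$uid" != "$want_uid" ]; then
        echo "FAIL $f: owned by uid $uid, expected $want_uid"
        return 1
    fi
    case $mode in
        -??x*) ;;
        *) echo "FAIL $f: not executable by its owner ($mode)"; return 1 ;;
    esac
    case $mode in
        -????w*|-???????w*)
            echo "FAIL $f: writable by group or other ($mode)"
            return 1 ;;
    esac
    echo "OK   $f ($mode, uid $uid)"
}

# Check both hook files named on this page; non-zero status if either fails.
audit_hooks() {
    rc=0
    for h in /etc/dhclient-enter-hooks /etc/dhclient-exit-hooks; do
        check_hook "$h" || rc=1
    done
    return $rc
}

# Run the audit only when asked to: sh thisfile --audit
if [ "${1:-}" = "--audit" ]; then
    audit_hooks
fi
```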


Last updated 5/7/2000 - Tom Eastep