I have a LAN. I have a firewall. I allow people w/ registered MACs to
get 'net via a DHCP lease. I don't believe in allowing an entire subnet
(say 10.0.0.0/24, for example) through the firewall. See the problem
here?
The problem was, at the time, there was no easy way to execute some
command every time a DHCP lease is given out. For all I know, the latest
version of dhcpd incorporates this functionality. I wrote firewatch to do
this. At its core, it tails the log file(s) and waits for a DHCP lease to
be given out, then adds a set of firewall rules.
Initially, the rules were hardcoded into the script. This worked fine for
a few machines. However, when people started asking things like "hey,
could you allow pr0nd through the firewall", editing the script became a
real bitch (it also required killing and restarting the script). I've
since moved all the allowed protocols and ports to an external file that
gets sourced every time a machine gets added to the firewall. Since lease
times are relatively short (in my setup anyway), changes will propagate
to all machines within a reasonable amount of time.
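A minimal sketch of that approach, added here as an example and not firewatch's own code: it parses an ISC dhcpd DHCPACK log line, checks the MAC against a registered list, re-sources an external ports file on every lease, and emits one rule per entry. The file paths and the `ALLOWED` variable name are assumptions, and `FW` defaults to `echo iptables` so the rules are printed rather than applied.

```shell
# Added example of the firewatch approach (not the original script): parse a
# dhcpd DHCPACK line, check the MAC against a registered list, re-source an
# external ports file on every lease, and emit per-host firewall rules.
# FW defaults to "echo iptables" so nothing is applied; set FW=iptables to apply.
FW="${FW:-echo iptables}"
WORK="$(mktemp -d)"
REGISTERED_MACS="$WORK/registered-macs.txt"   # hypothetical path
PORTS_FILE="$WORK/allowed-ports.sh"           # hypothetical path, sourced per lease

# Constructed sample data so the example runs stand-alone.
printf '00:11:22:33:44:55\n' > "$REGISTERED_MACS"
printf 'ALLOWED="tcp:22 tcp:80 udp:53"\n' > "$PORTS_FILE"

# parse_ack LINE: print "IP MAC" for a DHCPACK line, return 1 for anything else.
# ISC dhcpd logs e.g. "dhcpd: DHCPACK on 10.0.0.5 to 00:11:22:33:44:55 via eth0".
parse_ack() {
    printf '%s\n' "$1" |
        sed -n 's/.*DHCPACK on \([0-9.]*\) to \([0-9a-fA-F:]*\).*/\1 \2/p' | grep .
}

# is_registered MAC: succeed only if the MAC is listed (case-insensitive).
is_registered() {
    grep -qix "$1" "$REGISTERED_MACS"
}

# add_host_rules IP: source the ports file and emit one ACCEPT rule per
# "proto:port" entry, so edits to the file take effect on the next lease
# without restarting the watcher.
add_host_rules() {
    ip="$1"
    . "$PORTS_FILE"
    for entry in $ALLOWED; do
        proto="${entry%%:*}"; port="${entry##*:}"
        $FW -A FORWARD -s "$ip" -p "$proto" --dport "$port" -j ACCEPT
    done
}

# handle_line LINE: the whole pipeline for one log line. Returns 1 if the line
# is not a lease, 2 if the MAC is not registered (the lease is then ignored).
handle_line() {
    pair="$(parse_ack "$1")" || return 1
    set -- $pair
    is_registered "$2" || { echo "ignoring lease $1 for unregistered MAC $2" >&2; return 2; }
    add_host_rules "$1"
}

# watch LOGFILE: follow the log and act on each new lease (the real loop).
watch() {
    tail -Fn0 "$1" | while IFS= read -r line; do handle_line "$line"; done
}
```

Run `watch /var/log/syslog` (or wherever dhcpd logs) with `FW=iptables` to use it for real; lease expiry and rule removal are left out of this sketch.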