firewatch

I have a LAN. I have a firewall. I allow people w/ registered MACs to get 'net via a DHCP lease. I don't believe in allowing an entire subnet (say 10.0.0.0/24, for example) through the firewall. See the problem here?

The problem was, at the time, there was no easy way to execute some command every time a DHCP lease is given out. For all I know, the latest version of dhcpd incorporates this functionality. I wrote firewatch to do this. At its core, it tails the log file(s) and waits for a DHCP lease to be given out, then adds a set of firewall rules.

Initially, the rules were hardcoded into the script. This worked fine for a few machines. However, when people started asking things like "hey, could you allow pr0nd through the firewall", editing the script became a real bitch (and also required killing and restarting the script). I've since moved all the allowed protocols and ports to an external file that gets sourced every time a machine is added to the firewall. Since lease times are relatively short (in my setup, anyway), changes propagate to all machines within a reasonable amount of time.
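The lease-to-rules step described above, as an added example rather than the original firewatch script: it parses an ISC dhcpd DHCPACK syslog line, checks the MAC against a registered list, and emits one pf pass rule per entry of an allowed protocol/port list (pf is assumed because of the authpf reference; the log format, list contents and addresses are constructed sample data).

```shell
#!/bin/sh
# Added example, not the original firewatch script. It assumes ISC dhcpd
# syslog lines of the form
#   "dhcpd: DHCPACK on 10.0.0.23 to 00:11:22:33:44:55 (host) via em0"
# and pf rule syntax; the lists below are constructed sample data.

# Stand-in for the externally sourced allowed protocol/port file.
ALLOWED_PORTS="tcp/22 tcp/80 tcp/443 udp/53"

# Registered MACs (lowercase). The MAC is client-supplied and not
# authenticated, which is why authpf is the better fit today.
REGISTERED_MACS="00:11:22:33:44:55 aa:bb:cc:dd:ee:ff"

# parse_ack LOGLINE -> prints "IP MAC" for a DHCPACK line, nothing otherwise.
parse_ack() {
    printf '%s\n' "$1" |
        sed -n 's/.*DHCPACK on \([0-9.]*\) to \([0-9a-fA-F:]*\) .*/\1 \2/p' |
        tr 'A-F' 'a-f'
}

# is_registered MAC -> succeeds if MAC is in REGISTERED_MACS.
is_registered() {
    case " $REGISTERED_MACS " in
        *" $1 "*) return 0 ;;
        *) return 1 ;;
    esac
}

# rules_for IP -> one pf pass rule per allowed proto/port for that host.
rules_for() {
    for entry in $ALLOWED_PORTS; do
        printf 'pass in quick proto %s from %s to any port %s\n' \
            "${entry%/*}" "$1" "${entry#*/}"
    done
}

# handle_line LOGLINE -> rules for a registered host's new lease, else nothing.
handle_line() {
    set -- $(parse_ack "$1")
    [ $# -eq 2 ] || return 0
    is_registered "$2" || return 0
    rules_for "$1"
}
```

In live use the tailed daemon log would be fed line by line into handle_line and each host's output loaded into its own pf anchor (pfctl -a <anchor> -f -), so that the expiry side can flush one host's anchor without touching the others.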

I have had no problems with the script. It's run for nearly a month straight and has handled adding rules for as many as 5 machines without doing anything stupid like eating up all my memory, adding 5000 incorrect rules, or randomly dying.

Please note that this script is OLD and newer and better solutions exist, namely authpf.

rule_reaper

As previously stated, I'm a bit anal about what I allow through my firewall. After I started writing firewatch, I realized that I needed a way to remove rules as leases expire. I soon discovered that rule removal was an equally ugly beast, so I moved this task elsewhere. Enter rule_reaper. rule_reaper's sole purpo