Danny Rathjens wrote:
Dmitri wrote:
The problem with specifying an IP is that it may change, which breaks
the rules and requires an update (and detection as well). Event for a
static IP, that's an extra dependency to watch out for.
That's what variables in your firewall script are for.
Just re-run it when your network connection restarts:
EXTIF="eth0"
EXTIP=`ifconfig $EXTIF |perl -ne'print $1 if /inet addr:([\d.]+)/'`
iptables -A INPUT -j ACCEPT -i $EXTIF -p tcp -d $EXTIP --dport 80
Yes, but it's exactly the sort of hack I hoped to avoid. For a perfectly
simple expression, now I need to 1) detect that IP changed or connection
restarted, and 2) run the hack. There isn't supposed to be any firewall
script.
It's like SNAT vs. MASQUERADE - MASQUERADE works without any scripts or
reloads. Same can be done with other things which require reloading. The
less dynamic hacks in the system, the less of a nondeterministic mess it
would be.
Well, I guess the answer to my question is "no, there is no such
option". I'm half-considering implementing it myself, if I can find
heads and tails of it.
Thanks,
--Dmitri