On Thu, 13 May 2010 09:45:47 +1000 "Rod Whitworth" <glis...@witworx.com> wrote:

> What is wrong with the old rule:
>
>     rdr pass on $int_if proto tcp to port ftp -> 127.0.0.1 port 8021
>
> being converted to:
>
>     pass in quick on $int_if proto tcp to port ftp rdr-to 127.0.0.1 port 8021
>
> put in a location above any other rule applying to $int_if??
>
> The reason I queried whether the 4.7 construct was correct is that it
> applies to traffic from any to any. Even my suggested rule would not
> be universal. Maybe there's an ftp server on the LAN.
Yep, the 'pass in quick' with 'any to any' in the default pf.conf ruleset is bad juju, and hence the patch I posted. If deemed acceptable and committed, I'll patch update47.html accordingly.

But to answer your question, the interface names such as "int_if" were intentionally removed since we can now create hardware independent rulesets by using interface groups. If you're overly accustomed to using interface names like '$int_if' it takes a bit to wrap your head around the new interface groups, but they're really cool.

-- 
The OpenBSD Journal - http://www.undeadly.org
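For readers following the thread, here is an added pf.conf fragment (constructed for this page, not the poster's patch nor OpenBSD's shipped example) that puts the two points together: the 4.7-style rdr-to rule scoped to FTP clients on the LAN rather than "any to any", and an interface group used in place of a hardware-specific $int_if macro. It assumes the LAN-facing NIC has been placed in a group named "lan" and that ftp-proxy(8) listens on its default 127.0.0.1 port 8021.

```pf
# Constructed example, not from the thread or from OpenBSD's default pf.conf.
# Assumes the LAN-facing NIC is in the "lan" interface group, e.g.
#   ifconfig em0 group lan        (or a "group lan" line in /etc/hostname.em0)
# and that ftp-proxy(8) is running with its defaults (127.0.0.1 port 8021).

# ftp-proxy installs its per-session data-channel rules under this anchor.
anchor "ftp-proxy/*"

# Only FTP control connections that arrive on a "lan" group interface, from
# the LAN's own network, are redirected to the proxy. Connections arriving on
# any other interface (e.g. clients on the Internet reaching an FTP server on
# the LAN) do not match this rule. "quick" keeps a later, broader pass rule
# from overriding the redirect; "on lan" ties the rule to the group, so the
# ruleset needs no edit if the LAN NIC changes.
pass in quick on lan inet proto tcp from lan:network to any port ftp \
    rdr-to 127.0.0.1 port 8021

# Let the proxy's own outbound FTP control connections leave the box.
pass out on egress inet proto tcp to any port ftp
```

Use `pfctl -nf /etc/pf.conf` to syntax-check the fragment before loading it, and `pfctl -sr` afterwards to confirm the rdr-to rule sits above any catch-all pass rule for the LAN group, which is the ordering concern raised in the quoted message.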