Yesterday I switched from using a single address for NAT to an address pool. I used the round-robin for the address pool with sticky-address in the pf file.
It seemed logical to me to add each IP address in the address pool to the interface with ifconfig. I noticed a few minutes ago that I had forgotten to configure one of the addresses in the address pool with ifconfig. Yet it all seemed to be working just fine. So I ran a test. I looked to see which address in the pool it was using for a test computer. I deleted that address from the interface with ifconfig and then went to the test computer and used ssh to connect to this computer. It worked fine. And when I checked the environment variables, SSH_CLIENT showed the address. So I was connecting from an address that was not assigned to any interface! Did I see that correctly or am I hallucinating? It is after 3 am here after all.

So that leaves the obvious question of whether it is better to add the IP address to the interface or leave it off? Is there any advantage to doing it one way or the other? I'm still looking around for my copy of The Book of PF. Maybe someone borrowed it and didn't tell me. I just now skimmed through Secure Architectures with OpenBSD and didn't see anything about it there. I'll look more closely in a few minutes if I can stay awake much longer.

Before I exhausted my /24 IP address block and had to start using NAT, I didn't define IP addresses on my firewall computer, figuring it would make it more difficult for an attacker to detect, much less attack. It would be interesting to be able to have no IP address assigned to the interface and only the private IP address on the other interface.

One other question. With the round-robin and sticky-address, it remembers and uses the same public IP address for everything from a particular private IP address. If I use a CIDR block, instead, then I can use source-hash to use the same public IP address for everything from a particular private IP address. Or I can use sticky-address with the random. Is there any advantage to using one over the other? I kind of like the idea of not using sticky-address at all and letting it choose a fresh address for every connection, but I'm concerned that it could lead to some problems.

Eric Johnson
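The pool variants the post compares, written out as pf.conf NAT rules; this is an added example, not from the original post, and the interface name, internal network and public addresses are assumed (the public range is the documentation block, not a real pool). Note that pf will happily rewrite the source to a pool address that is not configured on the interface, but return traffic only arrives while the upstream router can still resolve that address to this host (a cached or static ARP entry, or a route), so such a setup can stop working silently when that cache expires.

```conf
# Added example: pf.conf NAT pool variants discussed in the post.
# Interface, internal network and public addresses are assumptions.
ext_if    = "em0"
int_net   = "10.0.0.0/24"
# Constructed public pool and block (documentation range 192.0.2.0/24).
pub_pool  = "{ 192.0.2.10, 192.0.2.11, 192.0.2.12 }"
pub_block = "192.0.2.16/28"

# Variant 1 (what the post currently uses): loop through the list, but pin
# each internal host to the first external address it was handed. Only the
# round-robin option accepts a list or table of addresses.
nat on $ext_if from $int_net to any -> $pub_pool round-robin sticky-address

# Variant 2: CIDR block with source-hash. The external address is derived
# from a hash of the internal source address, so the mapping is stable
# without pf having to remember it per host.
# nat on $ext_if from $int_net to any -> $pub_block source-hash

# Variant 3: random pick from the block, pinned per internal host.
# random (like source-hash) requires a single prefix, not a list.
# nat on $ext_if from $int_net to any -> $pub_block random sticky-address

# Variant 4 (the post's "fresh address every connection" idea): no
# sticky-address, so each new connection from a host may leave from a
# different external address.
# nat on $ext_if from $int_net to any -> $pub_pool round-robin
```

Only one of the four nat rules should be active at a time; the others are left commented out so the file loads as written.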