On Fri, Nov 07, 2008 at 01:22:08PM +0100, Peter N. M. Hansteen wrote:
 
> Unless we make some other unique identifier part of the way PF
> evaluates rules (the MAC address comes to mind, but that too can be
> changed in any modern operating system), there is no quick fix, other
> than rewriting your rule set so it avoids 'on' criteria and other
> hardware specifics wherever possible.

Free advice without a patch is, of course, worth the price, but:

If there was a way of recording the MAC address assigned to each
interface by the kernel, then on a subsequent reboot could the kernel
read that file to ensure that previously seen interfaces were assigned
the same number?

On Linux (Debian), interfaces are all ethx no matter what vendor.  The
udev system is supposed to record the corresponding MAC in a persistent rules
file to prevent this problem.  Of course, this doesn't seem to work on
some boxes for drives, so that, for example, a boot fails if a USB stick
is plugged in because it may be assigned the /dev/sdx that is supposed
to be the root drive.  This prompts hacks of mounting with LABEL or
UUID.

Perhaps pf could be configured with MAC address instead of interface id.

Sure the MAC address could be changed by the sysadmin, but does it get
changed at random by the OS?

Just some early-morning thoughts, for what they're worth.

Doug.
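The record-and-compare idea in the message above, as an added example that is not part of the original thread and not code from OpenBSD, pf or udev: a small script that records which MAC address sits behind each interface name and, on a later run, reports any interface whose name now points at different hardware. It assumes OpenBSD-style `ifconfig` output (a `name: flags=` line followed by an indented `lladdr` line); the `ifconfig` samples, the MAC addresses and the one-pair-per-line state file format are all constructed for this example.

```python
"""Record the MAC behind each interface name and detect renumbering on reboot.

Added example; assumes OpenBSD-style ``ifconfig`` output and a hypothetical
state file with one ``mac name`` pair per line.
"""
import os
import re
import tempfile
from pathlib import Path

# Constructed sample ifconfig output from a first boot (not real hardware).
BOOT1 = """\
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 32768
        index 3 priority 0 llprio 3
em0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        lladdr 02:00:00:00:00:01
        index 1 priority 0 llprio 3
em1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        lladdr 02:00:00:00:00:02
        index 2 priority 0 llprio 3
"""

# Constructed sample after a reboot where the kernel probed the two NICs in
# the opposite order: the names swapped, the hardware did not.
BOOT2 = """\
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 32768
        index 3 priority 0 llprio 3
em0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        lladdr 02:00:00:00:00:02
        index 1 priority 0 llprio 3
em1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        lladdr 02:00:00:00:00:01
        index 2 priority 0 llprio 3
"""

IFACE_RE = re.compile(r"^(\w+): flags=")
LLADDR_RE = re.compile(r"^\s+lladdr ([0-9a-fA-F:]{17})\b")


def parse_ifconfig(text):
    """Return {interface name: MAC} for every interface that shows an lladdr."""
    mapping = {}
    current = None
    for line in text.splitlines():
        m = IFACE_RE.match(line)
        if m:
            current = m.group(1)  # a new interface block starts
            continue
        m = LLADDR_RE.match(line)
        if m and current:
            mapping[current] = m.group(1).lower()
    return mapping


def save_mapping(path, mapping):
    """Persist the mapping as 'mac name' lines; the MAC is the stable key."""
    lines = [f"{mac} {name}" for name, mac in sorted(mapping.items())]
    Path(path).write_text("\n".join(lines) + "\n")


def load_mapping(path):
    """Read a file written by save_mapping back into {name: MAC}."""
    mapping = {}
    for line in Path(path).read_text().splitlines():
        if line.strip():
            mac, name = line.split()
            mapping[name] = mac
    return mapping


def compare(recorded, current):
    """Describe how the name<->MAC binding differs from the recorded one.

    renamed: {mac: (old name, new name)} for hardware that changed name.
             Any entry here means a pf rule written with 'on <name>' now
             applies to a different physical link than it was written for.
    missing: names recorded earlier whose MAC is no longer present.
    new:     names seen now whose MAC was never recorded.
    """
    rec_by_mac = {mac: name for name, mac in recorded.items()}
    cur_by_mac = {mac: name for name, mac in current.items()}
    both = rec_by_mac.keys() & cur_by_mac.keys()
    renamed = {mac: (rec_by_mac[mac], cur_by_mac[mac])
               for mac in both if rec_by_mac[mac] != cur_by_mac[mac]}
    missing = sorted(rec_by_mac[mac] for mac in rec_by_mac.keys() - cur_by_mac.keys())
    new = sorted(cur_by_mac[mac] for mac in cur_by_mac.keys() - rec_by_mac.keys())
    return {"renamed": renamed, "missing": missing, "new": new}


if __name__ == "__main__":
    state = os.path.join(tempfile.gettempdir(), "ifmac.db")  # hypothetical path
    save_mapping(state, parse_ifconfig(BOOT1))                # first boot: record
    report = compare(load_mapping(state), parse_ifconfig(BOOT2))
    for mac, (old, new) in report["renamed"].items():
        print(f"WARNING: {mac} was {old}, is now {new}; check 'on {old}' rules")
```

Run at boot before `pfctl` loads the rule set and refuse to load (or page someone) when `renamed` is non-empty; as the thread notes, the check is only as good as the MAC, which an administrator can change deliberately, but the kernel does not reassign it at random.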
