Hi,
I'm using interface groups to avoid having to maintain lists of interfaces.
I can have nice and simple things like this:
# allow outgoing
pass out quick on external keep state
# allow outgoing from firewalled vlans:
pass in quick on firewalled keep state
instead of maintaining lists like:
external = "{ ixl0, ixl1 }"
firewalled_vlans = "{ vlan2, vlan3, ... }"
This works great, but when I want to do rules like this:
pass in quick on vlan2 proto tcp from vlan2:network to vlan2 port bgp
There are two things I'm missing:
Firstly, during list expansion, is there a way of substituting something
for the current item? I.e.:
pass in quick on { vlan2, vlan3 } proto tcp from XXX:network to XXX port bgp
... where XXX becomes the interface from the list for that rule?
Secondly, is there a way of doing :network on an interface group, or
expanding it out in to a list or something?
I.e. I want to effectively do this:
pass in quick on transit proto tcp from transit:network to transit port bgp
.. where "transit" is an interface group.
Is there a way of taking an interface group and dynamically assigning the
interface names from that group and assigning them to a list?
Currently, the only way I can find of doing this kind of rule is to go
back to hard-coding interface names, like:
pass in quick on vlan2 proto tcp from vlan2:network to vlan2 port bgp
pass in quick on vlan3 proto tcp from vlan3:network to vlan3 port bgp
pass in quick on vlan4 proto tcp from vlan4:network to vlan4 port bgp
when I really want something dynamic like:
pass in quick on transit proto tcp from transit:network to transit port bgp
pass in quick on peering proto tcp from peering:network to peering port bgp
pass in quick on linknet proto tcp from linknet:network to linknet port bgp
Am I missing a neat way of doing this?
Thanks!
Ian
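One workaround for the per-interface rules the post ends up hard-coding is to generate them from the group's live membership and load them into a pf anchor, so pf.conf itself keeps only the group-based rules. The script below is an added example and is not code from the original post; it assumes that `ifconfig -g <group>` prints the group's member interfaces one per line (as it does on FreeBSD and OpenBSD), that pf.conf declares an anchor named "bgp" (the name is arbitrary), and that the generated rules are loaded with `pfctl -a bgp -f -`. The rule text, group names and interface names are taken from the post.

```shell
#!/bin/sh
# Added example, not from the original post: expand a pf interface group
# into one explicit rule per member interface, since a list such as
# { vlan2, vlan3 } expands every element independently and there is no
# per-element placeholder for the from/to addresses.
#
# Assumption: `ifconfig -g <group>` (FreeBSD/OpenBSD) prints the member
# interfaces of <group>, one per line.

# Print the member interfaces of an interface group, one per line.
group_members() {
    ifconfig -g "$1"
}

# Emit the BGP rule from the post for each interface name given as an
# argument.  Usage: gen_bgp_rules vlan2 vlan3 vlan4
gen_bgp_rules() {
    for ifn in "$@"; do
        printf 'pass in quick on %s proto tcp from %s:network to %s port bgp\n' \
            "$ifn" "$ifn" "$ifn"
    done
}

# Same, but for every current member of the named group.
gen_group_rules() {
    # Word-splitting on the members list is intentional; interface names
    # never contain whitespace.
    # shellcheck disable=SC2046
    gen_bgp_rules $(group_members "$1")
}

# Stand-alone use: generate rules for each group named on the command line
# and load them into an anchor declared in pf.conf as:   anchor "bgp"
#   sh bgp-rules.sh transit peering linknet | pfctl -a bgp -f -
# Re-run it (e.g. from a devd/ifconfig hook) whenever group membership
# changes, since the expansion happens here, not at pf ruleset load time.
if [ "$#" -gt 0 ]; then
    for grp in "$@"; do
        gen_group_rules "$grp"
    done
fi
```

Loading into an anchor rather than rewriting pf.conf means a bad generated rule set fails in isolation (`pfctl -a bgp -f -` rejects it and the main ruleset stays loaded), and `pfctl -a bgp -sr` shows exactly what was expanded.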