On Tuesday, May 27, 2003, at 08:30 US/Pacific, Uwe Dippel wrote:

--- Dries Schellekens <[EMAIL PROTECTED]> wrote:

What is the suggested policy to do here ? flush ? simply -f ? nothing ?
(I have an ADSL with dynamic address)

The suggested policy is described in the official PF FAQ and in pf.conf(5): use parentheses around the interface.

Sorry, no clear answer. That means: nothing at ppp.linkup, then ?

Correct.


Parentheses imply flush ? Updating route ? Do I still need route flush
before ppp -ddial ? Curious: what does it do with pf if tun0 is without
IP-address (before lease) ? What with route ?

With a rule like nat on tun0 from any to any -> (tun0) pf watches the address as it changes on tun0.

pf doesn't have anything to do with routing.  I've never worked with
PPP here, but from some quick reads through the docs, you don't need
to deal with it anyway.  Just a single line for the default route in
ppp.conf -- no messing with linkup and linkdown scripts.

Does it not have security implications running nat on a (temporarily)
undefined interface ? Even worse: binat ?

If there's no address, nothing will match or be translated. No security issues.

ext_addr
The external (translation) address on the NAT gateway that packets
will be translated to. The external address can be specified as: [snip]
* The name of the external network interface in parentheses ().
This tells PF to update the rule if the IP address(es) on the
named interface changes.

Doesn't seem to answer the questions fully. If this was everything, we'd activate PF in rc.conf(.local); thereby loading the ruleset at boot. When tun0 comes up ('changes'); the ruleset will be reloaded with the new address. When tun0 goes down, the ruleset will be renewed with no IP; and when it comes up again, it will be renewed with the new IP.

Technically the ruleset isn't reloaded (not sure exactly what you had in mind here), but yes, pf will track the address when you use parentheses.

With respect to routing: should we use HISADDR in ppp.conf to update
the route(s) or better ppp.linkup as hook ?

ppp.conf


The default gateway comes into view: Does it not make a good sense to
delete the default gateway at linkdown ?

ppp handles it.


Any link to a document describing these in more detail will be
appreciated (In the meanwhile I read the whole, new, FAQ. It is pretty
silent on these topics and transitions),

I skimmed man pages and the sample files in /etc/ppp/ for this info, so I have no links. FYI, the recommendations you see for loading the pf ruleset in ppp.linkup come from use of pre-3.2 rules like this: nat on tun0 from any to any -> tun0

Without the parentheses, pfctl will try to get the address from tun0
when you load the ruleset.  Since there is no address at system boot,
pfctl will fail then.  The workaround was to use ppp.linkup, so the
address would be present.

Using something like
  nat on tun0 from any to any -> (tun0)
removes the need to use ppp.linkup.
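As an added illustration (not part of the original thread or the OpenBSD sample files), here is a minimal pf.conf that puts the two forms of the nat rule side by side: the pre-3.2 style that pfctl resolves once at load time, and the parenthesized form that pf keeps in sync with the interface. The internal interface name fxp0 and the 192.168.1.0/24 network are constructed values for the example; only tun0 comes from the thread.

```pf
# /etc/pf.conf (example, constructed for this thread)
ext_if = "tun0"            # PPP interface, gets its address only after the link is up
int_if = "fxp0"            # assumed LAN interface
internal_net = "192.168.1.0/24"   # assumed LAN prefix

# Weak form (pre-3.2 style): pfctl reads tun0's address once when the
# ruleset is loaded.  At boot there is no address yet, so the load fails,
# which is why older advice loaded the ruleset from ppp.linkup instead.
#   nat on $ext_if from $internal_net to any -> $ext_if

# Corrected form: the parentheses tell pf to track the address of tun0
# itself, so the ruleset can be loaded at boot and needs no reload when
# the PPP address changes.  While tun0 has no address, nothing matches.
nat on $ext_if from $internal_net to any -> ($ext_if)

# Default-deny on the external side, stateful pass for the LAN.
block in on $ext_if all
pass out on $ext_if keep state
pass in on $int_if from $internal_net to any keep state
```

To check the file without loading it, run pfctl -nf /etc/pf.conf; after loading, pfctl -sn shows the NAT rules, and with the parenthesized form the rule is accepted even while tun0 has no address.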
