From: "Uwe Dippel" <[EMAIL PROTECTED]>
Sent: Wednesday, May 07, 2003 3:44 PM

> Maybe this has been discussed earlier .. ?
> Very new to pf, I have the feeling that all those rulesets with
> bindings to the interface seem to me less optimal than binding to an
> IP address.
> Before I start writing my own stuff to pass the IP to pf instead of
> the interface: What is the opinion of the people on this list?
pf filters on the IP layer, hence there is no "binding to if". What you seem to confuse is the (updated) expanding of an interface to its bound ip/ip6 addresses.

It makes little difference if you have a static IP bound to your interface, as pfctl will replace the ifname with the bound IP address(es) when loading the ruleset. However, if you write your static IP into your pf.conf you'll have to update one more file when changing your IP on one interface (so it's not a good idea IMO).

If you have an interface with a dynamic IP (say ppp dial-up) you'll want to use the "(ifname)" feature (hook_establish()), which updates your ruleset whenever a new IP is assigned to the interface. Note that you'll have to specify the af in that case (to enable pf to choose the right address).

I think it's better to use the interface name (with proper af spec) in your ruleset. I can't think of a case where I'd use the IP of a local interface.

If you are uncertain what pfctl will make of your ruleset, use "pfctl -nvf yourrules.conf", which will display the fully expanded ruleset with all ifname conversions.

Max
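The three ways of naming a local address that the reply contrasts, side by side in one pf.conf, as an added example that is not from the thread; the interface names fxp0/ppp0 and the address 192.0.2.10 are assumed placeholders:

```pf
# Added example, not from the thread. Interface names and the address
# 192.0.2.10 are assumed placeholders.
ext_if = "fxp0"       # interface with a static address (assumed 192.0.2.10)
dyn_if = "ppp0"       # dial-up interface whose address changes on every connect

# 1. Static IP written into pf.conf: works, but pf.conf must be edited by
#    hand every time the address on fxp0 changes.
pass in on $ext_if inet proto tcp from any to 192.0.2.10 port 22 keep state

# 2. Bare interface name: pfctl expands $ext_if to the address(es) bound at
#    load time, so pf.conf itself never has to change with the address.
pass in on $ext_if inet proto tcp from any to $ext_if port 22 keep state

# 3. Dynamic interface: (ifname) is re-evaluated by pf whenever ppp0 gets a
#    new address; the "inet" af spec tells pf to pick the IPv4 address.
pass in on $dyn_if inet proto tcp from any to ($dyn_if) port 22 keep state

# Before loading, see what pfctl actually makes of these rules
# (interface names replaced by the bound addresses) without loading them:
#   pfctl -nvf /etc/pf.conf
```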