Re: write pf rules for acces concentrator server (pppoe)
On Mon, Mar 3, 2008 at 6:34 PM, Henning Brauer [EMAIL PROTECTED] wrote:

> * Fratiman Vladut [EMAIL PROTECTED] [2008-03-01 23:16]:
>
> since there is no ng interface on OpenBSD I assume you use some other OS. which probably means you are doomed.
>
> On OpenBSD, you use interface groups for that, and clonable interfaces by default are in a group named by the interface base name, i.e. ppp for ppp0, ppp1, .. pppN.
>
> I don't know if and to which extent other OSs that ported pf have picked up interface groups.
>
> --
> Henning Brauer, [EMAIL PROTECTED], [EMAIL PROTECTED]
> BS Web Services, http://bsws.de
> Full-Service ISP - Secure Hosting, Mail and DNS Services
> Dedicated Servers, Rootservers, Application Hosting - Hamburg Amsterdam

FreeBSD has ng interface.
http://www.freebsdonline.com/content/view/452/468/

--Siju
Re: write pf rules for acces concentrator server (pppoe)
* Fratiman Vladut [EMAIL PROTECTED] [2008-03-01 23:16]:

> I have a pppoe server. How can I write pf rules for this situation, in order to specify any interface, ng0, ng1, ...? I see that there isn't any possibility to use a wildcard in macros, something like this: ng_if=ng*. Obviously it isn't very easy to have a rule for every ng interface. How can this be resolved?

since there is no ng interface on OpenBSD I assume you use some other OS. which probably means you are doomed.

On OpenBSD, you use interface groups for that, and clonable interfaces by default are in a group named by the interface base name, i.e. ppp for ppp0, ppp1, .. pppN.

I don't know if and to which extent other OSs that ported pf have picked up interface groups.

--
Henning Brauer, [EMAIL PROTECTED], [EMAIL PROTECTED]
BS Web Services, http://bsws.de
Full-Service ISP - Secure Hosting, Mail and DNS Services
Dedicated Servers, Rootservers, Application Hosting - Hamburg Amsterdam
Re: write pf rules for acces concentrator server (pppoe)
On 2008-03-02, Fratiman Vladut [EMAIL PROTECTED] wrote:

> Thanks! Works very well. Now, how can I configure the system in order to make these changes every time it boots? How can I add all ng interfaces to the ng group at boot time?

What is an ng interface?
Re: write pf rules for acces concentrator server (pppoe)
Thanks! Works very well. Now, how can I configure the system in order to make these changes every time it boots? How can I add all ng interfaces to the ng group at boot time?

scott wrote:

> see ifconfig(4) and the group group-name keyword (also applicable to hostname.if).
>
> Substitute the group-name for the interface name in the applicable pf rule. One group-name based rule covers off all the member interfaces. :-)
>
> -Original Message-
> From: Fratiman Vladut [EMAIL PROTECTED]
> To: misc@openbsd.org
> Subject: write pf rules for acces concentrator server (pppoe)
> Date: Sun, 02 Mar 2008 00:10:50 +0200
> Mailer: Thunderbird 2.0.0.12 (Windows/20080213)
> Delivered-To: [EMAIL PROTECTED]
>
> I have a pppoe server. How can I write pf rules for this situation, in order to specify any interface, ng0, ng1, ...? I see that there isn't any possibility to use a wildcard in macros, something like this: ng_if=ng*. Obviously it isn't very easy to have a rule for every ng interface. How can this be resolved?
Re: write pf rules for acces concentrator server (pppoe)
An ng interface is a netgraph node (virtual interface), like tun or tap, that is used by the mpd4 daemon. Mpd4 acts as an access concentrator, in order to give access to the internet based on the pppoe method. I use FreeBSD as OS, with the pf firewall. This is why I post on the OpenBSD mailing list, because it is the father of pf :).

> On 2008-03-02, Fratiman Vladut [EMAIL PROTECTED] wrote:
>
> > Thanks! Works very well. Now, how can I configure the system in order to make these changes every time it boots? How can I add all ng interfaces to the ng group at boot time?
>
> What is an ng interface?
Re: write pf rules for acces concentrator server (pppoe)
On 2008-03-02, Fratiman Vladut [EMAIL PROTECTED] wrote:

> An ng interface is a netgraph node (virtual interface), like tun or tap, that is used by the mpd4 daemon. Mpd4 acts as an access concentrator, in order to give access to the internet based on the pppoe method. I use FreeBSD as OS, with the pf firewall. This is why I post on the OpenBSD mailing list, because it is the father of pf :).

that's quite an important thing to forget to mention... especially when you post to a list which is specifically about OpenBSD (there is a non-OS-specific PF list, btw).

here's a description from our ifconfig(8) manual page:

     group group-name
             Assign the interface to a ``group''. Any interface can be in multiple groups.

             For instance, such a group could be used to create a hardware independent pf(4) ruleset (i.e. not one based on the names of NICs) using existing (egress, carp, etc.) or user-defined groups.

             Some interfaces belong to specific groups by default:

             -   All interfaces are members of the all interface group.
             -   Cloned interfaces are members of their interface family group. For example, a PPP interface such as ppp0 is a member of the ppp interface family group.
             -   The interface(s) the default route(s) point to are members of the egress interface group.
             -   IEEE 802.11 wireless interfaces are members of the wlan interface group.

if you don't see something in your ifconfig manual, your OS probably doesn't support this feature.
Re: write pf rules for acces concentrator server (pppoe)
see ifconfig(4) and the group group-name keyword (also applicable to hostname.if).

Substitute the group-name for the interface name in the applicable pf rule. One group-name based rule covers off all the member interfaces. :-)

-Original Message-
From: Fratiman Vladut [EMAIL PROTECTED]
To: misc@openbsd.org
Subject: write pf rules for acces concentrator server (pppoe)
Date: Sun, 02 Mar 2008 00:10:50 +0200
Mailer: Thunderbird 2.0.0.12 (Windows/20080213)
Delivered-To: [EMAIL PROTECTED]

I have a pppoe server. How can I write pf rules for this situation, in order to specify any interface, ng0, ng1, ...? I see that there isn't any possibility to use a wildcard in macros, something like this: ng_if=ng*. Obviously it isn't very easy to have a rule for every ng interface. How can this be resolved?
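Added example, not written by any poster in this thread: a pf.conf fragment for OpenBSD that puts the per-interface rules the original question wanted to avoid next to the group-based form the replies describe. The `ppp` and `egress` groups are the defaults listed in the ifconfig(8) excerpt quoted earlier in the thread; the subscriber pool 10.64.0.0/16, the group name `subs` and the policy itself are assumptions made for illustration.

```conf
# pf.conf fragment (added example; OpenBSD interface groups assumed)

# Constructed value: address pool handed out to PPPoE subscribers.
clients = "10.64.0.0/16"

# Without groups, every session interface needs its own rule, and a new
# session arriving on ppp2 would match none of them:
#   pass in on ppp0 inet from $clients to any
#   pass in on ppp1 inet from $clients to any

# Default deny, so an interface outside the groups below passes nothing.
block log all

# "ppp" is the interface family group: it covers ppp0 .. pppN, including
# interfaces that are created after the ruleset was loaded.
# First drop subscriber traffic whose source is outside the assigned pool,
# then admit the rest.
block in quick on ppp inet from ! $clients to any
pass in on ppp inet from $clients to any

# "egress" follows the default route, so the uplink NIC name is not
# hard-coded in the ruleset.
pass out on egress inet from $clients to any

# A user-defined group is used the same way once interfaces have been
# assigned to it with ifconfig's "group group-name" keyword, for example
# a hypothetical group "subs":
#   pass in on subs inet from $clients to any
```

The fragment can be syntax-checked without loading it using `pfctl -nf` on the file.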