Isn't there a way to parse, don't load rules and complain about syntax errors or missing variables?
Max Laier
max at love2party.net
Thu Mar 24 16:23:18 PST 2005
On Friday 25 March 2005 00:16, Jon Simola wrote:
> On Thu, 24 Mar 2005 16:48:48 -0600, BB <brent.bolin at gmail.com> wrote:
> > However when I looked at the configuration file again the scrub rule
> > had the explicit interface name fxp0
> >
> > This new box doesn't have fxp0
>
> It will probably make sense if you think that some interfaces like
> vlan and tun are created and destroyed. You probably don't want to
> reload your firewall config every time you bring up a PPP link.
That's part of the reasoning. Also you usually want to have rules to block
PPP traffic *before* you bring up the link etc. ... in the end it's
hard^Wimpossible to satisfy everybody. As for "detecting" this kind of
foot-shooting, you can do a "$pfctl -vsI | grep placeholder" after you loaded
the ruleset. Something that should probably go to a TBD "Debugging PF - best
practices" article in our doc tree. Any takers :-)
> ipfw has the same feature.
Not quite. IPFW just does pattern matching on the interface name, something
that is even more nasty and can be a lot of fun when you have vlan1 and
vlan11. But that's just a sidenote.
--
/"\ Best regards, | mlaier at freebsd.org
\ / Max Laier | ICQ #67774661
X http://pf4freebsd.love2party.net/ | mlaier at EFnet
/ \ ASCII Ribbon Campaign | Against HTML Mail and News
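An added example, not code from this thread or from the pf project, that turns Max's point into a pre-load check: pf loads a rule naming an interface the box does not have and just creates a placeholder for it, so the script below lints a pf.conf for interface names after `on` that are not in the live interface list (the `ifconfig -l` call and the sample ruleset are assumptions, and `pfctl -nf` is the parse-only answer to the subject line's question).

```shell
# Added example (not from the thread). Pre-load lint for a pf.conf: report
# interface names used after "on" that the running box does not have, which
# pf itself would accept silently (creating a placeholder) at "pfctl -f".

# Print every literal interface name following "on" in a ruleset read from
# stdin. Macros ($ext_if) are skipped, since "pfctl -nf" already expands and
# checks those; "on !fxp0" and "on { fxp0, em0 }" forms are handled.
rule_ifaces() {
  sed 's/#.*//' | awk '
  {
    for (i = 1; i <= NF; i++) {
      if ($i != "on") continue
      j = i + 1
      if ($j ~ /^[{]/) {                 # brace list form
        for (; j <= NF; j++) {
          t = $j; gsub(/[{},]/, "", t)
          if (t != "") print t
          if ($j ~ /[}]/) break
        }
      } else {
        t = $j; sub(/^!/, "", t)         # negated interface
        if (t != "" && t !~ /^\$/) print t
      }
    }
  }' | sort -u
}

# Usage: missing_ifaces <pf.conf> "<space-separated live interface names>"
# Prints rule interface names absent from the live list. Interface *group*
# names (e.g. "vlan") are legitimately absent from ifconfig -l, so read the
# output as a warning list, not as hard errors.
missing_ifaces() {
  ruleset=$1; have=" $2 "
  rule_ifaces < "$ruleset" | while read -r ifn; do
    case "$have" in *" $ifn "*) ;; *) echo "$ifn" ;; esac
  done
}

# Constructed sample: the scrub rule mirrors the thread's copied-over fxp0.
SAMPLE_CONF=$(mktemp)
cat > "$SAMPLE_CONF" <<'EOF'
ext_if = "em0"
scrub in on fxp0 all
pass out on $ext_if keep state
block in on { fxp0, lo0 } all
EOF
# On a live FreeBSD box: missing_ifaces /etc/pf.conf "$(ifconfig -l)"
# then, after loading, the thread's check: pfctl -vsI | grep placeholder
missing_ifaces "$SAMPLE_CONF" "em0 lo0"      # prints: fxp0
rm -f "$SAMPLE_CONF"
```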