PF in /etc/rc.d: some issues

Travis H. solinym at gmail.com
Thu Sep 29 02:10:34 PDT 2005


I had a number of similar issues when dealing with DHCP interfaces
back in the day.  The $variable substitution that pf currently does is
sufficient for many cases, and the (ifc0) lookup helps with DHCP, but
there are still corner cases.  For example, what does antispoof do
regarding an interface with IP 0.0.0.0/32, as DHCP interfaces start
out?  What happens to antispoof rules if your DHCP IP changes due to
lease expiration?

Writing a script which generates rules and feeds them to pfctl is
pretty straightforward and I recommend it over a static file.
--
http://www.lightconsulting.com/~travis/  -><-
GPG fingerprint: 50A1 15C5 A9DE 23B9 ED98 C93E 38E9 204A 94C2 641B
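
An added example, not part of the original post: one way to write the rule-generating script the message recommends, regenerating the ruleset from the interface's current address and leaving the antispoof rule out while the interface has no lease. The interface name fxp0, the SSH policy and the function names are assumptions made for illustration.

```sh
#!/bin/sh
# Added example (not from the original post): build a pf ruleset from the
# interface's current IPv4 address and load it through pfctl's stdin.

# Read `ifconfig IFACE inet` output on stdin, print the first IPv4 address.
parse_addr() {
    while read -r key val rest; do
        if [ "$key" = "inet" ]; then printf '%s\n' "$val"; return 0; fi
    done
    return 0    # no address line: print nothing
}

# gen_rules IFACE ADDR: print the ruleset. The policy is constructed for
# illustration (default deny inbound, SSH in, everything out).
gen_rules() {
    ifc=$1 addr=$2
    # Both values are pasted into rule text, so reject anything unexpected.
    case $ifc in ""|*[!A-Za-z0-9_]*) echo "bad interface" >&2; return 1;; esac
    case $addr in *[!0-9.]*) echo "bad address" >&2; return 1;; esac
    case $addr in
        ""|0.0.0.0)
            echo "# $ifc has no lease yet: antispoof rule withheld"
            echo "block in all"
            ;;
        *)
            echo "antispoof quick for $ifc inet"
            echo "block in all"
            echo "pass in on $ifc inet proto tcp from any to $addr port 22 keep state"
            ;;
    esac
    echo "pass out on $ifc keep state"
}

# Generate, syntax-check with -n (parse only, nothing loaded), then load.
load_rules() {
    addr=$(ifconfig "$1" inet | parse_addr)
    rules=$(gen_rules "$1" "$addr") || return 1
    printf '%s\n' "$rules" | pfctl -nf - || return 1
    printf '%s\n' "$rules" | pfctl -f -
}

# Run as "script load fxp0", for example whenever the DHCP lease changes.
if [ "${1:-}" = "load" ]; then load_rules "${2:?interface name required}"; fi
```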

