duplicate rule on :broadcast
Jon Simola
jsimola at gmail.com
Thu Sep 6 15:16:42 PDT 2007
On 9/6/07, Gergely CZUCZY <phoemix at harmless.hu> wrote:
> Hello
>
> I've got a configuration where I've got 2 IPs on em0
> from the very same subnet. This means they have the
> same broadcast address.
ifconfig(8) suggests:
alias Establish an additional network address for this interface. This
is sometimes useful when changing network numbers, and one wishes
to accept packets addressed to the old interface. If the address
is on the same subnet as the first network address for this
interface, a non-conflicting netmask must be given. Usually
0xffffffff is most appropriate.
> Is it really necessary to have duplicates when the
> broadcast addresses of the assigned addresses are the
> very same?
pfctl doesn't check to see if rules created by expansion make sense or duplicate
other rules. Doing so would increase the complexity, and duplicate rules end up
getting skipped anyways. You may want to check out the -o option for optimizing
the running ruleset, or you can rewrite your rule to avoid using :broadcast:
if_inet = "int0"
table <if_inet> persist {$if_inet}
block in quick on $if_inet from any to !<if_inet> port 137 label "broadcast deny"
That has the same effect (block stuff that isn't explicitly addressed to me), and
doesn't expand to more than a single rule.
--
Jon
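As an added illustration of the expansion behaviour discussed in this thread (this is a model written for this page, not pfctl's own parser code), the script below computes the broadcast address of each configured address on an interface, expands an `em0:broadcast` rule into one rule per address the way pfctl's interface modifiers do, and then removes the textual duplicates that a same-subnet alias produces. The interface name, the addresses and the rule text are constructed sample values; the de-duplication step is only a stand-in for what the `-o` ruleset optimiser is relied on to do, and the rendered rule is a simplified pf.conf line.

```python
"""Model of how an interface modifier such as :broadcast expands into
per-address rules, and why two aliases in the same subnet yield a
duplicate.  Added example for the freebsd-pf thread; not pfctl code."""
from ipaddress import ip_interface

# Constructed sample: em0 carries two aliases from the same /24,
# which is the situation described in the question.
EM0_ADDRS = ["192.0.2.10/24", "192.0.2.11/24"]

# Rule template containing the modifier (interface name is constructed).
RULE = "block in quick on em0 from any to em0:broadcast port 137"


def broadcast_addrs(addrs):
    """Broadcast address of each configured address, in config order.

    Uses the address's own netmask, so a /32 alias (the netmask that
    ifconfig(8) recommends for a same-subnet alias) has no /24
    broadcast of its own.
    """
    return [str(ip_interface(a).network.broadcast_address) for a in addrs]


def expand_rule(rule, iface, addrs):
    """Expand every '<iface>:broadcast' into one rule per broadcast address."""
    token = f"{iface}:broadcast"
    return [rule.replace(token, b) for b in broadcast_addrs(addrs)]


def deduplicate(rules):
    """Drop textual duplicates while preserving order.

    Stand-in for the duplicate removal the reader relies on the
    ruleset optimiser (pfctl -o) for; a duplicate rule that stays in
    the loaded ruleset is merely skipped at evaluation time.
    """
    seen = set()
    out = []
    for r in rules:
        if r not in seen:
            seen.add(r)
            out.append(r)
    return out


if __name__ == "__main__":
    expanded = expand_rule(RULE, "em0", EM0_ADDRS)
    print("expanded ruleset:")
    for r in expanded:
        print("  " + r)
    print("after duplicate removal:")
    for r in deduplicate(expanded):
        print("  " + r)
```

Running it prints the same rule twice for the two /24 aliases and a single rule after de-duplication; giving the second alias a different subnet (or a /32 netmask) changes the second broadcast and so the second rule.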