Re: Translate IPFW rules to PF rules



Ross,

Thanks for the warning, but I only have static interfaces. I will take
it into account, though ... you never know what the future brings.

Thx

Bert.

"Ross Alexander" <rwa@xxxxxxxxxxxxxx> wrote in message
news:86k60kq682.fsf@xxxxxxxxxxxxxxxxx
"Bert Moorthaemer" <nospam.bert.moorthaemer@xxxxxxxxxx> writes:

Hi Ross,

Thanks! I already saw some references to the "self" keyword, but I
couldn't find anything about it in the documentation.

"Ross Alexander" <rwa@xxxxxxxxxxxxxx> wrote in message
first, get a table into scope and load it up with the necessary values:

table <SELF> persist { self }

then refer to <SELF> in the obvious way. [...]

Bert,

One caveat with this technique is that if you have interfaces that
come and go - i.e., dynamically created GRE tunnel endpoints or that
sort of thing - the <SELF> table will need to be manually updated as
the new self IP addrs appear and again as they disappear. It doesn't
happen automagically, which is Something to Know.

pfctl -t SELF -T add new.self.ip.addr
pfctl -t SELF -T delete old.self.ip.addr

However, if you load your pf rules after you've created and assigned
all your interfaces you needn't worry about this, because the "self"
reserved word DOES track the comings and goings of interfaces.

Another trick I often use is to add the broadcast addresses for my
various nets to <SELF> (and sometimes 255.255.255.255 as well), then
things like

anchor to_self inet from any to <SELF>

have a more intuitive meaning. So the table set up might become

table <SELF> persist { \
self, \
$Ext_If:broadcast, \
$Int_If:broadcast, \
$DMZ_If:broadcast, \
255.255.255.255 \
}

and so on.

regards,
Ross
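A small helper for the manual-update caveat described above, added here as an example and not code from the thread. It assumes a table named SELF and FreeBSD-style ifconfig output; the ifconfig text embedded below is constructed, and the part that decides what to add or delete is kept separate from the part that runs pfctl so it can be checked without root or pf.

```sh
#!/bin/sh
# Added example (not from the thread): bring a pf table in line with the
# host's own addresses when "self" cannot, i.e. for interfaces created
# after the rules were loaded. Assumes FreeBSD ifconfig output.

# Print the address and, if present, the broadcast address of every IPv4
# "inet" line of ifconfig output read on stdin, one per line.
wanted_addrs() {
    awk '$1 == "inet" {
        print $2
        for (i = 3; i <= NF; i++) if ($i == "broadcast") print $(i + 1)
    }'
}

# self_sync_cmds TABLE "CURRENT..." "WANTED..."
# Emit (do not run) the pfctl commands that turn CURRENT into WANTED.
self_sync_cmds() {
    table=$1 current=$2 wanted=$3
    for a in $wanted; do
        case " $current " in
            *" $a "*) ;;   # already in the table
            *) printf 'pfctl -t %s -T add %s\n' "$table" "$a" ;;
        esac
    done
    for a in $current; do
        case " $wanted " in
            *" $a "*) ;;   # still wanted
            *) printf 'pfctl -t %s -T delete %s\n' "$table" "$a" ;;
        esac
    done
}

# Real use (needs root and a running pf): compare the live table with
# ifconfig, keep 255.255.255.255 as in the post, and apply the difference.
sync_self_table() {
    table=${1:-SELF}
    current=$(pfctl -t "$table" -T show | tr -s '[:space:]' ' ')
    wanted=$(ifconfig | wanted_addrs | tr '\n' ' ')
    self_sync_cmds "$table" "$current" "$wanted 255.255.255.255" | sh
}

# Constructed sample: a static NIC plus a GRE tunnel that came up later.
SAMPLE_IFCONFIG='em0: flags=8843<UP,BROADCAST,RUNNING> mtu 1500
        inet 192.0.2.10 netmask 0xffffff00 broadcast 192.0.2.255
gre0: flags=9051<UP,POINTOPOINT,RUNNING> mtu 1476
        inet 10.0.0.1 --> 10.0.0.2 netmask 0xffffffff'

# Offline run: the table (constructed) holds only the em0 addresses.
demo() {
    wanted=$(printf '%s\n' "$SAMPLE_IFCONFIG" | wanted_addrs | tr '\n' ' ')
    self_sync_cmds SELF "192.0.2.10 192.0.2.255 255.255.255.255" \
        "$wanted 255.255.255.255"
}
demo
```

Running the file as-is only prints the one command the GRE tunnel needs; sync_self_table is the variant to hook into whatever brings the tunnel up or down.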
