From: Toomas Pelberg
To: freebsd-pf@freebsd.org
Date: Wed, 15 Aug 2007 00:46:48 +0300
Message-Id: <1187128008.64655.9.camel@detalem.kicks-ass.net>
Subject: pfctl -i
List-Id: "Technical discussion and general questions about packet filter (pf)"

The pfctl man page says:

    -i interface    Restrict the operation to the given interface.

..what exactly is meant by the word "operation"?
My problem: I want to load a different ruleset for each interface (jails) and not care about what's in the ruleset as long as it doesn't affect anything outside the jail (which is bound to a specific IP on a separate interface).

I tried loading

    pfctl -i lo1 -f test.fire

which contained "block quick all" ..which promptly killed everything :/

And no, it's not about using the loopback interface.. the same goes for "real" interfaces like nve & fxp. Neither does it restrict you from loading "block quick on another_interface all" and still killing everything..

OpenBSD seems to act the same, so it's probably not a porting bug.
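Since the mail shows that pfctl -i does not stop a ruleset from affecting other interfaces, here is an added pre-load check (not part of the original mail, and not a pf or pfctl feature): a POSIX sh function that refuses a ruleset unless every pass/block rule is explicitly scoped with "on <iface>" in the rule text itself. The sample rulesets and the file names are constructed for the example; it assumes one rule per line and does not handle brace-grouped interface lists.

```shell
# Added example, not from the original mail. Rejects a pf ruleset whose
# pass/block rules are not scoped to one interface, because "pfctl -i"
# does not scope rule loading; the rules themselves must carry "on <iface>".

# check_scoped FILE IFACE -> 0 if every pass/block rule names "on IFACE",
# 1 otherwise (the offending rules are printed on stderr).
check_scoped() {
    file=$1
    iface=$2
    # Drop comments, keep only filter rules, then keep those lacking "on IFACE".
    # Limitation (assumption): one rule per line, no "on { a b }" lists.
    unscoped=$(sed -e 's/#.*//' "$file" \
        | grep -E '^[[:space:]]*(pass|block)([[:space:]]|$)' \
        | grep -Ev "[[:space:]]on[[:space:]]+$iface([[:space:]]|$)" || true)
    if [ -n "$unscoped" ]; then
        printf 'unscoped rule(s) for %s:\n%s\n' "$iface" "$unscoped" >&2
        return 1
    fi
    return 0
}

# Constructed sample rulesets for the demo (not the mail's test.fire).
write_samples() {
    dir=$1
    cat > "$dir/unscoped.fire" <<'EOF'
# what the mail loaded with "pfctl -i lo1": hits every interface
block quick all
EOF
    cat > "$dir/scoped.fire" <<'EOF'
# same intent, but each filter rule names the jail interface
set skip on lo0
block in quick on lo1 all
pass out quick on lo1 all keep state
EOF
}

# Demo: the unscoped file is rejected, the scoped one is accepted.
# Only a ruleset that passes should be handed to "pfctl -nf" and then loaded.
demo_dir=$(mktemp -d)
write_samples "$demo_dir"
for f in unscoped scoped; do
    if check_scoped "$demo_dir/$f.fire" lo1 2>/dev/null; then
        echo "$f.fire: ok"
    else
        echo "$f.fire: rejected"
    fi
done
rm -rf "$demo_dir"
```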