From owner-freebsd-pf@FreeBSD.ORG Thu Sep 6 22:16:42 2007
Date: Thu, 6 Sep 2007 15:16:41 -0700
From: "Jon Simola" <jsimola@gmail.com>
To: "Gergely CZUCZY"
Message-ID: <8eea04080709061516k5a35e15qdf85a5f3be34af7b@mail.gmail.com>
In-Reply-To: <20070906203936.GA7448@harmless.hu>
Content-Type: text/plain; charset=ISO-8859-1
References:
<20070906203936.GA7448@harmless.hu>
Cc: freebsd-pf@freebsd.org
Subject: Re: duplicate rule on :broadcast
List-Id: "Technical discussion and general questions about packet filter (pf)"

On 9/6/07, Gergely CZUCZY wrote:
> Hello
>
> I've got a configuration when I've got 2 IPs on em0
> from the very same subnet. This means they have the
> same broadcast address.

ifconfig(8) suggests:

     alias   Establish an additional network address for this interface.
             This is sometimes useful when changing network numbers, and
             one wishes to accept packets addressed to the old interface.
             If the address is on the same subnet as the first network
             address for this interface, a non-conflicting netmask must
             be given. Usually 0xffffffff is most appropriate.

> Is it really necessary to have duplicates when the
> broadcast addresses of the assigned addresses are the
> very same?

pfctl doesn't check to see if rules created by expansion make sense or
duplicate other rules. Doing so would increase the complexity, and
duplicate rules end up getting skipped anyways.

You may want to check out the -o option for optimizing the running
ruleset, or you can rewrite your rule to avoid using :broadcast:

    if_inet = "int0"
    table persist {$if_inet}
    block in quick on $if_inet from any to ! port 137 label "broadcast deny"

That has the same effect (block stuff that isn't explicitly addressed to
me), and doesn't expand to more than a single rule.

--
Jon
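The expansion Jon describes, modelled as an added example that is not pfctl's code and not from the thread: two aliases on the same subnet give the same broadcast address, so a rule using `em0:broadcast` expands to two identical rules, and a dedup pass (the effect `pfctl -o` has on such duplicates) collapses them. The interface addresses and the broadcast computation (address | ~netmask) are constructed assumptions for the model.

```python
# Added example: a small model of how a pf rule containing <if>:broadcast is
# expanded into one concrete rule per configured address, and why two aliases
# on the same subnet produce a duplicate rule. Not pfctl's code; the address
# data is constructed and the broadcast is computed as address | ~netmask.
from ipaddress import IPv4Interface

# Constructed: em0 with a primary address and an alias on the same /24,
# the configuration described in the question.
EM0_SAME_SUBNET = ["192.0.2.10/24", "192.0.2.11/24"]
# Constructed: the alias given the 0xffffffff netmask that ifconfig(8) suggests.
EM0_HOST_MASK_ALIAS = ["192.0.2.10/24", "192.0.2.11/32"]

RULE = ('block in quick on em0 from any to em0:broadcast port 137 '
        'label "broadcast deny"')


def broadcast_addresses(addresses):
    """Broadcast address of each configured address, in configuration order."""
    return [str(IPv4Interface(a).network.broadcast_address) for a in addresses]


def expand_rule(rule, addresses):
    """Replace em0:broadcast with one rule per broadcast address, keeping
    duplicates exactly as the expansion produces them (what the user saw)."""
    return [rule.replace("em0:broadcast", b) for b in broadcast_addresses(addresses)]


def optimize(rules):
    """Drop exact duplicates while preserving rule order, which is the part of
    ruleset optimization that removes the duplicate broadcast rules."""
    seen, kept = set(), []
    for r in rules:
        if r not in seen:
            seen.add(r)
            kept.append(r)
    return kept


if __name__ == "__main__":
    for label, addrs in (("same subnet", EM0_SAME_SUBNET),
                         ("alias with /32", EM0_HOST_MASK_ALIAS)):
        expanded = expand_rule(RULE, addrs)
        print(f"{label}: {len(expanded)} expanded, {len(optimize(expanded))} after dedup")
```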