From: lev-bazanov@mail.ru
To: freebsd-pf@freebsd.org
Date: Fri, 30 Jun 2006 11:06:02 +0400
Subject: problem with keyword self

Hello, All.

There is a problem in pf when I try to add rules with the keyword "self".
Example: my box has three physical interfaces and one loopback interface:

    fxp0 - 10.0.0.1
    fxp1 - 20.0.0.1
    fxp3 - 30.0.0.1
    lo0  - 127.0.0.1

Add rules in pf:

---- pf.conf ----
block drop in quick from any to self
pass in quick all
---- pf.conf ----

# pfctl -f /etc/pf.conf
# pfctl -q -s rules
block drop in quick inet from any to 10.0.0.1
block drop in quick inet from any to 20.0.0.1
block drop in quick inet from any to 30.0.0.1
block drop in quick inet from any to 127.0.0.1
pass in quick all
#
# ifconfig fxp0 50.0.0.1
# pfctl -q -s rules
block drop in quick inet from any to 10.0.0.1
block drop in quick inet from any to 20.0.0.1
block drop in quick inet from any to 30.0.0.1
block drop in quick inet from any to 127.0.0.1
pass in quick all

Result of this command: all incoming traffic on interface fxp0 will be passed. This situation is not correct, because I want to disable all traffic on fxp0, even after changing the IP address on fxp0.

A similar situation happens when I try to add a rule in pf with a table which contains an interface's name or the keyword "self". For example:

1. Table contains the name of an interface

----- pf.conf -----
table { fxp0 }
block drop in quick from any to
----- pf.conf -----

# pfctl -f /etc/pf.conf
# pfctl -q -s rules
block drop in quick from any to
# pfctl -q -t test -T show
   10.0.0.1
# ifconfig fxp0 50.0.0.1
# pfctl -q -t test -T show
   10.0.0.1

2. Table contains the keyword "self"

----- pf.conf ----
table { self }
block drop in quick from any to
----- pf.conf ----

# pfctl -f /etc/pf.conf
# pfctl -q -s rules
block drop in quick from any to
# pfctl -q -t test -T show
   10.0.0.1
   20.0.0.1
   30.0.0.1
   127.0.0.1
# ifconfig fxp0 50.0.0.1
# pfctl -q -t test -T show
   10.0.0.1
   20.0.0.1
   30.0.0.1
   127.0.0.1

Is there some means in pf which correctly resolves the described situations? For example, like the "me" keyword in ipfw.

-- 
Best regards,
Lev Bazanov
mailto:lev-bazanov@mail.ru
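As an added example (not part of the original message), a pf.conf that expresses the same intent without depending on addresses expanded at load time. It assumes the interface names from the post and the parenthesized interface syntax documented in pf.conf(5), under which pf re-evaluates the interface's addresses when they change instead of fixing them at pfctl -f time.

```pf
# Added example, not from the original message. Interface names are the
# ones given in the post; the "self" vs. "(ifname)" behaviour is the one
# described in pf.conf(5).

# The rule from the post: "self" is expanded to the interfaces' addresses
# when the ruleset is loaded, so after "ifconfig fxp0 50.0.0.1" the rule
# still matches 10.0.0.1 until the ruleset is reloaded with pfctl -f.
# block drop in quick from any to self

# 1. Filtering by interface instead of by address does not depend on the
#    address at all: everything arriving on fxp0 is dropped whatever
#    address fxp0 currently carries.
block drop in quick on fxp0 all

# 2. Where the rule has to match the interface's own address, an interface
#    name in parentheses is tracked by pf: when the interface's address
#    changes, the rule follows it without a ruleset reload. Listing every
#    interface this way covers the same addresses "self" expanded to.
block drop in quick from any to (fxp0)
block drop in quick from any to (fxp1)
block drop in quick from any to (fxp3)
block drop in quick from any to (lo0)

pass in quick all
```

After loading, `pfctl -s rules` shows the parenthesized rules with the interface name rather than a fixed address, which is how to confirm the dynamic form was accepted.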