From: Giorgos Keramidas
To: "J.D. Bronson"
cc: freebsd-questions@freebsd.org
Date: Tue, 8 Mar 2005 15:04:12 +0200
Subject: Re: pf question
Message-ID: <20050308130412.GA77181@orion.daedalusnetworks.priv>
In-Reply-To: <6.2.0.14.2.20050308064913.00b190b0@localhost>
References: <6.2.0.14.2.20050308064913.00b190b0@localhost>

On 2005-03-08 06:49, "J.D. Bronson" wrote:
> First my ifconfig -A:
>
> # ifconfig -A
> bge0: flags=8843 mtu 1500
> address: xxxxxxxxxxxx
> media: Ethernet autoselect (100baseTX full-duplex)
> status: active
> inet 192.168.82.1 netmask 0xffffff00 broadcast 192.168.82.255
> inet 192.168.82.2 netmask 0xffffffff broadcast 192.168.82.2
>
> I use a rule in the firewall such as this:
> # macros
> int_if = "bge0"
>
> pass in on $int_if from $int_if:network to any modulate state
> pass out on $int_if from any to $int_if:network modulate state
>
> This expands to:
> pass in on bge0 inet from 192.168.82.0/24 to any modulate state
> pass in on bge0 inet from 192.168.82.2 to any modulate state
> pass out on bge0 inet from any to 192.168.82.0/24 modulate state
> pass out on bge0 inet from any to 192.168.82.2 modulate state
>
> Why does it pick the alias IP on the nic and not the actual IP?
> Is this intended by design?

Because the first IP address has a netmask with zero bits, and pf is smart enough to recognize this as part of a subnet/network (this is, after all, the meaning of the :network modifier). The alias IP has a netmask of 0xffffffff, which may match only that alias address.
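An added illustration of the translation described in the reply, not part of the original thread or of pf itself: a small Python model of what `:network` does to each address on an interface (address AND netmask, keeping the mask's prefix length), run over the two bge0 addresses from the quoted ifconfig output. The function names and the address table are the example's own; pf's real expansion is done by pfctl, and `pfctl -nvf /etc/pf.conf` is the way to see it for a live ruleset.

```python
import ipaddress

# Constructed sample: the two inet addresses of bge0 as the quoted
# "ifconfig -A" output lists them (address, netmask in ifconfig's hex form).
BGE0_ADDRS = [
    ("192.168.82.1", "0xffffff00"),   # primary address, /24 subnet
    ("192.168.82.2", "0xffffffff"),   # alias with a host (/32) netmask
]


def expand_network(addrs):
    """Model pf's ':network' interface modifier.

    Each address becomes the network it belongs to: the address masked by
    its netmask, with the mask's prefix length.  A /24 netmask yields the
    whole subnet; a /32 alias has no host bits, so it collapses to the
    alias address alone, which is exactly what the quoted expansion shows.
    """
    nets = []
    for addr, hexmask in addrs:
        # Turn ifconfig's 0xffffff00 into dotted form for the ipaddress module.
        mask = str(ipaddress.IPv4Address(int(hexmask, 16)))
        net = ipaddress.ip_interface(f"{addr}/{mask}").network
        # pf prints a /32 network as a bare host address rather than x.x.x.x/32.
        nets.append(str(net.network_address) if net.prefixlen == 32 else str(net))
    return nets


def expand_rules(int_if, addrs):
    """Expand the two macro rules from the question the way pf lists them:
    one 'pass in' and one 'pass out' rule per network that ':network' yields."""
    nets = expand_network(addrs)
    rules = [f"pass in on {int_if} inet from {n} to any modulate state" for n in nets]
    rules += [f"pass out on {int_if} inet from any to {n} modulate state" for n in nets]
    return rules


if __name__ == "__main__":
    for rule in expand_rules("bge0", BGE0_ADDRS):
        print(rule)
```

If only the real subnet is wanted, writing the network explicitly (for example `192.168.82.0/24`) in the rule, or removing the alias from the interface, avoids the extra /32 rule.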