From owner-freebsd-pf@FreeBSD.ORG Thu Sep 29 09:10:34 2005
From: "Travis H."
To: Max Laier
Cc: freebsd-pf@freebsd.org
Date: Thu, 29 Sep 2005 04:10:33 -0500
Subject: Re: PF in /etc/rc.d: some issues
In-Reply-To: <200509221413.03576.max@love2party.net>
References: <20050922112017.GB16325@comp.chem.msu.su> <200509221413.03576.max@love2party.net>
I had a number of similar issues when dealing with DHCP interfaces back in the day.

The $variable substitution that pf currently does is sufficient for many cases, and the (ifc0) lookup helps with DHCP, but there are still corner cases. For example, what does antispoof do regarding an interface with IP 0.0.0.0/32, as DHCP interfaces start out? What happens to antispoof rules if your DHCP IP changes due to lease expiration?

Writing a script which generates rules and feeds them to pfctl is pretty straightforward and I recommend it over a static file.

--
http://www.lightconsulting.com/~travis/ -><-
GPG fingerprint: 50A1 15C5 A9DE 23B9 ED98 C93E 38E9 204A 94C2 641B
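The approach Travis recommends, a script that generates the rule set and feeds it to pfctl, as an added example that is not part of the original message or of the FreeBSD rc.d scripts. It sidesteps the two corner cases he raises by emitting the antispoof rule only once the interface actually holds a lease, and by being re-runnable (for instance from a dhclient hook) whenever the address changes. The interface name em0, the rule layout and the use of `pfctl -f -` are assumptions for illustration.

```shell
#!/bin/sh
# Added example (not from the original message): generate pf rules for a
# DHCP-managed interface and load them with pfctl. Interface name, rule
# layout and the pfctl invocation are assumptions.

# Print the current IPv4 address of interface $1 (empty if none assigned).
iface_ip() {
    ifconfig "$1" 2>/dev/null | awk '$1 == "inet" { print $2; exit }'
}

# Emit a rule set for interface $1 holding address $2 on stdout.
# pf evaluates rules last-match-wins, so the default block comes first and
# the narrower pass rules after it.
gen_pf_rules() {
    ext_if=$1
    ext_ip=$2
    printf 'set skip on lo0\n'
    printf 'block in on %s all\n' "$ext_if"
    case $ext_ip in
        ""|0.0.0.0)
            # No lease yet (0.0.0.0 is what a DHCP interface starts with):
            # do not emit antispoof, which would be built from a meaningless
            # address; only let the DHCP exchange itself through.
            printf 'pass out on %s proto udp from any port 68 to any port 67\n' "$ext_if"
            printf 'pass in on %s proto udp from any port 67 to any port 68\n' "$ext_if"
            ;;
        *)
            # Lease held: antispoof is now derived from a real address and
            # outbound traffic is tied to it, so a changed lease produces a
            # different rule set the next time this script runs.
            printf 'antispoof for %s inet\n' "$ext_if"
            printf 'pass out on %s inet from %s to any keep state\n' "$ext_if" "$ext_ip"
            ;;
    esac
}

# Regenerate and load the rule set; re-run this whenever the lease changes.
load_rules() {
    gen_pf_rules "$1" "$(iface_ip "$1")" | pfctl -f -
}

# Usage: sh gen_rules.sh em0  (requires root and a pf-enabled system)
if [ "${1:-}" != "" ]; then
    load_rules "$1"
fi
```

Because `gen_pf_rules` only writes to stdout, the generated set can be inspected or checked with `pfctl -nf -` before it is loaded, which is the main advantage over editing a static file by hand.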