On Friday 25 March 2005 00:16, Jon Simola wrote:
> On Thu, 24 Mar 2005 16:48:48 -0600, BB <[EMAIL PROTECTED]> wrote:
> > However when I looked at the configuration file again the scrub rule
> > had the explicit interface name fxp0
> >
> > This new box doesn't have fxp0
>
> It will probably make sense if you think that some interfaces like
> vlan and tun are created and destroyed. You probably don't want to
> reload your firewall config every time you bring up a PPP link.
That's part of the reasoning. Also you usually want to have rules to block
PPP traffic *before* you bring up the link etc. ... in the end it's
hard^Wimpossible to satisfy everybody.

As for "detecting" this kind of foot-shooting, you can do a
"$pfctl -vsI | grep placeholder" after you loaded the ruleset. Something
that should probably go to a TBD "Debugging PF - best practices" article in
our doc tree. Any takers :-)

> ipfw has the same feature.

Not quite. IPFW just does pattern matching on the interface name, something
that is even more nasty and can be a lot of fun when you have vlan1 and
vlan11. But that's just a sidenote.

-- 
/"\  Best regards,                      | [EMAIL PROTECTED]
\ /  Max Laier                          | ICQ #67774661
 X   http://pf4freebsd.love2party.net/  | [EMAIL PROTECTED]
/ \  ASCII Ribbon Campaign              | Against HTML Mail and News
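A post-load check along the lines of the `pfctl -vsI | grep placeholder` suggestion above, as an added example that is not part of the thread. It assumes the verbose interface listing marks referenced-but-absent interfaces with "(placeholder)" (as in the pf of that era; the sample output is constructed, not captured from a real box) and lets you whitelist interfaces that legitimately come and go (tun, ppp), so only a stale name like fxp0 is reported.

```sh
#!/bin/sh
# Constructed sample of `pfctl -vsI` output. The "(placeholder)" marker for
# interfaces pf only knows from the ruleset is an assumption about the format.
SAMPLE_PFCTL_VSI='fxp0 (placeholder)
em0
lo0
tun0 (placeholder)
vlan11'

# Print the names of interfaces pf knows only as placeholders.
placeholder_ifaces() {
    printf '%s\n' "$1" | awk '/\(placeholder\)/ { print $1 }'
}

# Return 0 if every placeholder is in the allowed list (interfaces that are
# created and destroyed at run time, e.g. tun/ppp), 1 otherwise. Offenders
# such as a leftover fxp0 from an old config are printed on stdout.
check_placeholders() {
    output="$1"; allowed="$2"; rc=0
    for ifn in $(placeholder_ifaces "$output"); do
        case " $allowed " in
            *" $ifn "*) ;;
            *) printf 'unexpected placeholder interface: %s\n' "$ifn"; rc=1 ;;
        esac
    done
    return $rc
}

# On a live system, after `pfctl -f /etc/pf.conf`, replace the sample with:
#   check_placeholders "$(pfctl -vsI)" "tun0 ppp0"
check_placeholders "$SAMPLE_PFCTL_VSI" "tun0 ppp0"
```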