On Thu, Sep 27, 2018, at 06:16, Theo de Raadt wrote:
> Per-Olov Sjöholm <p...@incedo.org> wrote:
>
> > I can in the man page for PF see:
> >
> > --snip--
> > Interface names, interface group names, and self can have
> > modifiers appended:
> >
> > :0 Do not include interface aliases.
> > :broadcast Translates to the interface's broadcast
> > address(es).
> > :network Translates to the network(s) attached to the
> > interface.
> > :peer Translates to the point-to-point interface's peer
> > address(es).
> > --snip--
> >
> > Is there a special reason syntax like INTERNET_INT:1 won't work if we want
> > to use the first alias address from the hostname interface file?
> >
> > As it is now I have to use the base address by using ":0" or including all
> > aliases. For me this seems unusable. If I want to nat out on the alias
> > address from for example the DMZ I would like to use ":1". As this is not
> > possible I have to hard code the IPs in pf.conf.
>
> Yes there is a very good reason.
>
> Interface aliases are not what you think they are. A mistake was made
> more than two decades ago. If you reconfigure, they "roll".
>
> You should avoid use of :0, unless you need it. But definitely you do
> not want :1 or :2 etc.
Ahhh I see... Didn't know that. Many thanks for the answer.

I found it very convenient to not add the external IP into pf.conf, but let
the service itself harvest it from the interface. But it seems it is no longer
possible when you add more IPs to the external interface (unless you want them
all in the same rule of course). Not a biggie. Just interested to see if it is
possible to have more than one IP on the interface and not have them specified
in pf.conf...

How would you solve this example below? Should I hard code the IPs and only use
these and skip usage of ":0" in this case? Is there maybe a way to instead
create a separate sub interface for the alias IP so the sub interface could be
used in PF, but the resulting PF behaviour remains?

cat /etc/hostname.ix3
inet 192.168.0.100 255.255.255.0 192.168.0.255 description "INTERNET UPLINK TEST"
!ifconfig ix3 inet alias 192.168.0.101 netmask 255.255.255.255 broadcast 192.168.0.255

From pf.conf example
INTERNET_INT="ix3"
INTERNET_INT_IP1="192.168.0.100"   <<< Can this be avoided?
INTERNET_INT_IP2="192.168.0.102"   <<< Can this be avoided?

match out on $INTERNET_INT from $DMZ1_DAEDALUS to any nat-to $INTERNET_INT_IP2
match out on $INTERNET_INT from $LAN_INT:network to any nat-to $INTERNET_INT:0

Tnx
Peo
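The thread ends without a worked answer, so here is an added example (editor's code, not Theo's or Peo's, and not part of the original thread) of the two things a practitioner can still do once the addresses are hard-coded in pf.conf as Theo suggests: check those hard-coded nat-to addresses against what ifconfig(8) actually reports on the interface, and, where "all aliases in one rule" is acceptable, push the aliases into a pf table at runtime instead of listing them in pf.conf. The function names, the table name `ext_aliases`, and the sample ifconfig output are all my own assumptions; the script assumes OpenBSD ifconfig output lines of the form "inet A netmask 0xHHHHHHHH broadcast B". Picking an alias by position (a ":1") is deliberately not offered, since that is exactly the rolling Theo warns about.

```sh
#!/bin/sh
# Added example, not from the thread above.  Harvests the IPv4 addresses of
# an interface from ifconfig(8) output so that the addresses hard-coded in
# pf.conf (INTERNET_INT_IP1/IP2 in Peo's example) can be checked against what
# is really configured, and so that all aliases can be pushed into a pf table
# without listing them in pf.conf.  Assumes OpenBSD ifconfig output lines of
# the form "inet A netmask 0xHHHHHHHH broadcast B" and, for load_alias_table,
# a pf.conf containing "table <ext_aliases> persist" (assumed table name).

# All inet addresses of the interface, one per line, in ifconfig order.
# ifconfig output is read from stdin so the function can be tested offline.
inet_addrs() {
    awk '$1 == "inet" { print $2 }'
}

# Only the alias addresses: aliases added with "ifconfig IF inet alias A
# netmask 255.255.255.255" show up with netmask 0xffffffff.  Their order is
# not stable across reconfiguration (the "roll" Theo refers to), so never
# select one of these by position.
alias_addrs() {
    awk '$1 == "inet" && $4 == "0xffffffff" { print $2 }'
}

# Exit 0 if address $1 is currently configured on the interface whose ifconfig
# output is on stdin, 1 otherwise.  A nat-to address that is not on the
# interface is the thing to catch here: pf accepts the rule, return traffic
# just never arrives.
has_addr() {
    awk -v want="$1" '$1 == "inet" && $2 == want { found = 1 } END { exit !found }'
}

# check_pf_macros IF ADDR... : verify every ADDR used in pf.conf is still on IF.
# Returns the number of missing addresses, so 0 means all are present.
check_pf_macros() {
    iface=$1; shift
    missing=0
    for a in "$@"; do
        if ! ifconfig "$iface" | has_addr "$a"; then
            echo "pf.conf uses $a but it is not configured on $iface" >&2
            missing=$((missing + 1))
        fi
    done
    return $missing
}

# load_alias_table IF TABLE : replace TABLE's contents with all aliases of IF.
# Meant for a rule such as "nat-to <ext_aliases>", which round-robins over
# the table; there is no way to say "the second alias" here, on purpose.
load_alias_table() {
    addrs=$(ifconfig "$1" | alias_addrs)
    # $addrs is intentionally unquoted: one argument per address.
    pfctl -t "$2" -T replace $addrs
}

# Constructed sample of what "ifconfig ix3" prints for Peo's hostname.ix3,
# used to exercise the parsers without touching a live system.
SAMPLE_IFCONFIG='ix3: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        description: INTERNET UPLINK TEST
        inet 192.168.0.100 netmask 0xffffff00 broadcast 192.168.0.255
        inet 192.168.0.101 netmask 0xffffffff broadcast 192.168.0.255'

# Live usage:   check_pf_macros ix3 192.168.0.100 192.168.0.102
# Offline:      printf '%s\n' "$SAMPLE_IFCONFIG" | alias_addrs   # -> 192.168.0.101
```

Run check_pf_macros from rc.local or a cron job after hostname.if changes; against the sample above it would flag 192.168.0.102, because the alias actually configured is 192.168.0.101. The table approach only helps when all aliases may be used for the same rule, which is the limitation Peo already noted.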