> The problem at hand is how to define the macros ext_if and int_if for a
> system with multiple interfaces.
> Neither pf.conf(5) nor "the book of PF" give a working example where the
> macro holds more than one name.
>
> This is the only existing example of relevant syntax in pf.conf(5):
>
> > ext_if = "kue0"
> > all_ifs = "{" $ext_if lo0 "}"
> > pass out on $ext_if from any to any
> > pass in on $ext_if proto tcp from any to any port 25
>
> Note that all_ifs is not used, so we do not know whether $all_ifs, <all_ifs>
> or plain all_ifs is correct.

$all_ifs

Do note that it will expand to two separate pf lines if you have two
entries in it, so make sure to think through which kind of rules you do
apply to that macro. Making a rule that says something along the lines of
"block in quick on ! $all_ifs from any to any" is going to make two rules,
and basically any packet coming in will hit either of those two rules, so
this would block more or less all packets.

> I also need to know whether the following two options are equivalent from the
> standpoint of pf:

Don't really know how to answer that, since all you do is define macros,
and they are obviously differently defined, so if they are going to act
"the same" depends on the rules you then apply the macros to.

> # option 1
>
> /etc/pf.conf
> int_if = "{" ix0 ix1 "}"
> ext_if = "em0"
> # option 2
>
> /etc/pf.conf
> int_if = "vether0"
> ext_if = "em0"

-- 
May the most significant bit of your life be positive.
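
The expansion described in the reply above, as an added example that is not part of the original thread: a simplified Python model (not pf's parser) that turns a braced interface list into one rule per entry and evaluates a negated "quick" block rule against both quoted int_if definitions. The helper names, the choice to apply the rule to int_if rather than all_ifs, and the set of arrival interfaces are assumptions made for illustration.

```python
# Simplified model of pf list expansion and rule evaluation (not pf's parser).
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    action: str    # "pass" or "block"
    iface: str     # interface the rule names
    negate: bool   # True models "on ! iface"
    quick: bool    # True stops evaluation at the first match

def expand(action, ifaces, negate=False, quick=False):
    """One rule per list entry, as the reply describes for a braced macro."""
    return [Rule(action, i, negate, quick) for i in ifaces]

def matches(rule, pkt_iface):
    on_iface = (pkt_iface == rule.iface)
    return not on_iface if rule.negate else on_iface

def evaluate(rules, pkt_iface, default="pass"):
    """Last matching rule wins, unless a matching rule is marked quick."""
    verdict = default
    for rule in rules:
        if matches(rule, pkt_iface):
            verdict = rule.action
            if rule.quick:
                break
    return verdict

def verdicts(int_if, seen=("ix0", "ix1", "vether0", "em0")):
    """Verdict per arrival interface for: block in quick on ! <int_if>."""
    rules = expand("block", int_if, negate=True, quick=True)
    return {i: evaluate(rules, i) for i in seen}

# Constructed inputs: the two int_if definitions quoted in the thread.
OPTION_1 = ["ix0", "ix1"]   # int_if = "{" ix0 ix1 "}"
OPTION_2 = ["vether0"]      # int_if = "vether0"

if __name__ == "__main__":
    for name, ifs in (("option 1", OPTION_1), ("option 2", OPTION_2)):
        print(name, verdicts(ifs))
```

In this model the two-entry list blocks traffic on every interface, including ix0 and ix1 themselves, while the single-interface definition still lets vether0 through, so the two options diverge as soon as a negated rule uses the macro.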