On Thu, Sep 27, 2018, 3:59 AM Per-Olov Sjöholm, <[email protected]> wrote:

> On Thu, Sep 27, 2018, at 06:16, Theo de Raadt wrote:
> > Per-Olov Sjöholm <[email protected]> wrote:
> >
> > > I can in the man page for PF see:
> > >
> > > --snip--
> > > Interface names, interface group names, and self can have
> > >              modifiers appended:
> > >
> > >              :0          Do not include interface aliases.
> > >              :broadcast  Translates to the interface's broadcast
> > >                          address(es).
> > >              :network    Translates to the network(s) attached to the
> > >                          interface.
> > >              :peer       Translates to the point-to-point interface's
> > >                          peer address(es).
> > > --snip--
> > >
> > > Is there a special reason syntax like INTERNET_INT:1 won't work if we
> > > want to use the first alias address from the hostname interface file?
> > >
> > > As it is now I have to use the base address by using ":0" or including
> > > all aliases. For me this seems unusable. If I want to nat out on the alias
> > > address from for example the DMZ I would like to use ":1". As this is not
> > > possible I have to hard code the IPs in pf.conf.
> >
> > Yes there is a very good reason.
> >
> > Interface aliases are not what you think they are.  A mistake was made
> > more than two decades ago.  If you reconfigure, they "roll".
> >
> > You should avoid use of :0, unless you need it.  But definitely you do
> > not want :1 or :2 etc.
>
>
> Ahhh I see... Didn't know that. Many thanks for the answer
>
> I found it very convenient to not add the external IP into pf.conf, but
> let the service itself harvest it from the interface. But it seems it is no
> longer possible when you add more IPs to the external interface (unless you
> want them all in the same rule of course). Not a biggie. Just interested to
> see if it is possible to have more than one IP on the interface and not
> have them specified in pf.conf...
>
> How would you solve this example below? Should I hard code the IPs and only
> use these and skip usage of ":0" in this case?  Is there maybe a way to
> instead create a separate sub interface for the alias IP so the sub
> interface could be used in PF, but the resulting PF behaviour remains?
>
> cat /etc/hostname.ix3
> inet 192.168.0.100 255.255.255.0 192.168.0.255 description "INTERNET UPLINK TEST"
> !ifconfig ix3 inet alias 192.168.0.101 netmask 255.255.255.255 broadcast 192.168.0.255
>
>
> From pf.conf example
> INTERNET_INT="ix3"
> INTERNET_INT_IP1="192.168.0.100" <<< Can this be avoided?
> INTERNET_INT_IP2="192.168.0.102"  <<< Can this be avoided?
> match out on $INTERNET_INT from $DMZ1_DAEDALUS to any nat-to $INTERNET_INT_IP2
> match out on $INTERNET_INT from $LAN_INT:network to any nat-to $INTERNET_INT:0



Instead of making alias interfaces, you could always make carp interfaces I
guess.

Then your pf.conf could be like:

INTERNET_INT="ix3"
INTERNET_INT_IF2="carp100"

match out on $INTERNET_INT from $DMZ1_DAEDALUS to any nat-to $INTERNET_INT_IF2
match out on $INTERNET_INT from $LAN_INT:network to any nat-to $INTERNET_INT:0
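As an added illustration of the carp approach suggested above (not part of the thread), here is the matching hostname.if file beside the pf.conf rules. It assumes the alias address 192.168.0.101 from the hostname.ix3 shown earlier, a /24 netmask taken from the uplink so carpdev resolution is unambiguous, vhid 100, and a placeholder password; none of those values come from the original posts.

```conf
# /etc/hostname.carp100  (added example, not from the thread)
# Assumed: vhid 100 must be unique on the ix3 segment; CHANGE_ME is a placeholder.
# The carp interface holds the second public address, so the "alias slot"
# that Theo warns about (:1, :2 ...) is never referenced anywhere.
inet 192.168.0.101 255.255.255.0 192.168.0.255 vhid 100 carpdev ix3 pass CHANGE_ME

# /etc/pf.conf fragment: the carp interface name is stable across reconfigures,
# so no external address needs to be hard coded in the ruleset.
INTERNET_INT="ix3"
INTERNET_INT_IF2="carp100"
match out on $INTERNET_INT from $DMZ1_DAEDALUS to any nat-to $INTERNET_INT_IF2
match out on $INTERNET_INT from $LAN_INT:network to any nat-to $INTERNET_INT:0
```

Bring the interface up with `sh /etc/netstart carp100`, confirm `ifconfig carp100` reports MASTER, and syntax-check the rules with `pfctl -nf /etc/pf.conf` before loading them. Carp advertisements are multicast on the uplink segment, so choose a vhid that is not already in use there.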
