[EMAIL PROTECTED] wrote:
> On Mon, 5 Dec 2005 10:40:31 -0500 (EST), Brian A. Seklecki wrote:
>
>> All:
>>
...
>> Even if other hosts receive a packet and reply to it, they won't be
>> able to ARP for it, and if they could, the original OpenBSD box will
>> drop the reply with destination host/network unreachable (obviously).
>>
>> Wouldn't a better behavior be to prevent the transmission of the packet
>> in the same way a socket cannot bind to a source port/ip if it
>> is not assigned to an interface?
>>
>> Thoughts?
>
> Yes!
> I'd rather have no change. If somebody uses the capability incorrectly
> it would be just another case of shooting-self-in-foot allowed by
> having powerful tools.
>
> My guess is that very few users <ever> NAT using an address other
> than that of the $ext_if.
...
I do, but only because I can ;-) I also have a /29 but I do not pay any
extra for it. One address is assigned to an interface and I use another
address for an e-mail server. In my case I use the in-kernel PPPOE and
configure a static route to the loopback from the desired address:
/etc/rc.local:
echo ' Routes'; route add 222.222.222.222 localhost
/etc/pf.conf:
rdr pass on $ppp_if proto tcp from <spamd> to $email_addr port smtp \
    -> 127.0.0.1 port spamd
rdr pass on $ppp_if proto tcp from !<spamd-white> to $email_addr port smtp \
    -> 127.0.0.1 port spamd
rdr pass on $ppp_if proto tcp from any to $email_addr port smtp \
    -> 127.0.0.1 port smtp
If I needed the interface to answer an ARP query, I'd simply use a static
arp entry.
-Steve S.
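The rules Steve quotes refer to macros and tables that the mail does not define. The fragment below is an added example, not part of the original mail, showing the same setup as a complete pf.conf section: the interface name "pppoe0", the table contents and the comment text are assumptions; the address 222.222.222.222 is the placeholder used in the mail.

```pf
# Added example (not from the original mail). Interface name and table
# contents are assumptions; the address is the mail's placeholder.
ppp_if     = "pppoe0"
email_addr = "222.222.222.222"   # /29 address that is NOT configured on any interface;
                                 # reachable only via "route add 222.222.222.222 localhost"

table <spamd> persist            # blacklisted sources (loaded by spamd-setup)
table <spamd-white> persist      # sources that passed greylisting (maintained by spamd)

# Translation rules are first-match, so list them from most to least specific:
# 1. known spam sources -> spamd (tarpit)
# 2. anything not yet whitelisted -> spamd (greylist)
# 3. everything else -> the real MTA on the loopback
rdr pass on $ppp_if proto tcp from <spamd> to $email_addr port smtp \
    -> 127.0.0.1 port spamd
rdr pass on $ppp_if proto tcp from !<spamd-white> to $email_addr port smtp \
    -> 127.0.0.1 port spamd
rdr pass on $ppp_if proto tcp from any to $email_addr port smtp \
    -> 127.0.0.1 port smtp
```

Because the MTA and spamd both bind to 127.0.0.1, neither daemon is reachable on the external address without one of these rdr rules; the loopback route only makes the kernel accept the destination, and the order of the rules decides which daemon sees a given client. On a PPPoE link there is no ARP, so the static route is all that is needed; only on an Ethernet-facing interface would a published static ARP entry be required for neighbours to resolve the extra address.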