[EMAIL PROTECTED] wrote:
> On Mon, 5 Dec 2005 10:40:31 -0500 (EST), Brian A. Seklecki wrote:
>
>> All:
>> ...
>> Even if other hosts receive a packet and reply to it, they won't be
>> able to ARP for it, and if they could, the original OpenBSD box will
>> drop the reply with destination host/network unreachable (obviously).
>>
>> Wouldn't a better behavior be to prevent the transmission of the packet
>> in the same way that a socket cannot bind to a source port/ip if it
>> is not assigned to an interface?
>>
>> Thoughts?
>
> Yes!
> I'd rather have no change. If somebody uses the capability incorrectly
> it would be just another case of shooting-self-in-foot allowed by
> having powerful tools.
>
> My guess is that very few users <ever> NAT using an address other
> than that of the $ext_if. ...
I do, but only because I can;-)

I also have a /29 but I do not pay any extra for it. One address is
assigned to an interface and I use another address for an e-mail server.

In my case I use the in-kernel PPPoE and configure a static route to the
loopback from the desired address:

/etc/rc.local:

echo ' Routes'; route add 222.222.222.222 localhost

/etc/pf.conf:

rdr pass on $ppp_if proto tcp from <spamd> to $email_addr port smtp \
    -> 127.0.0.1 port spamd
rdr pass on $ppp_if proto tcp from !<spamd-white> to $email_addr port smtp \
    -> 127.0.0.1 port spamd
rdr pass on $ppp_if proto tcp from any to $email_addr port smtp \
    -> 127.0.0.1 port smtp

If I needed the interface to answer an ARP query, I'd simply use a static
arp entry.

-Steve S.
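A fuller version of the setup described in the reply above, written as an added example and not taken from Steve's files or from OpenBSD itself. It assumes the same /29 address 222.222.222.222 and table names as the post, a PPPoE interface named pppoe0, and, for the Ethernet-only ARP variant, a placeholder MAC address.

```pf
# /etc/rc.local (added example): route the extra /29 address to the
# loopback so the kernel treats it as a local address even though no
# interface carries it.
echo ' Routes'; route add 222.222.222.222 localhost
# Ethernet-only variant (hypothetical; not needed on PPPoE): publish a
# static ARP entry so this box answers ARP queries for the address.
# 00:00:00:00:00:00 is a placeholder for the real interface MAC.
# arp -s 222.222.222.222 00:00:00:00:00:00 pub

# /etc/pf.conf (added example): macros and tables assumed by the rdr rules.
ppp_if     = "pppoe0"
email_addr = "222.222.222.222"
table <spamd>       persist   # sources to be greylisted/blacklisted by spamd
table <spamd-white> persist   # whitelisted sources that may reach the real MTA

# Rule order matters: the first matching rdr wins. Known spam sources and
# any sender not yet whitelisted go to spamd; only whitelisted senders fall
# through to the final rule and reach the real SMTP listener.
rdr pass on $ppp_if proto tcp from <spamd> to $email_addr port smtp \
    -> 127.0.0.1 port spamd
rdr pass on $ppp_if proto tcp from !<spamd-white> to $email_addr port smtp \
    -> 127.0.0.1 port spamd
rdr pass on $ppp_if proto tcp from any to $email_addr port smtp \
    -> 127.0.0.1 port smtp

# Checks after loading with `pfctl -f /etc/pf.conf`:
#   route -n get 222.222.222.222   # gateway should resolve to localhost
#   pfctl -s nat                   # the three rdr rules above should be listed
```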