* Tobias Ulmer <[EMAIL PROTECTED]> [2006-02-14 04:37]:
> I don't know if this works with regular rules, but there is a recent
> post from Ray Lai where he points out that it's possible to use just
> interface instead of interface[0-n] [1].
> I didn't find this documented in pf.conf(5), but maybe I just should get
> some sleep...
it is not documented there because it is not true.
pf.conf(5) says:
on <interface>
This rule applies only to packets coming in on, or going out
through, this particular interface or interface group.
(and similar for other places where you can use interface names)
so, look at your interfaces to see which groups they are in.
it happens to be that dynamically created interfaces - like tun -
automagically join a group we call 'interface class group'.
<[EMAIL PROTECTED]> $ sudo ifconfig tun342 create
<[EMAIL PROTECTED]> $ ifconfig tun342
tun342: flags=10<POINTOPOINT> mtu 3000
groups: tun
so you can use 'tun' when you mean "any tunnel interface".
you cannot use 'em' when you mean "all em interfaces", because that
doesn't make sense anyway.
or you can put your interfaces in groups you set so that you can filter
easier
<[EMAIL PROTECTED]> $ sudo ifconfig tun342 group loonies
<[EMAIL PROTECTED]> $ ifconfig tun342
tun342: flags=10<POINTOPOINT> mtu 3000
groups: tun loonies
etc yadda yadda yadda.
--
BS Web Services, http://www.bsws.de/
OpenBSD-based Webhosting, Mail Services, Managed Servers, ...
Unix is very simple, but it takes a genius to understand the simplicity.
(Dennis Ritchie)
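The matching rule described in the reply above, as an added example that is not part of the original mail or of OpenBSD's own code: a POSIX sh/awk helper that, given constructed ifconfig(8)-style output, lists which interfaces a pf rule written "on <name>" applies to, treating <name> as either a literal interface name or an interface group, exactly as the pf.conf(5) excerpt describes. The interface names, flags and the "loonies" group are taken from the mail; the function name and the lo0/em0 entries are made up for the demo.

```sh
#!/bin/sh
# Constructed ifconfig(8)-style output for the demo (not captured from a real
# host). Interface groups appear on the "groups:" line of each interface.
IFCONFIG_OUT='lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 32768
        groups: lo
em0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        groups: egress
tun342: flags=10<POINTOPOINT> mtu 3000
        groups: tun loonies
tun343: flags=10<POINTOPOINT> mtu 3000
        groups: tun'

# pf_on_matches NAME [IFCONFIG_TEXT]
# Prints, one per line, every interface a pf rule "on NAME" would apply to:
# the interface literally called NAME, plus every interface whose "groups:"
# line lists NAME. No prefix matching is done, so "on em" matches nothing
# unless a group called "em" exists (interface names end in a digit and
# group names may not, so a name and a group never collide).
pf_on_matches() {
    name=$1
    text=${2:-$IFCONFIG_OUT}
    printf '%s\n' "$text" | awk -v want="$name" '
        # header line: "ifname: flags=..." starts at column 1
        /^[a-z].*: flags=/ {
            cur = $1; sub(/:$/, "", cur)
            if (cur == want) print cur
            next
        }
        # membership line: "groups: g1 g2 ..." (indented)
        $1 == "groups:" {
            for (i = 2; i <= NF; i++)
                if ($i == want) { print cur; break }
        }
    '
}
```

Run it as `pf_on_matches tun` to see which interfaces "on tun" covers, and `pf_on_matches em` to confirm that a bare driver name is not a group.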