On Fri, Aug 22, 2008 at 04:16:38PM +0200, Harald Dunkel wrote:
> Hi folks,
>
> Question: How can I make sure that "em2" doesn't become "em0"
> if my dual-port NIC dies? This would be fatal for my firewall
> setup. At least the antispoof rules _must_ be bound to the
> network devices.

first thing that comes to mind is to create unique interface groups
for each iface and then write pf based on that. you'll still have to
deal with the fallout after reboot after a failure, but at least if
the hardware for whatever reason did happen to disappear during
operation, you'd be insulated against the immediate change (tho maybe
pf already handles that)

other than that, assuming the PCI locations or whatever stay
consistent through reboots (like, put 3 nics in, boot, see where they
are, pull the middle one, see if 1 and 3 are still at the same points
in dmesg even tho their ifnums will change), you could maybe break
apart the 'em* at pci*' (or whatever it is) in config(8) and make
individual ones based on where you want them. if that doesn't work in
config(8) you probably have to make your own kernel.

so you could do a little work and get a marginal benefit or spend a
(potentially *LOT*) lot more time and force things specifically.

barring any better suggestions, of course.

-- 
jared
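The dmesg comparison suggested in the reply above can be scripted so that a renumbered NIC is caught before pf rules are loaded. This is an added example, not part of the original thread; the function names `nic_map` and `nic_drift`, the baseline format, and the sample dmesg lines are assumptions made for illustration, and the attachment lines are assumed to have the shape `emN at pciM dev D function F`.

```shell
#!/bin/sh
# Constructed sample dmesg lines (not from the thread): the dual-port NIC
# that provided em0/em1 is gone, so the surviving card shows up as em0.
SAMPLE_DMESG='em0 at pci3 dev 2 function 0 "Intel PRO/1000MT (82540EM)" rev 0x02: irq 11
bge0 at pci1 dev 0 function 0 "Broadcom BCM5721" rev 0x11: irq 5'

# Constructed baseline recorded while the hardware was known-good:
# one "ifname bus dev function" entry per line.
BASELINE='em0 pci1 4 0
em1 pci1 4 1
em2 pci3 2 0'

# nic_map: read dmesg text on stdin and print "ifname bus dev function"
# for every em(4) attachment line.
nic_map() {
    awk '$1 ~ /^em[0-9]+$/ && $2 == "at" && $3 ~ /^pci[0-9]+$/ &&
         $4 == "dev" && $6 == "function" { print $1, $3, $5, $7 }'
}

# nic_drift BASELINE DMESG: print one line per baseline interface that is
# missing or attached at a different PCI location; return 1 on any drift.
nic_drift() {
    current=$(printf '%s\n' "$2" | nic_map)
    rc=0
    while read -r ifname bus dev func; do
        [ -n "$ifname" ] || continue
        now=$(printf '%s\n' "$current" |
            awk -v i="$ifname" '$1 == i { print $2, $3, $4 }')
        if [ -z "$now" ]; then
            echo "$ifname missing (expected $bus dev $dev function $func)"; rc=1
        elif [ "$now" != "$bus $dev $func" ]; then
            echo "$ifname moved (expected $bus dev $dev function $func, found $now)"; rc=1
        fi
    done <<EOF
$1
EOF
    return $rc
}

# With the constructed sample, all three baseline entries are reported.
nic_drift "$BASELINE" "$SAMPLE_DMESG" || echo "interface layout changed; do not load pf rules"
```

On a live system the second argument would be the contents of the boot dmesg rather than the constructed sample.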

