Hi folks,

Harald Dunkel wrote:
>
> Question: How can I make sure that "em2" doesn't become "em0"
> if my dual-port NIC dies? This would be fatal for my firewall
> setup. At least the antispoof rules _must_ be bound to the
> network devices.
>
Sorry to wake this thread up again, but this problem is a severe security risk. IMHO it is unacceptable that a hardware failure on one NIC of a firewall can put the whole network at risk, just because the mapping between NICs and interface names gets mixed up, and PF suddenly treats the Internet as a subnet of the company LAN.

The workarounds posted here just show that OpenBSD's native functionality is insufficient. If you are planning a version 5.0, then it would be very nice if you could address this problem.

Many thanx
Harri
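The failure mode Harri describes (a card dies, the surviving port is probed under a different name, and the antispoof and pass rules written for "em0" now sit on the wrong physical port) can at least be detected before pf.conf is loaded. The script below is an added example written for this editorial pass; it is not code from the thread or from OpenBSD. It compares the interface-name to MAC mapping reported by ifconfig(8) against the mapping the ruleset was written for and refuses to proceed on any mismatch. The interface names, MAC addresses and the sample ifconfig output are constructed for the example; the only format assumption is OpenBSD's "ifname: flags=..." header followed by an indented "lladdr" line.

```shell
#!/bin/sh
# Added example, not from the thread: a pre-load sanity check that refuses to
# load pf.conf if the kernel's interface-name -> MAC mapping no longer matches
# the mapping the ruleset was written for (e.g. a dual-port card died and the
# port that used to be em2 was probed as em0). All MAC addresses below are
# constructed for the example; replace EXPECTED_MAP with your own.

EXPECTED_MAP="em0=00:11:22:33:44:01 em1=00:11:22:33:44:02 em2=00:11:22:33:44:03"

# Read ifconfig(8)-style output on stdin and print one "ifname mac" pair per
# interface that carries a lladdr line (lo0 and other MAC-less interfaces are
# skipped because they never produce a lladdr line).
ifmap_from_ifconfig() {
    awk '$1 ~ /^[a-z]+[0-9]+:$/ { sub(/:$/, "", $1); cur = $1 }
         $1 == "lladdr"         { print cur, $2 }'
}

# check_nic_map "em0=mac em1=mac ..." < ifconfig-output
# Returns 0 only if every listed interface exists and carries the expected MAC;
# otherwise reports each mismatch on stderr and returns 1.
check_nic_map() {
    expected=$1
    actual=$(ifmap_from_ifconfig)
    rc=0
    for pair in $expected; do
        ifn=${pair%%=*}
        want=${pair#*=}
        got=$(printf '%s\n' "$actual" | awk -v i="$ifn" '$1 == i { print $2 }')
        if [ "$got" != "$want" ]; then
            echo "MISMATCH: $ifn has lladdr '${got:-none}', expected $want" >&2
            rc=1
        fi
    done
    return $rc
}

# Constructed ifconfig output: all three ports present under their usual names.
sample_healthy() {
cat <<'EOF'
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 32768
        inet 127.0.0.1 netmask 0xff000000
em0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        lladdr 00:11:22:33:44:01
        inet 203.0.113.2 netmask 0xffffff00 broadcast 203.0.113.255
em1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        lladdr 00:11:22:33:44:02
        inet 192.0.2.1 netmask 0xffffff00 broadcast 192.0.2.255
em2: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        lladdr 00:11:22:33:44:03
        inet 10.0.0.1 netmask 0xffffff00 broadcast 10.0.0.255
EOF
}

# Constructed: the dual-port card (em0/em1) is gone, so the surviving
# single-port NIC that used to be em2 now comes up as em0.
sample_after_failure() {
cat <<'EOF'
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 32768
        inet 127.0.0.1 netmask 0xff000000
em0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        lladdr 00:11:22:33:44:03
        inet 10.0.0.1 netmask 0xffffff00 broadcast 10.0.0.255
EOF
}

# Demonstration on the constructed samples. On a real box you would run
#   ifconfig | check_nic_map "$EXPECTED_MAP" && pfctl -f /etc/pf.conf
# from a wrapper script instead of the two lines below.
sample_healthy | check_nic_map "$EXPECTED_MAP" && echo "healthy: OK to load pf.conf"
sample_after_failure | check_nic_map "$EXPECTED_MAP" || echo "after failure: refusing to load pf.conf"
```

The check is deliberately strict: a missing interface counts as a mismatch just like a swapped one, because a ruleset that references an interface which no longer exists is equally unlikely to do what its author intended. It does not solve what Harri is asking for (stable names that survive a hardware failure); it only turns a silent misassignment into a refusal to bring the firewall up with the wrong rules on the wrong port.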