Re: pf.conf for variable interfaces
On Sat, Feb 09, 2008 at 11:38:22AM +0100, Erik Norgaard wrote:
> Chad Perrin wrote:
> >>How about this:
> >>
> >>ext_ifs = "{" iwi0 bge0 "}"
> >>block in quick on $ext_ifs all
> >>pass out quick on $ext_ifs all keep state
> >>...
> >>
> >>
> >>As long as you don't need statements like iwi0:network which you
> >>shouldn't on an endpoint, then I guess this will work.
> >
> >Thanks. That looks like the answer I wanted. I don't know why I can't
> >find any documentation that offers an example of this. Maybe I'm losing
> >my Google mojo.
>
> how about man pages? ;-)
>
> man pf.conf is a really good reference.

Yeah, I looked through that one. I didn't read every single word, but I
spent quite a bit of time on it without finding what I was looking for.
The only thing I've found there (now that I know what the solution looks
like in advance) that might have given me a clear hint is this line:

all_ifs = "{" $ext_if lo0 "}"

. . . so thanks for the not-much-help after the fact.

--
CCD CopyWrite Chad Perrin [ http://ccd.apotheon.org ]
Baltasar Gracian: "A wise man gets more from his enemies than a fool from
his friends."
___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "[EMAIL PROTECTED]"
Re: pf.conf for variable interfaces
Chad Perrin wrote:
>> How about this:
>>
>> ext_ifs = "{" iwi0 bge0 "}"
>> block in quick on $ext_ifs all
>> pass out quick on $ext_ifs all keep state
>> ...
>>
>> As long as you don't need statements like iwi0:network which you
>> shouldn't on an endpoint, then I guess this will work.
>
> Thanks. That looks like the answer I wanted. I don't know why I can't
> find any documentation that offers an example of this. Maybe I'm losing
> my Google mojo.

how about man pages? ;-)

man pf.conf is a really good reference.

Cheers, Erik

--
Erik Nørgaard
Ph: +34.666334818
http://www.locolomo.org
Re: pf.conf for variable interfaces
On Fri, Feb 08, 2008 at 02:53:39PM +0100, Erik Norgaard wrote:
> Chad Perrin wrote:
> >I'm setting up PF on a FreeBSD laptop that sometimes uses the wireless
> >device (iwi0) as its external interface, and sometimes uses the RJ-45
> >ethernet device (bge0) as its external interface. Unfortunately, I
> >haven't figured out yet how to make that happen.
>
> How about this:
>
> ext_ifs = "{" iwi0 bge0 "}"
> block in quick on $ext_ifs all
> pass out quick on $ext_ifs all keep state
> ...
>
>
> As long as you don't need statements like iwi0:network which you
> shouldn't on an endpoint, then I guess this will work.

Thanks. That looks like the answer I wanted. I don't know why I can't
find any documentation that offers an example of this. Maybe I'm losing
my Google mojo.

--
CCD CopyWrite Chad Perrin [ http://ccd.apotheon.org ]
Baltasar Gracian: "A wise man gets more from his enemies than a fool from
his friends."
Re: pf.conf for variable interfaces
Jim Bow wrote:
> Erik Norgaard wrote:
>> How about this:
>>
>> ext_ifs = "{" iwi0 bge0 "}"
>> block in quick on $ext_ifs all
>> pass out quick on $ext_ifs all keep state
>> ...
>
> This is nice, but any ideas how to do this if the wireless interface is
> only present some of the time, i.e. it's a pcmcia card?

If the above trick doesn't work, then I don't think there is an easy
solution; pf fails loading rulesets when an error is encountered, which
AFAIK would happen if an interface is not present.

An option could be to load rule sets as part of the interface setup. That
means messing with the scripts in /etc/rc.d. If you look in netif, then
there is, as part of the start() routine, a part that resyncs ipfilter. You
can probably copy/paste this to do the same if pf is enabled and add a
similar resync command to the pf script.

Just some ideas.

Cheers, Erik

--
Erik Nørgaard
Ph: +34.666334818
http://www.locolomo.org
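
One way to do the "load rule sets as part of the interface setup" idea from the message above, as an added example that is not part of the original thread: pick whichever candidate interface exists and has link, then pass it to pf with pfctl's -D macro=value option, which overrides the macro definition in the ruleset file. The function names, the IFCONFIG/PFCTL override variables and the assumption that /etc/pf.conf refers to $ext_if are illustrative, not taken from the thread.

```shell
#!/bin/sh
# Added example: choose the external interface at load time and hand it to
# pf as a macro, instead of listing interfaces that may not exist.

# Candidate external interfaces, most preferred first (names from the thread).
CANDIDATES="${CANDIDATES:-bge0 iwi0}"
# Assumed ruleset path; the ruleset is assumed to reference $ext_if.
PF_CONF="${PF_CONF:-/etc/pf.conf}"

# link_is_up TEXT: true if ifconfig output reports a usable link.
# FreeBSD prints "status: active" (wired) or "status: associated" (wireless).
link_is_up() {
    printf '%s\n' "$1" | grep -Eq 'status: (active|associated)'
}

# pick_ext_if: print the first candidate that exists and has link.
# IFCONFIG can point at a stub so the logic can be exercised offline.
pick_ext_if() {
    for ifn in $CANDIDATES; do
        # A missing interface (e.g. an ejected PC Card) makes ifconfig fail.
        out=$("${IFCONFIG:-ifconfig}" "$ifn" 2>/dev/null) || continue
        if link_is_up "$out"; then
            printf '%s\n' "$ifn"
            return 0
        fi
    done
    return 1
}

# reload_pf: load the ruleset with ext_if overridden on the command line.
# If nothing is up, the ruleset already loaded in the kernel is left alone.
reload_pf() {
    ext_if=$(pick_ext_if) || {
        echo "no active external interface; pf ruleset unchanged" >&2
        return 1
    }
    "${PFCTL:-pfctl}" -D "ext_if=$ext_if" -f "$PF_CONF"
}

# Run only when asked, e.g. from an interface up/down hook: <script> reload
if [ "${1:-}" = "reload" ]; then
    reload_pf
fi
```

Because the interface name is resolved before pfctl runs, the ruleset never names an interface that is absent, and a failed lookup leaves the currently loaded rules in force rather than loading nothing.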
Re: pf.conf for variable interfaces
Erik Norgaard wrote:
> Chad Perrin wrote:
>> I'm setting up PF on a FreeBSD laptop that sometimes uses the wireless
>> device (iwi0) as its external interface, and sometimes uses the RJ-45
>> ethernet device (bge0) as its external interface. Unfortunately, I
>> haven't figured out yet how to make that happen.
>
> How about this:
>
> ext_ifs = "{" iwi0 bge0 "}"
> block in quick on $ext_ifs all
> pass out quick on $ext_ifs all keep state
> ...

This is nice, but any ideas how to do this if the wireless interface is
only present some of the time, i.e. it's a pcmcia card?

JimBow
Re: pf.conf for variable interfaces
On 2008-Feb-08, at 8:38 AM, Chad Perrin wrote:
> I'm setting up PF on a FreeBSD laptop that sometimes uses the wireless
> device (iwi0) as its external interface, and sometimes uses the RJ-45
> ethernet device (bge0) as its external interface. Unfortunately, I
> haven't figured out yet how to make that happen.
>
> I'd like to be able to have the $ext_if value change depending on which
> interface is active and being used to connect to the outside world. Do I
> just need to create two full sets of rules in my pf.conf (or use a script
> to rewrite that file from scratch each time), even though I'll be using
> exactly the same rules for PF regardless of which interface I'm using, or
> is there some simple way to avoid that sort of redundancy? What am I
> overlooking?

You can add a macro that will apply rules to both interfaces
simultaneously.

i.e.

lan_if = "bge0"
wi_if = "iwi0"
ext_if = "{" $lan_if $wi_if "}"

block in on $ext_if all

I know it's not dynamically updating but should suffice.

--
Regards,

Derek Buttineau
Internet Systems Developer
Compu-SOLVE Internet Services
Compu-SOLVE Technologies, Inc

Phone: 705-725-1212 x255
E-Mail: [EMAIL PROTECTED]
Re: pf.conf for variable interfaces
Chad Perrin wrote:
> I'm setting up PF on a FreeBSD laptop that sometimes uses the wireless
> device (iwi0) as its external interface, and sometimes uses the RJ-45
> ethernet device (bge0) as its external interface. Unfortunately, I
> haven't figured out yet how to make that happen.
>
> I'd like to be able to have the $ext_if value change depending on which
> interface is active and being used to connect to the outside world. Do I
> just need to create two full sets of rules in my pf.conf (or use a script
> to rewrite that file from scratch each time), even though I'll be using
> exactly the same rules for PF regardless of which interface I'm using, or
> is there some simple way to avoid that sort of redundancy? What am I
> overlooking?
>

You might be able to use link aggregation to make this work. See lagg(4)
-- there's an example in there of automatic fail-over between a wireless
and a wired interface. Assuming that your wireless and wired interfaces
would all sit on the same network and you can move the IP from one to the
other, it should work. In pf.conf you'd need to set:

ext_if="(lagg0)"

(The brackets are important if the IP is dynamically assigned and could
change)

Completely untried, but I think this should work.

Cheers,

Matthew

--
Dr Matthew J Seaman MA, D.Phil.
Flat 3
7 Priory Courtyard
PGP: http://www.infracaninophile.co.uk/pgpkey
Ramsgate
Kent, CT11 9PW, UK
Re: pf.conf for variable interfaces
Chad Perrin wrote:
> I'm setting up PF on a FreeBSD laptop that sometimes uses the wireless
> device (iwi0) as its external interface, and sometimes uses the RJ-45
> ethernet device (bge0) as its external interface. Unfortunately, I
> haven't figured out yet how to make that happen.

How about this:

ext_ifs = "{" iwi0 bge0 "}"
block in quick on $ext_ifs all
pass out quick on $ext_ifs all keep state
...

As long as you don't need statements like iwi0:network which you
shouldn't on an endpoint, then I guess this will work.

Erik
pf.conf for variable interfaces
I'm setting up PF on a FreeBSD laptop that sometimes uses the wireless
device (iwi0) as its external interface, and sometimes uses the RJ-45
ethernet device (bge0) as its external interface. Unfortunately, I
haven't figured out yet how to make that happen.

I'd like to be able to have the $ext_if value change depending on which
interface is active and being used to connect to the outside world. Do I
just need to create two full sets of rules in my pf.conf (or use a script
to rewrite that file from scratch each time), even though I'll be using
exactly the same rules for PF regardless of which interface I'm using, or
is there some simple way to avoid that sort of redundancy? What am I
overlooking?

--
CCD CopyWrite Chad Perrin [ http://ccd.apotheon.org ]
Baltasar Gracian: "A wise man gets more from his enemies than a fool from
his friends."