Openbsd: ‘interface groups and pf’

PF and Openbsd keep getting better: MARC: msg ‘interface groups and pf’.


block in on egress from (customer:network)…

….
there is an “egress” interface group now which follows the default routes. This interface group contains all interfaces which IPv4 and IPv6 default routes point to … So, imagine that on your notebook, where you are sometimes on wireless and sometimes on wired network connections – just write your pf.conf so that it refers to the egress group instead of wi0 and em0, and it will Just Work 🙂

2 Comments

  1. Richard Parry Said,

    June 18, 2005 @ 5:45 pm

    That’s pretty cool.

    I think you can do something similar with Tables, but you need to chain a rule to an interface and point it to another, and that shit will send you blind just trying to work it out.

    pf is much easier to configure, and with this function it should be cool. Does it also support ingress? That way you could have default lists for any sort of interface, both inbound and outbound traffic.

  2. Nicholas Lee Said,

    June 18, 2005 @ 6:11 pm

    I think “pf is much easier to configure”, is the important point. Configuration of iptables is like trying to be your own mo-DEM. Ingress and egress in this situation I think is different slightly from the normal use. Egress above is basic the interfaces associated with the default route.

    So you can traffic filter and manage (using ALTQ no doubt) traffic on the default route both inwards/ingress (block in on egress …) and outwards.egess (block out on egress …). Everything else is a matter of local policy.

    Obviously this is very useful for a laptop changing between wired and wireless, but maybe not so useful for a fixed server.

RSS feed for comments on this post