Interface modifiers in pf.conf


Interface modifiers in pf.conf

Sjöholm Per-Olov
Hi

I can see in the man page for PF:

--snip--
Interface names, interface group names, and self can have
             modifiers appended:

             :0                   Do not include interface aliases.
             :broadcast  Translates to the interface's broadcast address(es).
             :network    Translates to the network(s) attached to the
                         interface.
             :peer       Translates to the point-to-point interface's peer
                         address(es).
--snip--

Is there a special reason syntax like INTERNET_INT:1 won't work if we want to use the first alias address from the hostname interface file?

As it is now I have to use the base address by using ":0" or including all aliases. For me this seems unusable. If I want to nat out on the alias address from for example the DMZ I would like to use ":1". As this is not possible I have to hard code the IPs in pf.conf.


Have I misunderstood something? Please enlighten me.


Tnx
Peo


Re: Interface modifiers in pf.conf

Theo de Raadt-2
Per-Olov Sjöholm <[hidden email]> wrote:

> I can see in the man page for PF:
>
> --snip--
> Interface names, interface group names, and self can have
>              modifiers appended:
>
>              :0                   Do not include interface aliases.
>              :broadcast  Translates to the interface's broadcast address(es).
>              :network    Translates to the network(s) attached to the
>                          interface.
>              :peer       Translates to the point-to-point interface's peer
>                          address(es).
> --snip--
>
> Is there a special reason syntax like INTERNET_INT:1 won't work if we want to use the first alias address from the hostname interface file?
>
> As it is now I have to use the base address by using ":0" or including all aliases. For me this seems unusable. If I want to nat out on the alias address from for example the DMZ I would like to use ":1". As this is not possible I have to hard code the IPs in pf.conf.

Yes there is a very good reason.

Interface aliases are not what you think they are.  A mistake was made
more than two decades ago.  If you reconfigure, they "roll".

You should avoid use of :0, unless you need it.  But definitely you do
not want :1 or :2 etc.


Re: Interface modifiers in pf.conf

Sjöholm Per-Olov
On Thu, Sep 27, 2018, at 06:16, Theo de Raadt wrote:

> Per-Olov Sjöholm <[hidden email]> wrote:
>
> > I can see in the man page for PF:
> >
> > --snip--
> > Interface names, interface group names, and self can have
> >              modifiers appended:
> >
> >              :0                   Do not include interface aliases.
> >              :broadcast  Translates to the interface's broadcast address(es).
> >              :network    Translates to the network(s) attached to the
> >                          interface.
> >              :peer       Translates to the point-to-point interface's peer
> >                          address(es).
> > --snip--
> >
> > Is there a special reason syntax like INTERNET_INT:1 won't work if we want to use the first alias address from the hostname interface file?
> >
> > As it is now I have to use the base address by using ":0" or including all aliases. For me this seems unusable. If I want to nat out on the alias address from for example the DMZ I would like to use ":1". As this is not possible I have to hard code the IPs in pf.conf.
>
> Yes there is a very good reason.
>
> Interface aliases are not what you think they are.  A mistake was made
> more than two decades ago.  If you reconfigure, they "roll".
>
> You should avoid use of :0, unless you need it.  But definitely you do
> not want :1 or :2 etc.


Ahhh I see... Didn't know that. Many thanks for the answer.

I found it very convenient to not add the external IP into pf.conf, but let the service itself harvest it from the interface. But it seems it is no longer possible when you add more IPs to the external interface (unless you want them all in the same rule of course). Not a biggie. Just interested to see if it is possible to have more than one IP on the interface and not have them specified in pf.conf...

How would you solve this example below? Should I hard code the IPs and only use these and skip usage of ":0" in this case? Is there maybe a way to instead create a separate sub-interface for the alias IP so the sub-interface could be used in PF, but the resulting PF behaviour remains?

cat /etc/hostname.ix3
inet 192.168.0.100 255.255.255.0 192.168.0.255  description "INTERNET UPLINK TEST"
!ifconfig ix3 inet alias 192.168.0.101 netmask 255.255.255.255 broadcast 192.168.0.255


From pf.conf example
INTERNET_INT="ix3"
INTERNET_INT_IP1="192.168.0.100" <<< Can this be avoided?
INTERNET_INT_IP2="192.168.0.102"  <<< Can this be avoided?
match out on $INTERNET_INT from $DMZ1_DAEDALUS to any nat-to $INTERNET_INT_IP2
match out on $INTERNET_INT from $LAN_INT:network to any nat-to $INTERNET_INT:0


Tnx
Peo


Re: Interface modifiers in pf.conf

Rudy Baker
On Thu, Sep 27, 2018, 3:59 AM Per-Olov Sjöholm, <[hidden email]> wrote:

> On Thu, Sep 27, 2018, at 06:16, Theo de Raadt wrote:
> > Per-Olov Sjöholm <[hidden email]> wrote:
> >
> > > I can see in the man page for PF:
> > >
> > > --snip--
> > > Interface names, interface group names, and self can have
> > >              modifiers appended:
> > >
> > >              :0                   Do not include interface aliases.
> > >              :broadcast  Translates to the interface's broadcast address(es).
> > >              :network    Translates to the network(s) attached to the
> > >                          interface.
> > >              :peer       Translates to the point-to-point interface's peer
> > >                          address(es).
> > > --snip--
> > >
> > > Is there a special reason syntax like INTERNET_INT:1 won't work if we
> > > want to use the first alias address from the hostname interface file?
> > >
> > > As it is now I have to use the base address by using ":0" or including
> > > all aliases. For me this seems unusable. If I want to nat out on the alias
> > > address from for example the DMZ I would like to use ":1". As this is not
> > > possible I have to hard code the IPs in pf.conf.
> >
> > Yes there is a very good reason.
> >
> > Interface aliases are not what you think they are.  A mistake was made
> > more than two decades ago.  If you reconfigure, they "roll".
> >
> > You should avoid use of :0, unless you need it.  But definitely you do
> > not want :1 or :2 etc.
>
>
> Ahhh I see... Didn't know that. Many thanks for the answer
>
>  I found it very convenient to not add the external IP into pf.conf, but
> let the service itself harvest it from the interface. But it seems it is no
> longer possible when you add more IPs to the external interface (unless you
> want them all in the same rule of course). Not a biggie. Just interested to
> see if it is possible to have more than one IP on the interface and don't
> have them specified in pf.conf...
>
> How would you solve this example below Should I hard code the IPs and only
> use these and skip usage of ":0" in this case?  Is there maybe a way to
> instead create a separate sub interface for the alias IP so the sub
> interface could be used in PF, but the resulting PF behaviour remains?
>
> cat /etc/hostname.ix3
> inet 192.168.0.100 255.255.255.0 192.168.0.255  description "INTERNET
> UPLINK TEST"
> !ifconfig ix3 inet alias 192.168.0.101 netmask 255.255.255.255 broadcast
> 192.168.0.255
>
>
> From pf.conf example
> INTERNET_INT="ix3"
> INTERNET_INT_IP1="192.168.0.100" <<< Can this be avoided?
> INTERNET_INT_IP2="192.168.0.102"  <<< Can this be avoided?
> match out on $INTERNET_INT from $DMZ1_DAEDALUS to any nat-to
> $INTERNET_INT_IP2
> match out on $INTERNET_INT from $LAN_INT:network to any nat-to
> $INTERNET_INT:0



Instead of making alias interfaces, you could always make carp interfaces I
guess.

Then your pf.conf could be like:

INTERNET_INT="ix3"
INTERNET_INT_IF2="carp100"


match out on $INTERNET_INT from $DMZ1_DAEDALUS to any nat-to
$INTERNET_INT_IF2
match out on $INTERNET_INT from $LAN_INT:network to any nat-to
$INTERNET_INT:0
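The carp-based layout suggested above, written out as an added example (constructed for this thread, not a file posted by any of the participants): the second public address is moved off the ix3 alias onto its own carp interface, so pf can name it by interface instead of by a literal IP or an alias index. The vhid, the carp password, and the DMZ host and LAN interface macro values are placeholders.

```conf
# /etc/hostname.ix3  (constructed example) - only the primary address stays
# here; with no "alias" line, ":0" and the bare interface name agree on one
# address and nothing can "roll" on reconfigure
inet 192.168.0.100 255.255.255.0 192.168.0.255 description "INTERNET UPLINK TEST"

# /etc/hostname.carp100  (constructed example) - the former alias address on
# its own interface; vhid 100 and the password are placeholders: the vhid
# must be unique on the ix3 segment, and the password only needs to match a
# real carp partner if one exists
inet 192.168.0.101 255.255.255.0 192.168.0.255 vhid 100 carpdev ix3 pass CHANGE-ME

# /etc/pf.conf fragment (constructed example) - the DMZ host and LAN
# interface macros are placeholders so the fragment parses on its own
INTERNET_INT="ix3"
INTERNET_INT_IF2="carp100"
DMZ1_DAEDALUS="10.10.1.10"
LAN_INT="ix1"

# "inet" pins both rules to IPv4, so each interface name resolves only to
# its IPv4 address; the DMZ host NATs out via carp100, the LAN via the
# primary address of ix3, and no public IP is written into pf.conf
match out on $INTERNET_INT inet from $DMZ1_DAEDALUS to any nat-to $INTERNET_INT_IF2
match out on $INTERNET_INT inet from $LAN_INT:network to any nat-to $INTERNET_INT:0
```

`pfctl -nf /etc/pf.conf` parses the file without loading it, which catches macro and modifier mistakes before they reach the running ruleset.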