problem with keyword self

lev-bazanov at mail.ru
Fri Jun 30 07:06:11 UTC 2006


Hello, All.

There is a problem in pf when I try to add rules with the keyword
"self". Example:

My box has three physical interfaces and one loopback interface:

fxp0 - 10.0.0.1
fxp1 - 20.0.0.1
fxp3 - 30.0.0.1
lo0  - 127.0.0.1

Add rules to pf:
---- pf.conf ----
block drop in quick from any to self
pass in quick all
---- pf.conf ----

# pfctl -f /etc/pf.conf
# pfctl -q -s rules
block drop in quick inet from any to 10.0.0.1
block drop in quick inet from any to 20.0.0.1
block drop in quick inet from any to 30.0.0.1
block drop in quick inet from any to 127.0.0.1
pass in quick all
#
# ifconfig fxp0 50.0.0.1
# pfctl -q -s rules
block drop in quick inet from any to 10.0.0.1
block drop in quick inet from any to 20.0.0.1
block drop in quick inet from any to 30.0.0.1
block drop in quick inet from any to 127.0.0.1
pass in quick all

Result of this command: all incoming traffic on interface fxp0 will be passed.
This situation is not correct, because I want to disable all traffic on
fxp0, even after changing the IP address on fxp0.

A similar situation happens when I try to add a rule in pf with a table which
contains an interface's name or the keyword "self". For example:
1. Table contains the name of an interface
----- pf.conf -----
table <test> { fxp0 } 
block drop in quick from any to <test>
----- pf.conf -----

# pfctl -f /etc/pf.conf
# pfctl -q -s rules 
block drop in quick from any to <test>
# pfctl -q -t test -T show
  10.0.0.1
# ifconfig fxp0 50.0.0.1
# pfctl -q -t test -T show
  10.0.0.1

2. Table contains the keyword "self"
----- pf.conf ----
table <test> { self }
block drop in quick from any to <test>
----- pf.conf ----

# pfctl -f /etc/pf.conf
# pfctl -q -s rules
block drop in quick from any to <test>
# pfctl -q -t test -T show
  10.0.0.1
  20.0.0.1
  30.0.0.1
  127.0.0.1
# ifconfig fxp0 50.0.0.1
# pfctl -q -t test -T show
  10.0.0.1
  20.0.0.1
  30.0.0.1
  127.0.0.1

Is there some means in pf which correctly resolves the described situations?
For example, like the "me" keyword in ipfw.

-- 
Best regards, Lev Bazanov                          mailto:lev-bazanov at mail.ru
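As an added example (editorial, not part of Lev's post and not anything he tested): pf's own mechanism for the address-change problem is the parenthesized interface syntax, which makes a rule track an interface's current address at match time instead of expanding it once at load time. The interface names are assumed to be the four from the post; the `block ... on fxp0` line is a separate option for the stated goal of dropping everything that arrives on fxp0.

```pf
# Added example, not from the original post. Interface names are assumed
# to be the ones in the post (fxp0, fxp1, fxp3, lo0).

# Static form (what the post shows): "self" and bare interface names are
# expanded to addresses once, when the ruleset is loaded, so after
# "ifconfig fxp0 50.0.0.1" the block rule still matches only 10.0.0.1.
# Left commented out for comparison.
#block drop in quick from any to self

# Dynamic form: an interface name in parentheses is resolved by pf when a
# packet is matched, so the rule follows the interface's current
# address(es) without another "pfctl -f /etc/pf.conf".
block drop in quick from any to (fxp0)
block drop in quick from any to (fxp1)
block drop in quick from any to (fxp3)
block drop in quick from any to (lo0)

# If the real goal is "drop everything arriving on fxp0", match on the
# interface rather than on its address; the address then does not matter.
block drop in quick on fxp0 all

pass in quick all
```

The dynamic form applies to addresses in rules only. Table contents (`table <test> { fxp0 }` or `{ self }`) are still translated to addresses when the ruleset is loaded, as the post's `pfctl -t test -T show` output illustrates, so a table built from interface names has to be reloaded after an address change.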