Solved IPFW "me" analog in PF

[slavka]

Hi everyone! I have got a problem. My router have about 10 network interfaces (1 physical and 9 vlan-based), I use PF to restrict access to service devices (e.g. switches, phones). Now, I use a macro for definition of network interfaces, like:

int_list="{ em0.10, em0.11, em0.12, em0.14, em0.16, em0.18 }"

And this macro I use in my ruleset. I think, it's not good idea.

Does PF has something like "me" from IPFW?

 

[diizzy]

What do you want instead?
//Danne

 

[junovitch@]

self would be all addresses on the box. Example pf.conf:

pass in on $wan_ifs inet proto icmp to self icmp-type echoreq

When it comes to interfaces, what you are doing is perfectly valid. If you want to factor that in with IPs in a more fine grained manner, here's some modifiers you can use on interfaces names. The full details are in pf.conf(5).

Interface names and interface group names can have modifiers appended:

:network Translates to the network(s) attached to the interface.
:broadcast Translates to the interface's broadcast address(es).
:peer Translates to the point-to-point interface's peer address(es).
:0 Do not include interface aliases.

If that's not enough to get you on the right track, some more detail on what you are trying to do would be helpful.

 

[slavka]

self would be all addresses on the box.

Thanks! It's works for me!