PF Question: Multiple IP addresses on a single interface

Hello, I've got a question about configuring PF. I have an interface (vtnet0) that has 2 IP addresses assigned to it. I want to block incoming ICMP traffic to the second IP address (while permitting it to the first one). How can I do that?

I currently have the following rule in pf.conf which works fine for allowing ICMP traffic on the second IP address while blocking it on the first one:

Code:
block on vtnet0 proto icmp from any to (vtnet0:0)

But how to do it the other way round? I've tried to put in "(vtnet0:1)", but that results in an error about the syntax being incorrect.
Unfortunately :0 is not an index into interface addresses but merely the name of the option to not include aliases, so there is no :1 - :n.
Code:
           :0            Do not include interface aliases.

           Host names may also have the :0 option appended to restrict the
           name resolution to the first of each v4 and v6 address found.
You'd have to specify the exact address instead, which could prove problematic if it is somehow dynamic.

Using the quick option, you could use two rules. First one permits ICMP to the first address only, second rule blocks ICMP to any remaining addresses:
Code:
pass in quick on vtnet0 proto icmp to (vtnet0:0)
block in quick on vtnet0 proto icmp to (vtnet0)
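A fuller pf.conf putting the two-rule answer next to the explicit-address alternative from the earlier reply, as an added example rather than a ruleset from the thread; the interface name is the poster's, the two addresses and the default-deny policy are assumptions:

```conf
# Added example, not from the thread. Addresses are placeholders (TEST-NET-1).
ext_if     = "vtnet0"
primary_ip = "192.0.2.10"   # the interface's first (non-alias) address
alias_ip   = "192.0.2.11"   # the second address, configured as an alias

set skip on lo0
scrub in all

# Default deny; "log" sends dropped packets to pflog0 so the ICMP policy can be
# verified with: tcpdump -n -e -ttt -i pflog0 icmp
block in log all
pass out all keep state

# Variant A (from the thread): address-independent. ($ext_if:0) expands to the
# first address only, ($ext_if) to every address on the interface. "quick"
# stops evaluation at the first match, so the pass must come before the block.
pass in quick on $ext_if inet proto icmp to ($ext_if:0) icmp-type { echoreq, unreach }
block in quick on $ext_if inet proto icmp to ($ext_if)

# Variant B: explicit addresses via macros. Not dependent on which address PF
# treats as first, but must be edited if the addresses change.
# pass in quick on $ext_if inet proto icmp to $primary_ip icmp-type { echoreq, unreach }
# block in quick on $ext_if inet proto icmp to $alias_ip

# Check the syntax before loading, then confirm the expanded rules:
#   pfctl -nf /etc/pf.conf
#   pfctl -f /etc/pf.conf && pfctl -vsr
```

With either variant, `pfctl -vsr` shows the per-rule packet counters, so a ping to each address confirms which rule actually matched.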