Subject: Re: pf and state entries at securelevel 2
To: Martin Husemann <martin@duskware.de>
From: Nino Dehne <ndehne@gmail.com>
List: tech-net
Date: 06/15/2005 11:43:08
On Wed, Jun 15, 2005 at 10:05:53AM +0200, Martin Husemann wrote:
> > 1) Should pf update state entries which are the result of a rule with
> > "dynamic" address syntax?
>
> You mean automagically? I don't think that can easily be done - for example
> I have a fixed IP on my pppoe0 interface, but the stupid DSL provider
> disconnects the link after 24h - it gets back up immediately, with the same
> IP and I'm glad nothing killed any state in between.
Right, because pppoe(4) is usually configured with placeholder addresses. So
even a down-up event with the same resulting public address would trigger a
change twice. Didn't think of that.
> This, of course, could be configurable.
>
> > 2) Should state entries remain flushable even with securelevel 2?
>
> Maybe we could allow this (via a sysctl setting unchangeable at
> securelevel > 1) optionally.
Hmm, yet another knob. :/
I'm curious, how do people handle the situation of a changing public address
in combination with pf? Do you just let the states time out or do you do a flush
in your if-up.sh script?
In another mail I expressed the concern that existing states with a now invalid
source address could lead to "spoofed" packets being sent to the outside. Is
this actually true?
ND
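As an added illustration of the if-up.sh approach discussed above (not code from the thread or from pf): a hook that remembers the last public address of an interface and only asks for a state flush when the address really changed, so a reconnect that comes back with the same IP keeps its states, and that reports instead of failing silently when securelevel forbids the flush. The state directory, the pppoe placeholder address and the sysctl/pfctl calls are assumptions for the example.

```shell
#!/bin/sh
# Added example, not from the thread: flush pf states from an if-up hook only
# when the interface's address actually changed.
STATE_DIR="${STATE_DIR:-/var/run/pf-addr}"   # assumed location for saved addresses
PLACEHOLDER="${PLACEHOLDER:-0.0.0.0}"         # assumed pppoe(4) placeholder address

# Returns 0 (flush) when the new address is real, differs from the saved one,
# and is not the placeholder; 1 otherwise (same IP after reconnect, link still
# negotiating, or no address at all).
flush_needed() {
    old="$1"; new="$2"
    [ -n "$new" ] && [ "$new" != "$PLACEHOLDER" ] && [ "$new" != "$old" ]
}

# pf refuses to flush states at securelevel > 1 (the thread's point), so the
# hook must know whether a flush is even possible.
can_flush() {
    [ "$1" -le 1 ]
}

# First inet address on the interface, taken from ifconfig(8) output.
current_addr() {
    ifconfig "$1" 2>/dev/null | awk '$1 == "inet" { print $2; exit }'
}

# The hook body: compare saved and current address, flush if changed,
# otherwise leave existing states alone.
on_if_up() {
    ifname="$1"
    level=$(sysctl -n kern.securelevel 2>/dev/null || echo 0)
    mkdir -p "$STATE_DIR"
    old=$(cat "$STATE_DIR/$ifname" 2>/dev/null)
    new=$(current_addr "$ifname")
    if flush_needed "$old" "$new"; then
        if can_flush "$level"; then
            pfctl -F states
        else
            logger -t if-up "pf states for $ifname stale ($old -> $new) but securelevel=$level forbids flush"
        fi
        printf '%s\n' "$new" > "$STATE_DIR/$ifname"
    fi
}

# Run as a hook with the interface name as first argument.
if [ -n "${1:-}" ]; then
    on_if_up "$1"
fi
```

Flushing every state on address change is still coarse: it also drops states unrelated to the interface that changed, which is why a per-rule update, as discussed in the thread, would be preferable.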