Subject: pf and state entries at securelevel 2
To: None <tech-net@netbsd.org>
From: Nino Dehne <ndehne@gmail.com>
List: tech-net
Date: 06/15/2005 07:09:32
Hi,

in the ongoing quest to build me a small secure router, I went on to
look into running the box (3.0_BETA) with securelevel 2. As expected,
pf rules become unchangeable, as do the state tables. The latter is
actually troublesome for me as follows. I just want to present the
situation as it is.

I run ifwatchd(8) on a pppoe(4) interface. The pf ruleset is designed
to be independent from address changes by using ($interface) and
($interface:network) syntax. In my if-up.sh script I used to flush the
state table with pf -F state so that established ssh sessions for
example would get reset immediately. I find that this is not possible
with securelevel 2. I need to wait for the ssh client to time out its
connection, after which the connection is _still_ present in the state
table with the old address and as ESTABLISHED:ESTABLISHED, probably
lingering for tcp.established = 86400s.

My questions are now:

1) Should pf update state entries which are the result of a rule with
"dynamic" address syntax?
2) Should state entries remain flushable even with securelevel 2?
3) Something else?

Based on my expectations on how things are supposed to work, I would
actually prefer option 1.

Has this bothered anyone else or am I the only one (again)? :)

Thanks

ND
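A small audit script, added here as an example and not part of the original mail or of pf: it parses `pfctl -ss` output and lists the state entries on a given interface whose local endpoint is no longer the interface's current address, i.e. exactly the ESTABLISHED:ESTABLISHED entries that linger after a pppoe re-dial when the table cannot be flushed at securelevel 2. The line format assumed for `pfctl -ss` (left-hand address is always the host's own endpoint) and the sample state lines are constructed assumptions.

```python
import re
from typing import Dict, List

# Parses one line of `pfctl -ss` output. Assumption: the format is
# "<ifname> <proto> <local>:<port> <-|-> <remote>:<port>   STATE:STATE",
# with the left-hand address always being the host's own endpoint
# (optional "(addr:port)" NAT annotations are skipped, IPv4 only).
STATE_RE = re.compile(
    r"^(?P<ifname>\S+)\s+(?P<proto>\w+)\s+"
    r"(?P<local>[\d.]+):(?P<lport>\d+)\s+(?:\([^)]*\)\s+)?"
    r"(?P<direction><->|<-|->)\s+"
    r"(?P<remote>[\d.]+):(?P<rport>\d+)\s+(?:\([^)]*\)\s+)?"
    r"(?P<state>\S+)\s*$"
)


def parse_states(output: str) -> List[Dict[str, str]]:
    """Turn `pfctl -ss` text into a list of dicts; unparseable lines are skipped."""
    entries = []
    for line in output.splitlines():
        m = STATE_RE.match(line.strip())
        if m:
            entries.append(m.groupdict())
    return entries


def stale_states(output: str, ifname: str, current_addr: str) -> List[Dict[str, str]]:
    """Entries on ifname whose local endpoint is not the interface's current address.

    These are the states that survive an address change when the table
    cannot be flushed (securelevel 2); they only age out on their own
    timeout, e.g. tcp.established for ESTABLISHED:ESTABLISHED entries.
    """
    return [e for e in parse_states(output)
            if e["ifname"] == ifname and e["local"] != current_addr]


# Constructed sample: pppoe0 was re-dialed from 203.0.113.5 to 203.0.113.77.
SAMPLE = """\
pppoe0 tcp 203.0.113.5:22 <- 198.51.100.9:51234       ESTABLISHED:ESTABLISHED
pppoe0 tcp 203.0.113.77:22 <- 198.51.100.9:51240       ESTABLISHED:ESTABLISHED
pppoe0 udp 203.0.113.77:53123 -> 192.0.2.53:53       MULTIPLE:SINGLE
self tcp 192.168.1.1:22 <- 192.168.1.20:40000       ESTABLISHED:ESTABLISHED
"""

if __name__ == "__main__":
    for e in stale_states(SAMPLE, "pppoe0", "203.0.113.77"):
        print(f"stale: {e['proto']} {e['local']}:{e['lport']} {e['direction']} "
              f"{e['remote']}:{e['rport']} {e['state']}")
```

On a live box, feed it `pfctl -ss` output and the address from `ifconfig pppoe0`; at securelevel 2 it can only report the stale entries, not remove them.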