Subject: Re: IPFilter'ing a PPPeE connection?
To: Johnny Lam <jlam@jgrind.org>
From: Rick Byers <rb-netbsd@BigScaryChildren.net>
List: netbsd-users
Date: 12/07/2001 11:51:41
Yes.  Since most of the traffic on le0 is PPPoE encapsulated, ipfilter
won't even consider it to be IP packets and so won't touch it.  So you
should make all your normal rules on ppp0.

Having said that, I also have some filters set up on my lan interface just
to control TCP/IP access to my ADSL modem.  Most ADSL modems can be
managed over TCP/IP, and have very weak access controls (or big back-doors
in the case of the SpeedTouch modems).  By creating some filters on the
lan interface, I can control who can manage my ADSL modem (and prevent
some types of attacks on the modem).

But for everyday filtering from the internet, you want to use ppp0.

Rick

On Thu, 6 Dec 2001, Johnny Lam wrote:

> Date: Thu, 6 Dec 2001 21:03:44 -0800
> From: Johnny Lam <jlam@jgrind.org>
> To: netbsd-users@netbsd.org
> Subject: IPFilter'ing a PPPeE connection?
>
> I have a newbie-ish question.  I was wondering which interface I should be
> naming in my ipfilter rules if I wished to firewall a DSL connection that
> uses PPPoE.  I'm using rp-pppoe with the DSL modem connected via an Ethernet
> cable to le0.  When the DSL connection is established, ppp0 is configured.
> So the question is: should I be filtering on the ppp0 interface?
>
> 	Thanks,
>
> 	-- Johnny Lam <jlam@jgrind.org>
>
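
An ipf.conf sketch of the layout described in this thread, added here as an illustration and not taken from either poster's configuration. It assumes le0 carries only the link to the modem, and the addresses (10.0.0.1 for the NetBSD host's le0, 10.0.0.138 for the modem) and the HTTP management port are constructed placeholders.

```conf
# /etc/ipf.conf (added example; all addresses and ports are assumptions)

# --- ppp0: the PPPoE session. Internet IP traffic is visible here, ---
# --- so the everyday rules go on this interface.                   ---
# Default-deny anything arriving from the Internet.
block in log on ppp0 all
# Drop packets claiming a private source address.
block in log quick on ppp0 from 10.0.0.0/8 to any
block in log quick on ppp0 from 172.16.0.0/12 to any
block in log quick on ppp0 from 192.168.0.0/16 to any
# Allow outbound connections; replies are admitted by the state table.
pass out quick on ppp0 proto tcp from any to any flags S keep state
pass out quick on ppp0 proto udp from any to any keep state
pass out quick on ppp0 proto icmp from any to any keep state

# --- le0: Ethernet to the ADSL modem. PPPoE frames are not IP, so ---
# --- these rules only affect plain TCP/IP aimed at the modem.     ---
# Only this host may open a management session to the modem
# (port 80 assumed; substitute whatever the modem actually listens on).
pass out quick on le0 proto tcp from 10.0.0.1 to 10.0.0.138 port = 80 flags S keep state
# Everything else addressed to the modem, including forwarded traffic
# from other hosts, is refused and logged.
block out log quick on le0 from any to 10.0.0.138
# The modem gets no unsolicited IP access to this host.
block in log quick on le0 from 10.0.0.138 to any
```

State entries are checked before the rule list, so replies to the permitted management session still pass the final le0 block.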