NetBSD-Users archive
Re: How do people use npf with dhcpcd?
On Mon, 29 Dec 2025, Sad Clouds wrote:
> On Sun, 28 Dec 2025 13:48:02 -0600 (CST)
> "John D. Baker" <jdbaker%consolidated.net@localhost> wrote:
>
> > Good points raised and perhaps others can shed some light on how to deal
> > with a multi-homed interface where one address is statically assigned and
> > the other is dynamic via DHCP.
>
> Strictly speaking "multihomed" refers to a machine with multiple
> network interfaces. If you assigned multiple IP addresses to the same
> interface this is called "IP aliasing".
>
> There may be some security implications when creating such firewall
> designs with only a single interface. It is best to physically isolate
> external and internal subnets, I think.

So, yes, the router is "multihomed" in that it has multiple physical
interfaces. I'm only concerned with the external interface which
participates in two disparate logical networks--one is an RFC1918 private
network to the ADSL modem's config/status interface and the other is
the public IP assigned via DHCP by my ISP. There are only two devices
on this physical connection--the router and the ADSL modem.

I need to be able to track the public IP across changes which is what
the ifaddrs() operator in npf can do, but ifaddrs() returns a list of
all addresses with (currently) no mechanism to select/exclude members
of that list. Rules for the public IP are not appropriate for the
private network and vice versa.

Perhaps always including the addr/mask of the private network or its
negation (and "family ipv4") in every rule will let me do what I need.

--
|/"\ John D. Baker, KN5UKS NetBSD Darwin/MacOS X
|\ / jdbaker[snail]consolidated[flyspeck]net OpenBSD FreeBSD
| X No HTML/proprietary data in email. BSD just sits there and works!
|/ \ GPGkeyID: D703 4A7E 479F 63F8 D3F4 BD99 9572 8F23 E4AD 1645