Subject: Re: IPFilter IPv6 configuration
To: Steven M. Bellovin <smb@cs.columbia.edu>
From: Ronald van der Pol <Ronald.vanderPol@rvdp.org>
List: tech-net
Date: 04/06/2005 11:59:56

On Tue, Apr 05, 2005 at 12:50:53 -0400, Steven M. Bellovin wrote:
> The proper way to do it, in my opinion, is to separate topology from
> policy. For example -- and this is *not* a suggestion about proper
> syntax, though I think it's close -- you might want to say something like:
>
>
> allow service any from localhost;
> allow service smtp from any to mailhost;
> allow service netbios from roadwarriors to fileserver;
>
> localhost = {if:lo0};
> mailhost = {smtp.example.com, ipv4:192.168.0.0/24, ipv6:2004::0102:0304:0506};
> fileserver = { ipv4:10.1.1.1};
>
> netbios = {udp:135-139};

That would be nice. The macros and lists of pf(4) can do some of these things.
rvdp
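
Added example, not part of the original message and not code from pf(4) or IPFilter: a small Python expander for the syntax sketched in the quoted text, showing how one policy line turns into per-address-family rules when topology is kept in separate group definitions. The smtp service definition, the roadwarriors addresses and all function names are assumptions; the hostname and interface members of the sketch are left out.

```python
import ipaddress
import re

# Constructed input in the sketched syntax from the quoted message.
# "smtp" and "roadwarriors" are not defined there; these values are placeholders.
TOPOLOGY = """
mailhost = {ipv4:192.168.0.0/24, ipv6:2004::0102:0304:0506};
fileserver = {ipv4:10.1.1.1};
roadwarriors = {ipv4:198.51.100.0/24, ipv6:2001:db8:77::/48};
netbios = {udp:135-139};
smtp = {tcp:25};
"""
POLICY = """
allow service smtp from any to mailhost;
allow service netbios from roadwarriors to fileserver;
"""

def parse_groups(text):
    """Return {name: [(kind, value), ...]} from 'name = {kind:value, ...};' lines."""
    groups = {}
    for name, body in re.findall(r"(\w+)\s*=\s*\{([^}]*)\}\s*;", text):
        groups[name] = [tuple(m.strip().split(":", 1)) for m in body.split(",")]
    return groups

def addrs(groups, name, family):
    """Networks of one address family in a group; 'any' is that family's default route."""
    if name == "any":
        return [ipaddress.ip_network("0.0.0.0/0" if family == "ipv4" else "::/0")]
    return [ipaddress.ip_network(v, strict=False) for k, v in groups[name] if k == family]

def expand(policy, groups):
    """Expand each policy line into (family, proto, ports, src, dst) rules."""
    rules = []
    pat = r"allow service (\w+) from (\w+) to (\w+)\s*;"
    for svc, src, dst in re.findall(pat, policy):
        for proto, ports in groups[svc]:
            for fam in ("ipv4", "ipv6"):
                # A rule exists only where both ends have an address in this family.
                for s in addrs(groups, src, fam):
                    for d in addrs(groups, dst, fam):
                        rules.append((fam, proto, ports, str(s), str(d)))
    return rules

if __name__ == "__main__":
    for rule in expand(POLICY, parse_groups(TOPOLOGY)):
        print(rule)
```

Because fileserver has only an IPv4 address, the netbios policy line produces no IPv6 rule; adding an ipv6 member to that group would extend the rule set without touching the policy.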