On Wed, Jun 15, 2005 at 11:31:08AM +0200, Nino Dehne wrote:
> > > 2) Should state entries remain flushable even with securelevel 2?
> > 
> > No, any action from pfctl that changes things like rules, states, etc.
> > is not possible at securelevel 2. So in your case it would probably be
> > better to run at securelevel 1.
> 
> Yes, it's probably best to enforce a strict policy that disallows any
> modifications - even of dynamically created structures - at securelevel 2.
> 
> However, I still believe that for rules - and only rules - like
> 
>    nat on pppoe0 inet from (vlan1:network) to any -> (pppoe0)
> 
> the resulting states should somehow inherit the dynamic nature of the peer
> addresses. Just a gut feeling though.
> 

With this rule, new states will get the right address if it changes on
pppoe0, but AFAIK, the old states should not change (and will disappear
eventually).

-- 
Peter Postma