Subject: Re: pf doesn't start normally anymore
To: Peter Postma <peter@pointless.nl>
From: Greg Troxel <gdt@ir.bbn.com>
List: tech-security
Date: 08/11/2005 14:50:34
Peter Postma <peter@pointless.nl> writes:

> I think that I know what's wrong. When /etc/rc.d/pf is executed, wm0
> doesn't have an IP address yet. So the rule parsing fails here:
> "from any to $ext_if", $ext_if should resolve to IP address(es) but wm0
> doesn't have an address so this fails. You'll probably see the message:
> "no IP address found for wm0".

I have found (with ipfilter) that I wished I could write rules that
talk not only about in and out, but about 'up' and 'down', so that I
could separate protecting the host from the router portion of the
firewall.  The lack of this has led me to write rules that block
packets to 'my' addresses, which require addresses to be present.

There is also the option of compiling a default block into the kernel.
I suppose startup scripts could install a block all, bring up networks,
and then install the real ruleset.


-- 
        Greg Troxel <gdt@ir.bbn.com>
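Added example, not code from the mail or from NetBSD's rc.d: a sketch of the two-stage start Greg suggests, written as POSIX sh functions. Stage 1 loads a ruleset that names no addresses, so it parses no matter how early it runs; the network is brought up; stage 2 loads the real ruleset once the addresses exist. It also includes a small check for the kind of rule that caused Peter's failure, a bare "to $ext_if" that pfctl must expand to wm0's address(es) at load time, as opposed to "to ($ext_if)", which pf.conf(5) resolves at filtering time and re-resolves when the address changes. The interface name wm0 (from Peter's message), the path /etc/pf.conf, the sample ruleset and the rc.d wiring are all assumptions for illustration; the pfctl flags used are the standard -f file, -f - (read rules from stdin) and -e.

```shell
#!/bin/sh
# Added example, not from the original mail: a two-stage pf start-up in
# the spirit of Greg's suggestion.  Stage 1 loads a ruleset that names no
# addresses, so it parses before wm0 is configured; the network is then
# brought up; stage 2 loads the real ruleset once addresses exist.
#
# Assumptions (hypothetical, not from the page): the interface name wm0
# (from Peter's message), the ruleset path /etc/pf.conf, and that the
# caller wires these functions into rc.d ordering.  The pfctl flags used
# are the standard ones (-f file, -f - for stdin, -e).

PFCTL=${PFCTL:-pfctl}
EXT_IF=${EXT_IF:-wm0}
REAL_RULES=${REAL_RULES:-/etc/pf.conf}

# Stage 1 ruleset.  It mentions no interface addresses, so pfctl cannot
# fail with "no IP address found for wm0" however early it is loaded.
# Anything the boot needs before stage 2 must be passed here explicitly.
bootstrap_ruleset() {
    cat <<'EOF'
set skip on lo0
block all
EOF
}

# Constructed sample of the kind of ruleset that trips the problem in the
# thread: the bare "to $ext_if" in the fifth line is expanded to wm0's
# address(es) when pfctl parses the file, so it fails if wm0 has none.
# "to ($ext_if)" is different: pf.conf(5) resolves a parenthesised
# interface name at filtering time and re-resolves it when the address
# changes, so that rule parses with no address present.
sample_ruleset() {
    cat <<'EOF'
ext_if = "wm0"
set skip on lo0
block in on $ext_if
pass out on $ext_if keep state
block in on $ext_if from any to $ext_if
pass in on $ext_if proto tcp from any to ($ext_if) port 22 keep state
EOF
}

# Print the rules in $1 (a file, or - for stdin) whose "from"/"to" uses
# the macro $2 without parentheses, i.e. rules that only parse once the
# interface has an address.  Exit status 0 if any were found, 1 if none.
address_dependent_rules() {
    grep -E '(from|to)[[:space:]]+\$'"$2"'([^[:alnum:]_]|$)' "$1"
}

# True if interface $1 currently has an IPv4 address configured.
has_address() {
    ifconfig "$1" 2>/dev/null | grep -q 'inet '
}

# Placeholder for the network start that rc.d runs between the stages.
bring_up_network() {
    : "ifconfig/dhcp of $EXT_IF happens here in the real boot sequence"
}

# The two-stage start.  Each pfctl call goes through $PFCTL so the
# sequence can be exercised without root or a pf kernel.
two_stage_start() {
    bootstrap_ruleset | "$PFCTL" -f -     # stage 1: block all, no addresses needed
    "$PFCTL" -e
    bring_up_network
    if ! has_address "$EXT_IF"; then
        echo "warning: $EXT_IF still has no address; rules resolving it will fail" >&2
    fi
    "$PFCTL" -f "$REAL_RULES"             # stage 2: the real ruleset
}

# Run the sequence only when invoked as "script start".
if [ "${1:-}" = "start" ]; then
    two_stage_start
fi
```

The order matters for the reason Greg gives: the bootstrap ruleset is loaded and pf enabled before any interface is configured, so there is never a window with the network up and no filter, and the only ruleset that needs wm0's address is loaded after wm0 has one. The address_dependent_rules check is a cheap way to find the rules that would still break if the real ruleset were ever loaded early; rewriting them with the parenthesised interface form removes the dependency altogether.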