From: jared r r spiegel (jrrsice-nine.org)
Date: Fri Aug 22 2008 - 09:46:13 CDT

• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Fri, Aug 22, 2008 at 04:16:38PM +0200, Harald Dunkel wrote:
> Hi folks,
>
> Question: How can I make sure that "em2" doesn't become "em0"
> if my dual-port NIC dies? This would be fatal for my firewall
> setup. At least the antispoof rules _must_ be bound to the
> network devices.

  first thing that comes to mind is to create unique interface
  groups for each iface and then write pf based on that.

  you'll still have to deal with the fallout after reboot
  after a failure, but at least if the hardware for whatever
  reason did happen to disappear during operation, you'd
  be insulated against the immediate change (tho maybe pf
  already handles that)

  other than that, assuming the PCI locations or whatever
  stay consistent through reboots (like, put 3 nics in, boot,
  see where they are, pull the middle one, see if 1 and 3 are
  still at the same points in dmesg even tho their ifnums
  will change), you could maybe break apart the 'em* at pci*'
  (or whatever it is) in config(8) and make individual ones
  based on where you want them. if that doesn't work in
  config(8) you probably have to make your own kernel.
  
  so you could do a little work and get a marginal benefit
  or spend a (potentially *LOT*) lot more time and force
  things specifically.

  barring any better suggestions, of course.

--

  jared

• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]