From: jared r r spiegel (jrrsice-nine.org)
Date: Fri Aug 22 2008 - 09:46:13 CDT
On Fri, Aug 22, 2008 at 04:16:38PM +0200, Harald Dunkel wrote:
> Hi folks,
> Question: How can I make sure that "em2" doesn't become "em0"
> if my dual-port NIC dies? This would be fatal for my firewall
> setup. At least the antispoof rules _must_ be bound to the
> network devices.

first thing that comes to mind is to create unique interface
groups for each iface and then write pf based on that.
you'll still have to deal with the fallout after reboot
after a failure, but at least if the hardware for whatever
reason did happen to disappear during operation, you'd
be insulated against the immediate change (tho maybe pf
already handles that)

other than that, assuming the PCI locations or whatever
stay consistent through reboots (like, put 3 nics in, boot,
see where they are, pull the middle one, see if 1 and 3 are
still at the same points in dmesg even tho their ifnums
will change), you could maybe break apart the 'em* at pci*'
(or whatever it is) in config(8) and make individual ones
based on where you want them. if that doesn't work in
config(8) you probably have to make your own kernel.

so you could do a little work and get a marginal benefit
or spend a (potentially *LOT*) lot more time and force
barring any better suggestions, of course.
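
The dmesg comparison suggested in the reply can be automated as a pre-flight check that runs before the ruleset is loaded. The sketch below is an added example, not part of the original post: the dmesg text is constructed, and `EXPECTED`, `last_boot`, `parse_attach` and `check` are hypothetical names. It assumes attach lines of the form `emN at pciB dev D function F ... address MAC`.

```python
import re
import sys

# Constructed dmesg buffer holding two boots: boot 1 has all three NICs; in
# boot 2 the dual-port card is gone and the surviving NIC was renumbered em2 -> em0.
SAMPLE_DMESG = """\
OpenBSD X.Y (GENERIC) #0: constructed sample
em0 at pci2 dev 0 function 0 "Intel PRO/1000" rev 0x06: apic 2 int 16, address 00:00:5e:00:53:01
em1 at pci2 dev 0 function 1 "Intel PRO/1000" rev 0x06: apic 2 int 17, address 00:00:5e:00:53:02
em2 at pci4 dev 0 function 0 "Intel PRO/1000" rev 0x03: apic 2 int 18, address 00:00:5e:00:53:03
OpenBSD X.Y (GENERIC) #0: constructed sample
em0 at pci4 dev 0 function 0 "Intel PRO/1000" rev 0x03: apic 2 int 18, address 00:00:5e:00:53:03
"""

# Hypothetical map: the PCI location each interface name in pf.conf must have.
EXPECTED = {"em0": "pci2:0:0", "em1": "pci2:0:1", "em2": "pci4:0:0"}

ATTACH = re.compile(
    r"^([a-z]+\d+) at (pci\d+) dev (\d+) function (\d+) "
    r".*address ((?:[0-9a-f]{2}:){5}[0-9a-f]{2})", re.M)

def last_boot(dmesg):
    """Keep only the most recent boot; the buffer can hold older ones."""
    starts = [m.start() for m in re.finditer(r"^OpenBSD ", dmesg, re.M)]
    return dmesg[starts[-1]:] if starts else dmesg

def parse_attach(dmesg):
    """Map interface name -> (PCI location, MAC address) for the last boot."""
    return {m[1]: (f"{m[2]}:{m[3]}:{m[4]}", m[5])
            for m in ATTACH.finditer(last_boot(dmesg))}

def check(dmesg, expected):
    """Return a list of mismatches; an empty list means names are where pf.conf assumes."""
    found = parse_attach(dmesg)
    problems = []
    for ifname, loc in sorted(expected.items()):
        if ifname not in found:
            problems.append(f"{ifname}: missing (expected at {loc})")
        elif found[ifname][0] != loc:
            problems.append(f"{ifname}: at {found[ifname][0]}, expected {loc}")
    return problems

if __name__ == "__main__":
    issues = check(SAMPLE_DMESG, EXPECTED)
    print("\n".join(issues) or "interface layout matches")
    sys.exit(1 if issues else 0)  # non-zero exit: do not load the ruleset
```

On the constructed input the check reports that em0 now sits at the third NIC's location and that em1 and em2 are missing, which is the renumbering case the original question describes.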