[CyBerHigh]

Is there some sort of me statment. Where me referse to the IP address that is being used by that particular device. Like lets say we have xl0 with the ip of 192.168.0.33 why do I need to type in that ip? What about dynamic networks where dhcp is used instead of static ips. THis could become a problem IMO.

could I just use the from any to any and be just as secure?

[Scorpions4ever]

You shouldn't need to. ipf allows you to also type the name of the interface (in your case xl0). e.g.
pass out quick on xl0 blah blah blah

Also, see this:
http://www.phildev.net/ipf/IPFques.html#ques9
and this:

[CyBerHigh]

well what I mean is something like

pass out on xl0 proto tcp from 192.168.0.33 to any keep state

the above will work if my ip was 192.168.0.33 however if it changes because on my network I use dhcp it could cause a problem. So should I use that 0/32 thing in your last post? or should I just use any to any.

Also can I use that ftp proxy built into ipf if I am not using the firewall for nating. This is for the firewall script on my server. I am switching from iptables in linux to ipf on freebsd.

[Scorpions4ever]

Actually, here's a better way to do it. Most dhcp clients call /etc/dhclient-exit-hooks when a new lease is obtained (Create one, if it doesn't exist for you). This is a shell script and you can run a program to generate a new ipf rule file and reload ipf. Read man dhclient-script for more info on how this mechanism works. dhclient-script ends up calling dhclient-exit-hooks on the way out. Something like this ought to do it:

Code:

#!/bin/sh
IP=`ifconfig xl0 | grep "inet\ " | awk '{print $2}'`

if [ $IP = "0.0.0.0" ]; then
	# Interface not yet configured. Just exit
	exit 0
fi

# Run rule build here
/usr/local/bin/rulebuild.pl $IP

# Now reload ipf