>  What if two systems being used as redundant firewalls had different network 
> cards? This would make the names of the interfaces different, resulting in 
> rule sets that were not the same, preventing per-rule state timeouts from 
> being properly applied.

1)  "egress" can be used to reference the external NIC in a rule, instead of 
having a specific IP.  Egress is defined as the NIC with the default route.
pass in quick log on egress inet proto tcp to (egress) port 22

2)  Both of the firewall IP addresses can be in a rule if egress is not 
suitable for your topology, something like this will sync over cleanly with 
pfsync:
pass in quick log on $ext_if inet proto tcp to { $fw1_ext $fw2_ext } port 22
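
The two approaches side by side with the fragile per-host form, as an added pf.conf example that is not part of the message above. The interface names (em0 on one firewall, bge0 on the other), the 203.0.113.x addresses and the per-rule timeout are made up for illustration:

```pf
# Added example, not from the original message. Assumed topology: fw1's
# outside NIC is em0 with 203.0.113.11, fw2's is bge0 with 203.0.113.12.

# Fragile: the rule is written differently on each host, so the per-rule
# state timeout is attached to a rule that has no identical twin on the peer.
#   on fw1:  pass in quick log on em0  inet proto tcp to 203.0.113.11 port 22 \
#                keep state (tcp.established 3600)
#   on fw2:  pass in quick log on bge0 inet proto tcp to 203.0.113.12 port 22 \
#                keep state (tcp.established 3600)

# Portable form 1: "egress" is the interface group containing the interface
# that holds the default route; "(egress)" in parentheses is resolved to
# that interface's addresses at run time, so the rule is byte-identical on
# both firewalls regardless of the NIC driver name.
pass in quick log on egress inet proto tcp to (egress) port 22 \
    keep state (tcp.established 3600)

# Portable form 2: when egress does not fit the topology, name both
# firewalls' outside addresses. Only the ext_if macro is host-specific;
# the rule itself and its position in the ruleset are the same on both.
fw1_ext = "203.0.113.11"
fw2_ext = "203.0.113.12"
ext_if  = "em0"        # "bge0" on fw2; set per host, rule text below unchanged
pass in quick log on $ext_if inet proto tcp to { $fw1_ext $fw2_ext } port 22 \
    keep state (tcp.established 3600)
```

Macros are expanded by pfctl when the ruleset is loaded, and pfsync identifies the rule a state belongs to by its position in the loaded ruleset, so what has to match between the peers is the sequence of rules, not the interface name behind a macro. Running `pfctl -nf /etc/pf.conf` on each host before enabling pfsync is the cheap check that both copies parse and load the same set of rules.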
