Paul B. Henson (hen...@acm.org) on 2020.06.07 15:23:16 -0700:
> On 6/5/2020 11:15 PM, obs...@loopw.com wrote:
>
> > 1) "egress" can be used to reference the external nic in a rule,
> > instead of having a specific IP. Egress is defined as the nic with
> > the default route.
> >
> > pass in quick log on egress inet proto tcp to (egress) port 22
>
> Ah, I think I've seen that in the past but did not remember it offhand.
> Thanks; although these boxes run OSPF and the default route changes
> depending on the network state, so I'm not sure that this would work.
Depending on what you are doing, you can also use interface groups to refer
to interfaces, and if you put only one interface into a unique group, you can
thereby refer in pf to a single interface by its group. That way different
interfaces that serve the same function on your two systems can still be used
with an identical ruleset.

> > 2) Both of the firewall IP addresses can be in a rule if egress is
> > not suitable for your topology, something like this will sync over
> > cleanly with pfsync:
> >
> > pass in quick log on $ext_if inet proto tcp to { $fw1_ext $fw2_ext } port 22
>
> I thought about doing that, but I ended up just making a table with a
> single IP address in it, each router having the appropriate IP address
> in the table, and the rule referencing the table being exactly the same
> on both. Everything is working properly now.

Or use groups again.

> I do still wonder if this requirement is documented anywhere? I've been
> looking, and could not find it. It was very confusing trying to sort out
> why my states were mysteriously disappearing, I ended up having to add
> some extra debugging code in the kernel to figure out what was happening.

This is indeed not very well documented, if at all. Maybe you can create a
diff for the pfsync(4) manpage?

/Benno
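The approaches discussed in the thread (egress, a one-interface group, a per-host table with a single entry, and the two-address rule), collected into one pf.conf fragment. This is an added example for this page, not configuration posted by any of the participants; the interface names em0/em1, the group name fwext, the table name fw_self, the file path /etc/pf.fw_self and the 192.0.2.x addresses are assumptions chosen for illustration.

```pf
# Added example (not from the thread): the same SSH-to-the-firewall rule
# written so that the pf.conf text is identical on both pfsync peers.
# Interface names, group name, table name, file path and addresses are
# assumed for illustration.

# 1) egress: the interface carrying the default route. Only usable when
#    the default route is stable; with OSPF it may move between NICs.
pass in quick log on egress inet proto tcp to (egress) port 22

# 2) An interface group containing exactly one interface on each host.
#    Create it outside pf.conf, e.g. a "group fwext" line in
#    /etc/hostname.em0 on fw1 and /etc/hostname.em1 on fw2, or at runtime
#    with "ifconfig em0 group fwext" / "ifconfig em1 group fwext".
#    pf accepts the group name wherever an interface name is allowed, and
#    the parenthesised form is re-evaluated when the address changes.
pass in quick log on fwext inet proto tcp to (fwext) port 22

# 3) A table with a single entry, loaded from a per-host file. The file
#    differs (fw1: 192.0.2.1, fw2: 192.0.2.2); the rule text does not.
table <fw_self> persist file "/etc/pf.fw_self"
pass in quick log on fwext inet proto tcp to <fw_self> port 22

# 4) Both firewall addresses in one rule, as suggested in the thread.
pass in quick log on fwext inet proto tcp to { 192.0.2.1 192.0.2.2 } port 22
```

Only one of the four rules is needed in a real ruleset. Before reloading on either peer, check the syntax with `pfctl -nf /etc/pf.conf`; after loading, compare the `Checksum:` line of `pfctl -s info` on both hosts, which is a quick way to confirm the two rulesets really are identical before chasing disappearing states.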