On 6/5/2020 11:15 PM, obs...@loopw.com wrote:

> 1) “egress” can be used to reference the external nic in a rule,
> instead of having a specific IP. Egress is defined as the nic with
> the default route.
>
>     pass in quick log on egress inet proto tcp to (egress) port 22

Ah, I think I've seen that in the past but did not remember it offhand. Thanks; although these boxes run OSPF and the default route changes depending on the network state, so I'm not sure that this would work.

> 2) Both of the firewall IP addresses can be in a rule if egress is
> not suitable for your topology, something like this will sync over
> cleanly with pfsync:
>
>     pass in quick log on $ext_if inet proto tcp to { $fw1_ext $fw2_ext } port 22

I thought about doing that, but I ended up just making a table with a single IP address in it, each router having the appropriate IP address in the table, and the rule referencing the table being exactly the same on both. Everything is working properly now.

I do still wonder if this requirement is documented anywhere? I've been looking, and could not find it. It was very confusing trying to sort out why my states were mysteriously disappearing; I ended up having to add some extra debugging code in the kernel to figure out what was happening.

Thanks…
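For reference, here is the table-based layout described above written out as a pf.conf fragment. This is an added example, not configuration from either poster: the interface name em0 and the 192.0.2.x addresses are assumed placeholders, and the premise (taken from the thread) is that the rule text must be identical on both firewalls for pfsync to sync states cleanly.

```pf
# Added example (not from the thread): a pf.conf fragment carried by both
# firewalls. Interface name and addresses are assumed placeholders.
ext_if = "em0"

# fw1 puts its own external address here; fw2 puts its own (say 192.0.2.2)
# in a table of the same name. This is the only line that differs per host.
table <self_ext> { 192.0.2.1 }

# Identical on both hosts: the rule references the table name, not an
# address, so the ruleset seen by pfsync is the same on each peer.
pass in quick log on $ext_if inet proto tcp to <self_ext> port 22

# The two alternatives raised in the thread, for comparison (commented out):
#
# "egress" resolves to the interface holding the default route; with OSPF
# moving that route around it may not always be the external NIC:
#   pass in quick log on egress inet proto tcp to (egress) port 22
#
# Listing both firewall addresses also keeps the rule text identical on
# both hosts, if the topology makes that acceptable:
#   pass in quick log on $ext_if inet proto tcp to { $fw1_ext $fw2_ext } port 22
```

To confirm the setup on each host, `pfctl -t self_ext -T show` should print only that host's own address, while `pfctl -sr` should print the same rule line on both firewalls.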
