I have 4.3 (clean install from CDs) running on a pair of Intel servers that will
serve as a CARP firewall. The 2 servers each have a separate interface which I
am using for pfsync with a crossover cable. I have added a group name to the
pfsync interface called "pfsyncif".
If I add a "set skip on pfsyncif" to my pf.conf, the pfsync traffic is still
blocked by pf (seen in tcpdump of pflog0). If I use the actual interface name
(i.e. "set skip on em3"), the "set skip" works perfectly and my pfsync traffic
is not blocked.
I can see the group name in the output of ifconfig:
# ifconfig em3
em3: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
lladdr 00:30:48:87:c6:b9
description: pfsync interface
groups: pfsyncif
media: Ethernet autoselect (1000baseT full-duplex,master,rxpause,txpause)
status: active
inet 192.168.7.2 netmask 0xffffff00 broadcast 192.168.7.255
inet6 fe80::230:48ff:fe87:c6b9%em3 prefixlen 64 scopeid 0x4
I am trying to use group names for my interfaces so that I can use the same
pf.conf on multiple firewalls even if they have different hardware for the devices.
Am I missing something or does this just not work this way?
Thanks,
- Aner
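For reference, an added example (not from the original post, and not an answer to it) of how the pfsync interface group and pf.conf rules keyed on that group might look; it assumes OpenBSD hostname.if(5) and pf.conf(5) syntax of that era, the interface em3 and the 192.168.7.0/24 crossover network from the post, and the group name pfsyncif. The pass rules show the group name used in an ordinary rule as an alternative to "set skip"; whether "set skip on" a group works on this release is exactly the open question of the post and is not asserted here.

```conf
# /etc/hostname.em3 -- assigns the address, description and group at boot
# (each line is handed to ifconfig, so "group pfsyncif" puts em3 in the group)
inet 192.168.7.2 255.255.255.0 NONE description "pfsync interface" group pfsyncif

# /etc/hostname.pfsync0 -- bind pfsync to the crossover interface
syncdev em3

# pf.conf fragment -- rules reference the group, not the hardware name,
# so the same file can be carried to a firewall whose pfsync port is not em3.
# "set skip on em3" is what the post reports as working; the rules below are
# an assumed alternative that uses the group name in ordinary pass rules.
pfsync_net = "192.168.7.0/24"

pass quick on pfsyncif proto pfsync from $pfsync_net to $pfsync_net
pass quick on pfsyncif inet proto carp
block quick on pfsyncif
```

The "block quick on pfsyncif" line is deliberate: the crossover link should carry nothing but pfsync (and, if the CARP interfaces are configured to use it, CARP advertisements), so anything else arriving on that group is dropped and logged rather than silently allowed.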