So you're saying I need to explicitly pass traffic to $carpdevs too?
Would that let me ssh into the carp interface then?

On Sun, Oct 19, 2008 at 2:52 PM, Bryan Irvine <[EMAIL PROTECTED]> wrote:
> <snip>
>
>> # pass rules
>> block in
>> pass out keep state
>> pass in inet proto icmp all icmp-type $icmp_types keep state
>> pass in quick on $int_if
>> pass in on $ext_if inet proto tcp from any to ($ext_if) \
>>   port $tcp_services flags S/SA keep state
>> pass in on $ext_if inet proto tcp from any to $webserver port $webports \
>>   flags S/SA synproxy state
>> pass on $carpdevs proto carp keep state
>> pass quick on $ext_if proto carp \
>>   from $ext_if:network to $carp_mcast keep state
>> pass on $syncdev proto pfsync
>> pass in on $int_if from $ssh_allowed to self keep state (no-sync)
>> antispoof quick for { lo $int_if }
>
> <snip>
>
> you've blocked in and then explicitly passed traffic only to $ext_if.
>
>  -B
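
As an added illustration of Bryan's point (example rules, not from the original thread and not the pf FAQ ruleset quoted above): in the quoted set, `($ext_if)` expands at runtime to the addresses configured on the physical external interface only, and the remaining `pass in` rules name $webserver, $int_if or `self` on $int_if, so a TCP SYN aimed at the shared CARP address on the external side matches nothing but `block in`. The macro names and addresses below (`carp_ext`, `ssh_allowed`, the RFC 5737 example addresses) are assumptions; substitute your own.

```pf
# Added example, not part of the original thread. Macro values are
# assumptions; adjust them to your pf.conf.
ext_if = "em0"                        # physical external interface (assumed)
carp_ext = "192.0.2.10"               # shared external CARP address (example)
tcp_services = "{ ssh, domain }"      # services offered on the box itself (assumed)
ssh_allowed = "{ 198.51.100.0/24 }"   # admin hosts allowed to ssh (assumed)

block in

# The quoted ruleset only passes to ($ext_if), i.e. the addresses on the
# physical interface. A SYN to $carp_ext never matches this rule.
pass in on $ext_if inet proto tcp from any to ($ext_if) \
    port $tcp_services flags S/SA keep state

# Added rule: explicitly allow ssh to the shared CARP address, and only
# from the admin list, instead of passing everything in on the carp
# interface. No "on" clause, so it matches whichever interface pf
# attributes the packet to.
pass in inet proto tcp from $ssh_allowed to $carp_ext \
    port ssh flags S/SA keep state
```

The added rule deliberately omits an `on` clause: which interface pf attributes a packet to the shared address to depends on the pf/carp version, and leaving it out avoids guessing. If the connection is still blocked, `tcpdump -n -e -ttt -i pflog0` shows the interface and rule number that dropped it, and `pfctl -vvsr` shows how `($ext_if)` expanded.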
