Hi Claudio!

On Mon, May 2, 2022 at 9:24 AM Claudio Jeker <[email protected]> wrote:

> You have asymmetric routing and with that stateful firewall rules will
> cause you problems. In your case gw1 will block the ICMP reply because it
> never encountered the ICMP request matching that reply.

I do have pfsync on the hosts, so the state table is synchronised. Do you not use pfsync at all?

> On most of my BGP routers I have either pf disabled or I write the ruleset
> so that only local traffic is stateful but all forwarded traffic uses a
> no-state rule. IIRC even sloppy-state tracking will block some traffic;
> that's why I avoid that option.

Interesting. Would you be willing to share your rules (or at least a redacted version) off-list, as a real example of how you do this?

Thanks!

Ian
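The ruleset layout Claudio describes above (stateful only for traffic to and from the router itself, stateless for everything it forwards) can be sketched in pf.conf as follows. This is an added example written for this page, not Claudio's ruleset and not anything from the original thread. Interface names, the addresses in the tables and the BGP neighbours are placeholders; the set of services allowed to the router itself is a guess and should be adjusted to the real box.

```pf
# Added example pf.conf for a BGP router with asymmetric forwarding paths.
# Interfaces, addresses and neighbours below are assumed placeholders.
ext_if = "em0"                                    # toward upstream / eBGP peers
int_if = "em1"                                    # toward the internal network
table <self>  const { 192.0.2.1, 198.51.100.1 }   # this router's own addresses
table <peers> const { 192.0.2.2, 192.0.2.3 }      # BGP neighbours

set skip on lo0
set block-policy drop

# Default deny; every pass below is explicit and 'quick' (first match wins),
# so the router-local rules must come before the forwarded-traffic rules.
block log all

# --- Traffic terminating on or originating from this router: stateful ---
# Both directions of a router-local flow always cross this same box, so
# normal state tracking (the default 'keep state') works and gives the
# usual protection for the control plane.
pass in  quick on $ext_if proto tcp from <peers> to <self> port bgp
pass in  quick on $int_if proto tcp to <self> port ssh
pass in  quick inet proto icmp to <self> icmp-type { echoreq, unreach, timex }
pass out quick from <self>

# --- Forwarded traffic: stateless ---
# With asymmetric routing the reply to a forwarded packet may come back
# through another router, so no state is created here; each packet is
# judged on its own. Tables can be negated, which is why <self> is a table
# rather than a list (pf does not allow negating a list).
pass in  quick on $ext_if from any    to ! <self> no state
pass out quick on $ext_if from ! <self> to any    no state
pass in  quick on $int_if from ! <self> to any    no state
pass out quick on $int_if from any    to ! <self> no state
```

Because the forwarded rules carry `no state`, pf neither creates entries for transit flows nor expects to see both halves of a conversation, so the scenario from the thread (gw1 dropping an ICMP reply because it never saw the request) does not arise for forwarded traffic. The cost is that transit traffic gets only per-packet filtering (addresses, ports, direction), not the connection-level checks state tracking provides; that is the trade-off the quoted message accepts. Load it with `pfctl -nf /etc/pf.conf` first to check the syntax against the real interface names before `pfctl -f /etc/pf.conf`.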
