On Thu, May 18, 2006 at 06:32:37PM -0400, Chad M Stewart wrote:
> Perhaps it is just my tired brain but it seems strange
> that in other rules carp0 is used as the incoming interface.

Maybe Ryan can comment; from http://www.countersiege.com/doc/pfsync-carp/:

"When writing the rest of the pf ruleset, it is important to keep in mind that from pf's perspective, all traffic comes from the physical interface, even if it is routed through the carp address. However, the address is of course associated with the carp interface. Therefore, in the interface context, such as "pass in on $extif ...", $extif would be the physical interface, but in the context of "from $foo" or "to $foo", the carp interface should be used, as it's being meant in the address context."

Does this mean 'antispoof for carp0' is generally (always?) a mistake? As Chad showed, packets are seen by tcpdump on carp0; are they also filtered by pf on carp0 (i.e. twice, on carp0 and the real interface)? Has this changed in the past?

Daniel
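As an added illustration of the interface-context versus address-context split the quoted countersiege text describes, here is a small pf.conf fragment. It is example configuration written for this page, not a ruleset from the countersiege document or from Chad's or Daniel's posts; the interface names em0 and carp0, the shared address 192.0.2.10 and the choice of ssh as the service are assumptions. It does not settle the antispoof question Daniel raises; it only shows the rule shape the quoted document recommends beside the one it advises against.

```pf
# Added example ruleset (not from the original thread). Assumptions:
# em0 is the physical external interface, carp0 is the CARP interface
# carrying the shared address 192.0.2.10/24 on the same link.
ext_if  = "em0"
carp_if = "carp0"

# Interface context: per the quoted document pf sees the packet on the
# physical interface, so "on" names em0, not carp0.
# Address context: the shared address belongs to carp0, so "to" / "from"
# name the carp interface, which pf expands to that interface's addresses
# at load time (write ($carp_if) to have it re-evaluated at runtime).

# Shape the quoted document advises against: carp0 in the interface context.
# pass in on $carp_if proto tcp from any to $carp_if port ssh keep state

# Shape the quoted document recommends: physical interface in "on",
# carp interface in the address position.
pass in  on $ext_if proto tcp from any      to $carp_if port ssh keep state
pass out on $ext_if proto tcp from $carp_if to any                keep state

# The CARP advertisements themselves travel on the physical link
# (IP protocol "carp", multicast group 224.0.0.18).
pass on $ext_if proto carp from any to 224.0.0.18

# antispoof written for the physical interface; whether an additional
# "antispoof for carp0" is needed (or harmful) is the open question above.
antispoof for $ext_if
```

Load it with `pfctl -nf /etc/pf.conf` first to check syntax only; `pfctl -sr` afterwards shows the expanded rules, so you can see which addresses `$carp_if` resolved to in the "to"/"from" positions.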