Re: "egress" group

Thank you; I didn't even realize I could rename the interface. Part of the install script already has to deal with the varying interface names for rc.conf, so I'll just change the name there. The other suggestion, about adding the cards to a group, would be about the same effort, but since I do have nat/rdr rules which are referencing the external interface it seems the groups wouldn't work, so renaming it is. Thanks again!

-Joseph

On 06/26/2018 02:32, Kristof Provost wrote:
>
> On 25 Jun 2018, at 22:12, Joseph Ward wrote:
>
>> My current pf.conf contains the following lines (with a lot of other
>> stuff redacted for irrelevance):
>>
>> ext_if="em0"
>> ...
>> block log all
>> pass in on $ext_if proto tcp from any to any port 22 flags S/SA keep state
>>
>> and it works great; ssh is able to get in. However, when I change
>> "$ext_if" to "egress", it no longer works. From the various
>> documentation I've found online, egress should automatically be the
>> interface which has the default route, and netstat -rn gives me:
>
> ‘egress’ exists in OpenBSD’s pf, but not in FreeBSD.
>
>> My goal is for this pf.conf to be able to be used on multiple systems
>> which unfortunately have different network cards, so the interface names
>> are different. If "egress" isn't going to work, is there another way to
>> accomplish that goal?
>
> You could rename your network card (ifconfig em0 name foo). That’d let
> you hide the difference from pf (but you’d have to cope with it in
> /etc/rc.conf)
>
> Regards,
> Kristof
>
___
freebsd-pf@freebsd.org mailing list
https://lists.freebsd.org/mailman/listinfo/freebsd-pf
To unsubscribe, send any mail to "freebsd-pf-unsubscr...@freebsd.org"
Re: "egress" group

On Mon, 25 Jun 2018 16:12:49 -0400, Joseph Ward wrote:

Hello,

> My goal is for this pf.conf to be able to be used on multiple systems
> which unfortunately have different network cards, so the interface
> names are different. If "egress" isn't going to work, is there
> another way to accomplish that goal?

You can use some interface groups.

ifconfig_ix0="inet 192.168.20.251/24 group CARPDEV group IFFOO"

then in pf.conf use the groups

pass in on IFFOO ...

or

pass quick on CARPDEV proto carp keep state (no-sync)

There are several restrictions: you can't use an interface group in pf "set skip" rules and on nat/route-to rules, and the name of a group cannot end with a number (IFFOO1 -> invalid). But that works fine; we use groups a lot here.

Regards
Re: "egress" group

On 25 Jun 2018, at 22:12, Joseph Ward wrote:
> My current pf.conf contains the following lines (with a lot of other
> stuff redacted for irrelevance):
>
> ext_if="em0"
> ...
> block log all
> pass in on $ext_if proto tcp from any to any port 22 flags S/SA keep state
>
> and it works great; ssh is able to get in. However, when I change
> "$ext_if" to "egress", it no longer works. From the various
> documentation I've found online, egress should automatically be the
> interface which has the default route, and netstat -rn gives me:

‘egress’ exists in OpenBSD’s pf, but not in FreeBSD.

> My goal is for this pf.conf to be able to be used on multiple systems
> which unfortunately have different network cards, so the interface
> names are different. If "egress" isn't going to work, is there another
> way to accomplish that goal?

You could rename your network card (ifconfig em0 name foo). That’d let you hide the difference from pf (but you’d have to cope with it in /etc/rc.conf)

Regards,
Kristof
"egress" group

My current pf.conf contains the following lines (with a lot of other stuff redacted for irrelevance):

ext_if="em0"
...
block log all
pass in on $ext_if proto tcp from any to any port 22 flags S/SA keep state

and it works great; ssh is able to get in. However, when I change "$ext_if" to "egress", it no longer works. From the various documentation I've found online, egress should automatically be the interface which has the default route, and netstat -rn gives me:

Routing tables

Internet:
Destination        Gateway            Flags     Netif Expire
default            192.168.6.1        UGS         em0

Am I missing something?

My goal is for this pf.conf to be able to be used on multiple systems which unfortunately have different network cards, so the interface names are different. If "egress" isn't going to work, is there another way to accomplish that goal?

Thanks,
Joseph Ward
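What the original post asks for, a pf.conf that follows whichever interface carries the default route (the behaviour OpenBSD's egress group provides), can be approximated on FreeBSD by resolving that interface at rule-load time and handing it to pfctl with its -D macro=value option. This is an added example, not code from anyone in the thread; the routing table text is a constructed sample based on the netstat -rn output in the post, and the function names (default_iface, pf_macro_args) are mine.

```shell
#!/bin/sh
# Added example, not from the thread: emulate OpenBSD's "egress" group on
# FreeBSD by resolving the default-route interface when the rules are loaded
# and passing it to pfctl as the ext_if macro, so pf.conf itself never names
# a driver (em0, ix0, igb0 ...).

# Constructed sample based on the netstat -rn output Joseph posted, with two
# extra rows added, embedded so the script runs offline.  On a live system
# replace it with the output of `netstat -rn -f inet`.
SAMPLE_ROUTES='Routing tables

Internet:
Destination        Gateway            Flags     Netif Expire
default            192.168.6.1        UGS         em0
192.168.6.0/24     link#1             U           em0
127.0.0.1          link#2             UH          lo0'

# default_iface: read a netstat -rn listing on stdin and print the interface
# of the IPv4 default route.  Returns 1 if no default route is present, so a
# caller can refuse to load rules rather than load them with an empty macro.
default_iface() {
    awk '
        # Find the Netif column from the header row instead of assuming a
        # fixed position; the column layout differs between FreeBSD versions.
        !col { for (i = 1; i <= NF; i++) if ($i == "Netif") col = i; next }
        $1 == "default" { print $col; found = 1; exit }
        END { exit !found }'
}

# pf_macro_args: build the macro definition pfctl(8) accepts via -D, which
# leaves the existing "$ext_if" references in pf.conf untouched.
pf_macro_args() {
    printf 'ext_if=%s' "$1"
}

main() {
    ext_if=$(printf '%s\n' "$SAMPLE_ROUTES" | default_iface) || {
        echo "no default route found; not loading pf rules" >&2
        return 1
    }
    echo "default route interface: $ext_if"
    # The command an rc.d script or /etc/rc.local would run on the real box;
    # printed rather than executed because this example has no pf to load into.
    echo "pfctl -D '$(pf_macro_args "$ext_if")' -f /etc/pf.conf"
}

main "$@"
```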