Hi guys,

I read this statement in the OpenBSD PF FAQ:

Ruleset Tips

Filter the physical interface. As far as PF is concerned, network traffic comes from the physical interface, not the CARP virtual interface (i.e., carp0). So, write your rule sets accordingly. Don't forget that an interface name in a PF rule can be either the name of a physical interface or an address associated with that interface. For example, this rule could be correct:

    pass in on fxp0 inet proto tcp from any to carp0 port 22

but replacing the fxp0 with carp0 would not work as you desire.

I would like to ask if using the group names instead of the physical interface has any drawbacks, because I find it easier to understand. I'm also giving the same group name to the carp interface so I can see all my IPs with ifconfig "group_name".

Am I missing something obvious?

Thanks
--
Massimo

