From: Joseph Ward
To: freebsd-pf@freebsd.org
Subject: "egress" group
Date: Mon, 25 Jun 2018 16:12:49 -0400

My current pf.conf contains the following lines (with a lot of other stuff redacted for irrelevance):

ext_if="em0"
...
block log all
pass in on $ext_if proto tcp from any to any port 22 flags S/SA keep state

and it works great; ssh is able to get in. However, when I change "$ext_if" to "egress", it no longer works. From the various documentation I've found online, egress should automatically be the interface which has the default route, and netstat -rn gives me:

Routing tables

Internet:
Destination        Gateway            Flags     Netif Expire
default            192.168.6.1        UGS         em0

Am I missing something? My goal is for this pf.conf to be able to be used on multiple systems which unfortunately have different network cards, so the interface names are different. If "egress" isn't going to work, is there another way to accomplish that goal?

Thanks,
Joseph Ward
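
Added example (not part of the original post): pf resolves a bare name such as egress as an interface group, so one check is whether the interface holding the default route is actually a member of that group. The script below parses `netstat -rn` and `ifconfig` text; the function names and the ifconfig samples are constructed for illustration.

```shell
#!/bin/sh
# Added example. Function names and the ifconfig samples are constructed;
# the default-route line is the one quoted in the post.

# Print the interface carrying the IPv4 default route (`netstat -rn` on stdin).
default_route_if() {
    awk '/^Internet:/  { v4 = 1 }
         /^Internet6:/ { v4 = 0 }
         v4 && $1 == "default" { print $4; exit }'
}

# Succeed if the `ifconfig <if>` text on stdin lists group $1 on "groups:".
in_group() {
    awk -v g="$1" '$1 == "groups:" { for (i = 2; i <= NF; i++) if ($i == g) found = 1 }
                   END { exit !found }'
}

# $1 = netstat -rn text, $2 = ifconfig text for the default-route interface.
check_egress() {
    ifn=$(printf '%s\n' "$1" | default_route_if)
    [ -n "$ifn" ] || { echo "no IPv4 default route"; return 2; }
    if printf '%s\n' "$2" | in_group egress; then
        echo "$ifn is in group egress"
    else
        echo "$ifn is not in group egress"
        return 1
    fi
}

NETSTAT_SAMPLE='Routing tables

Internet:
Destination        Gateway            Flags     Netif Expire
default            192.168.6.1        UGS         em0'

# Constructed ifconfig output (address and flags are sample values).
IFCONFIG_NO_GROUP='em0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        inet 192.168.6.20 netmask 0xffffff00 broadcast 192.168.6.255'

IFCONFIG_WITH_GROUP="$IFCONFIG_NO_GROUP
        groups: egress"

check_egress "$NETSTAT_SAMPLE" "$IFCONFIG_NO_GROUP" || true
check_egress "$NETSTAT_SAMPLE" "$IFCONFIG_WITH_GROUP"
# Live system: check_egress "$(netstat -rn)" "$(ifconfig em0)"
```

If the interface turns out not to be a member, `ifconfig em0 group egress` assigns it to the group.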