
benefits of 'set state-policy if-bound'
Greetings,
I'm in the middle of deploying my largest and most complex OpenBSD+pf
setup yet and I'm starting to question the way I've done things in the
past.
I've been using an if-bound state-policy for quite some time.  My
reasoning up to this point was that I believed:
   
   1) if-bound provided a tighter ruleset.  A packet would never come in
      on or go out on an interface unless I explicitly said so.
   2) if-bound made debugging any problems much easier because of '1'
Whether or not these are true or complete is open to debate...
Because this particular deployment will have significantly more
interfaces, rules, hosts and traffic flows, suddenly using if-bound
seems like it might be overkill. 
What benefits, aside from the ones above, does an if-bound state-policy
provide?  What about the opposite?  What benefits does a floating state
policy provide?
In terms of numbers of rules that must be evaluated, if there are
N traffic flows that must be controlled, a floating state-policy will
require (approximately) N rules whereas an if-bound state-policy will
require (approximately) 2N rules.  Does this actually make a difference
in terms of pf performance?
The same thing obviously applies to ruleset complexity.  N rules for
floating, 2N rules for if-bound.
I suppose one thing that one would definitely have to look out for is
the number of states that are allowed to be created -- an if-bound policy
would, I think, create a state per interface that the packets traverse,
meaning that a typical WAN + LAN configuration would create two states
for a connection that starts on the LAN and goes to the WAN.
My gut is to go with if-bound since that's what I've always done.
However, I still don't fully understand the disadvantages of if-bound
and the advantages of floating (or group-bound), so I could be convinced
otherwise.
Any input would be much appreciated!
-jon
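The N versus 2N rule difference the post describes, written out as two alternative pf.conf fragments. This is an added illustration, not part of the original message; the interface names (em0 as WAN, em1 as LAN) and the 192.168.1.0/24 LAN network are assumptions chosen for the example, and the two fragments are meant as alternative rulesets, not one file.

```pf
# Added example (not from the original post). Assumed names:
#   em0 = WAN interface, em1 = LAN interface, LAN network 192.168.1.0/24
wan     = "em0"
lan     = "em1"
lan_net = "192.168.1.0/24"

# ---- Fragment A: floating state-policy (the pf default) ----
# One rule per controlled flow. The state created when the packet
# enters on $lan also matches the same packet when it leaves on $wan,
# so no separate "pass out on $wan" rule is required.
set state-policy floating
block all
pass in on $lan from $lan_net to any keep state

# ---- Fragment B: if-bound state-policy ----
# States are tied to the interface they were created on, so the flow
# needs a rule (and gets a state) on each interface it crosses:
# two rules and two states for one LAN-to-WAN connection.
set state-policy if-bound
block all
pass in  on $lan from $lan_net to any keep state
pass out on $wan from $lan_net to any keep state

# The global policy can be overridden per rule with a state option,
# which lets a mostly if-bound ruleset keep a few floating states:
pass in on $lan from $lan_net to any keep state (floating)
```

Checks worth running against either fragment: `pfctl -nf /etc/pf.conf` parses the ruleset without loading it; `pfctl -ss` lists current states, and the first column shows `all` for a floating state versus the interface name for an if-bound one, which makes the doubled state count of Fragment B visible directly; `pfctl -si` reports the current state count to compare against `set limit states`. One practical difference beyond rule count: because an if-bound state only matches on the interface where it was created, a flow whose return path arrives on a different interface (asymmetric routing, or a route that changes mid-connection) is dropped under if-bound but still matches a floating state.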