
Re: benefits of 'set state-policy if-bound'

Jon Hart wrote:

> I'm in the middle of deploying my largest and most complex OpenBSD+pf
> setup yet and I'm starting to question the way I've done things in the
>
> I've been using an if-bound state-policy for quite some time. My
> reasoning up to this point was that I believed:
> 1) if-bound provided a tighter ruleset. A packet would never come in
> on or go out on an interface unless I explicitly said so.
>
> 2) if-bound made debugging any problems much easier because of '1'
> and because "pfctl -ss" will show the interface, which is very helpful.
>
> Whether or not these are true or complete is open to debate...
>
> Because this particular deployment will have significantly more
> interfaces, rules, hosts and traffic flows, suddenly using if-bound
> seems like it might be overkill.

if-bound will not be slower than floating, so I don't think it's overkill.

> What benefits, aside from the ones above, does an if-bound state-policy
> provide? What about the opposite? What benefits does a floating state
> policy provide?

There are only two scenarios when you don't want to use if-bound, and want
to use floating states:
a) if your routing environment can change dynamically, and you've a state
that should migrate from one interface to another.
b) if you use asymmetric routing.

If any of these conditions is true, you should use floating states.
Otherwise, I would use if-bound states.
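As an added illustration (not from this thread), a pf.conf that keeps the global if-bound default but overrides it per rule for the asymmetric-routing case described in (b); interface names, the documentation address ranges and the asymmetric path are assumptions:

```pf
# Added example, not from the thread. Interface names, networks and the
# asymmetric-path scenario are assumed for illustration only.
ext_if = "em0"
int_if = "em1"
dmz_if = "em2"
lan_net = "192.0.2.0/24"        # constructed (documentation range)
dmz_net = "198.51.100.0/24"     # constructed (documentation range)

# Global default: each state is bound to the interface it was created on.
# A packet of that flow arriving on any other interface does not match the
# state and is evaluated against the ruleset again (here: blocked and logged).
set state-policy if-bound

block log all

# Ordinary symmetric flows inherit if-bound from the global policy. The same
# connection creates one state on $int_if (inbound) and one on $ext_if
# (outbound), so each interface only carries traffic explicitly allowed on it.
pass in  on $int_if from $lan_net to any keep state
pass out on $ext_if from $lan_net to any keep state

# Scenario (b) from the reply: replies for this path may return on a
# different interface. Override the policy for this rule alone instead of
# switching the whole ruleset to floating.
pass in on $dmz_if from $dmz_net to $lan_net keep state (floating)
```

After loading, `pfctl -ss` lists the bound interface for if-bound states and `all` for floating ones, which is the debugging aid the original post refers to.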