Re: benefits of 'set state-policy if-bound'
Jon Hart wrote:
> Greetings,
>
> I'm in the middle of deploying my largest and most complex OpenBSD+pf
> setup yet and I'm starting to question the way I've done things in the
>
> I've been using an if-bound state-policy for quite some time. My
> reasoning up to this point was that I believed:
>
> 1) if-bound provided a tighter ruleset. A packet would never come in
> on or go out on an interface unless I explicitly said so.
>
> 2) if-bound made debugging any problems much easier because of '1'

...and because "pfctl -ss" will show the interface, which is very helpful.

> Whether or not these are true or complete is open to debate...
>
> Because this particular deployment will have significantly more
> interfaces, rules, hosts and traffic flows, suddenly using if-bound
> seems like it might be overkill.

if-bound will not be slower than floating, so I don't think it's overkill.

> What benefits, aside from the ones above, does an if-bound state-policy
> provide? What about the opposite? What benefits does a floating state

There are only two scenarios when you don't want to use if-bound, and want
to use floating states:

a) if your routing environment can change dynamically, and you've a
that should migrate from one interface to another.

b) if you use asymmetric routing.

If any of these conditions is true, you should use floating states.
Otherwise, I would use if-bound states.
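The following pf.conf skeleton is an added example, not from either message in the thread, showing how the advice above is usually applied: a global if-bound policy, with the floating behaviour granted only to the rule whose traffic may hit a different interface (the dynamic-routing or asymmetric-routing case). Interface names, networks and the mail-server rule are assumptions chosen for illustration.

```pf
# Added example (not from the thread). Interface names and networks are
# assumptions for illustration only.
ext_if  = "em0"
int_if  = "em1"
dmz_if  = "em2"
int_net = "10.10.0.0/24"
dmz_net = "10.20.0.0/24"

# Global default: every state is bound to the interface it was created on.
# A state created on $int_if will never match a packet arriving on $dmz_if,
# and "pfctl -ss" prints that interface name in the first column.
set state-policy if-bound

block log all

# Symmetric flows inherit the global if-bound policy. Because the state
# created by the "pass in" rule is bound to $int_if, the same connection
# must also be passed explicitly on $ext_if, where a second state is
# created. This is the "tighter ruleset" effect: nothing leaves an
# interface unless a rule on that interface says so.
pass in  on $int_if inet proto tcp from $int_net to any port { 80 443 } keep state
pass out on $ext_if inet proto tcp from $int_net to any port { 80 443 } keep state

# Scenarios (a) and (b) from the reply: return traffic for this service may
# arrive on a different interface, or the path may move between interfaces
# when routing changes. Only this rule is made floating; everything else
# stays if-bound.
pass in on { $ext_if $dmz_if } inet proto tcp from any to $dmz_net port 25 \
    keep state (floating)
```

Check the syntax before loading with `pfctl -nf /etc/pf.conf`. Once traffic is flowing, `pfctl -ss` lists the if-bound states with their interface (for example `em1 tcp ...`) and the floating ones with `all` in the interface column, which is the debugging aid the reply refers to: a state that unexpectedly shows `all` is one that can match on any interface and deserves a second look.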