
Re: benefits of 'set state-policy if-bound'



On Mon, Sep 12, 2005 at 09:24:23AM +0200, Cedric Berger wrote:
<snip>
> and because "pfctl -ss" will show the interface, which is very helpful.
Indeed.  The more information I have to help debug any potential issues,
the better.
> >Whether or not these are true or complete is open to debate...
> >
> >Because this particular deployment will have significantly more
> >interfaces, rules, hosts and traffic flows, suddenly using if-bound
> >seems like it might be overkill. 
> >
> if-bound will not be slower than floating, so I don't think it's overkill.
Really?  My thinking was that because state would be kept on all
interfaces that the packet in question traverses, and each state entry
requires memory and system resources, that more resources would be
required.  I'd be surprised if this meant 2x the memory.
> >What benefits, aside from the ones above, does an if-bound state-policy
> >provide?  What about the opposite?  What benefits does a floating state
> >policy provide?
> > 
> >
> There are only two scenarios when you don't want to use if-bound, and want
> to use floating states:
>    a) if your routing environment can change dynamically, and you've a state
>       that should migrate from one interface to another.
>    b) if you use asymmetric routing.
> 
> If any of these conditions is true, you should use floating states.
> Otherwise, I would use if-bound states.
Neither of these conditions is true for me.  I initially started
using the advice that Greg gave me: a "catchall" rule with tags to
allow packets out that have come in and were tagged via specific rules.
-jon
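As an added illustration of the two settings discussed in this thread (it is not configuration from either poster), the pf.conf fragment below sets if-bound as the global state policy, overrides it with a floating state on the one rule where a state must survive a change of path, and shows the tag-based "catchall" pass-out rule mentioned above. The interface macros, address and tag name are assumptions chosen for the example.

```pf
# Added example, not from the original thread.  Macro values are assumed.
ext_if = "fxp0"
int_if = "fxp1"
dmz_if = "fxp2"
www    = "192.0.2.10"          # example address for the web server

# Global default: every state is bound to the interface it was created on,
# so "pfctl -ss" shows the interface and a state cannot be matched by a
# packet arriving on a different interface.
set state-policy if-bound

block in log all

# Specific rule: create state for inbound web traffic and tag the packets.
pass in on $ext_if proto tcp from any to $www port 80 \
    flags S/SA keep state tag WEB

# Catchall: anything that was tagged by a specific "pass in" rule may leave
# on the DMZ interface; a separate if-bound state is created there.
pass out on $dmz_if tagged WEB keep state

# Per-rule override: where routing may change (or is asymmetric), a floating
# state lets replies arrive on another interface without a new "pass in".
pass out on $ext_if proto tcp from $int_if:network to any \
    flags S/SA keep state (floating)
```

With if-bound in force, a packet that matches an existing state but arrives on a different interface is not treated as part of that connection and falls through to the rule set, which is exactly the behaviour that makes debugging with `pfctl -ss` easier and that has to be relaxed (per rule, as shown, or globally with `set state-policy floating`) only in the two routing scenarios named in the thread.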