On 15/06/2023 17:17, Kapetanakis Giannis wrote:
> Hello,
>
> I'd like to make a change to my firewall/router from the default state-policy
> floating to if-bound
>
> I believe the way my pf.conf is configured it will not do any harm but I'm
> being cautious here and I'd like some info.
>
> The way I see it, I have two states for each packet traveling either
> direction of the firewall.
> One on the incoming interface and one on the outgoing interface for each
> packet.
> Each state is floating (pfctl -ss gives all)
>
> I filter always on the incoming interface, apply a tag and pass on the
> outgoing interface everything that matches the tag.
> One tag for packets coming from internet and a different tag for packets
> coming from my internal network to the internet.
>
> I believe that if all my filtering is like above then changing the default
> policy will work without any further changes in pf.conf
>
> I don't understand why floating is the default.
> I mean, even with floating states, each state has a direction in/out, thus
> the same state cannot be applied to multiple interfaces (incoming/outgoing)
> and a different (floating) state is created on each interface.
>
> There must be a case I'm missing here. Maybe multipath routing?
>
> regards,
>
> Giannis
After applying some keep state (if-bound) on major rules, I've already found a problem: pfsync. It copies the interface. The interfaces are different on the backup firewall, so the states will not match if I demote master.

Any way to overcome this? Maybe filtering with the same group name that is the same on both firewalls?

G
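For readers following the thread, the ruleset shape Giannis describes (filter only on the inbound interface, tag the packet, pass it on the outbound interface by tag, with if-bound states) looks like the fragment below. This is an added example and not the poster's own pf.conf; the interface names, the network, the tag names and the dedicated pfsync link are all assumptions for illustration. It does not resolve the pfsync interface-name mismatch raised in the reply; it only shows the configuration the question is about.

```pf
# Added example, not the poster's ruleset. em0/em1/em2, 192.0.2.0/24 and the
# tag names are assumed for illustration.
ext_if  = "em0"
int_if  = "em1"
sync_if = "em2"                # assumed dedicated pfsync link
int_net = "192.0.2.0/24"       # assumed internal network

# Switch the global default from "floating" to "if-bound". With this set,
# every state is bound to the interface it was created on.
set state-policy if-bound
set skip on lo

# Failover plumbing between the two firewalls.
pass quick on $sync_if proto pfsync
pass quick on { $ext_if $int_if } proto carp

block all

# Filter only on the inbound interface and tag the packet with its origin.
# Each of these creates a state bound to $ext_if or $int_if respectively.
pass in on $ext_if proto tcp from any to $int_net port { 80 443 } tag FROM_INET
pass in on $int_if from $int_net to any tag FROM_LAN

# The per-rule form mentioned in the reply; equivalent here because of the
# global state-policy above, but it binds this rule's states even if the
# global default is later changed back to floating.
pass in on $int_if proto udp from $int_net to any port 53 tag FROM_LAN keep state (if-bound)

# On the outbound interface, pass anything carrying a tag set above. These
# pass rules also keep state, which is the second (outbound-side) state per
# connection that the original message describes.
pass out on $int_if tagged FROM_INET
pass out on $ext_if tagged FROM_LAN
```

Check the syntax with `pfctl -nf /etc/pf.conf` before loading it with `pfctl -f /etc/pf.conf`. After loading, `pfctl -ss` lists each state with the name of the interface it is bound to (em0, em1) in the first column instead of the `all` that floating states show, which is the quickest way to confirm which rules are actually producing if-bound states.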