Date:      Fri, 1 Aug 2008 12:31:07 -0500
From:      "David DeSimone" <fox@verio.net>
To:        <freebsd-pf@freebsd.org>
Subject:   Re: need help with keep state and shaping
Message-ID:  <20080801173107.GC13898@verio.net>
In-Reply-To: <56637.88.119.128.115.1217585235.squirrel@mx.agservice.lt>
References:  <51307.88.119.128.115.1217227945.squirrel@mx.agservice.lt> <64686.88.119.128.115.1217400195.squirrel@mx.agservice.lt> <1217406136.31805.6.camel@buchtajz> <50928.88.119.128.115.1217406553.squirrel@mx.agservice.lt> <56637.88.119.128.115.1217585235.squirrel@mx.agservice.lt>


news@topocentras.lt <news@topocentras.lt> wrote:
>
> What difference in state-policy floating and if-bound?

"if-bound" means that the state becomes bound to the particular
interfaces over which traffic was flowing at the start of the connection
(when state is created).  If your interfaces have hard assignments that
don't change, and your routing table is static, this is the most secure
choice.

It means that traffic which suddenly starts coming in or going out a
different interface than it used to, will no longer match the state, and
therefore will be dropped.

The "floating" state does not have this restriction, and traffic can
come in or go out any interface and it will still be matched.

> If I am using tagging for incoming and outgoing traffic?  Which policy
> do I need to use?

The policy you choose depends on how dynamic your interface and routing
environment are.  For instance, if you had multiple ISP's and use a
routing protocol to choose dynamically between them, you would want the
"floating" policy.  Likewise, if you use PPP or other types of tunnels
which go up and down, you will want "floating."  Otherwise, choose
"if-bound" for security reasons.

-- 
David DeSimone == Network Admin == fox@verio.net
"This email message is intended for the use of the person to whom
 it has been sent, and may contain information that is confidential
 or legally protected.  If you are not the intended recipient or have
 received this message in error, you are not authorized to copy, dis-
 tribute, or otherwise use this message or its attachments.  Please
 notify the sender immediately by return e-mail and permanently delete
 this message and any attachments.  Verio, Inc. makes no warranty that
 this email is error or virus free.  Thank you."  --Lawyer Bot 6000
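A pf.conf fragment that puts the advice above into practice, as an added example that is not part of the original message or thread; the interface names, the LAN prefix and the two-uplink layout are assumptions:

```pf
# Constructed pf.conf fragment (added example, not code from the original
# message). Interface names and the LAN prefix are placeholders.

int_if  = "em0"                    # LAN, hard-assigned, never moves
isp_a   = "em1"                    # two uplinks; a routing daemon
isp_b   = "em2"                    # picks the active one dynamically
lan_net = "192.0.2.0/24"           # documentation prefix, constructed

# Default for every state: bind it to the interface it was created on.
# If a packet for an existing connection later shows up on a different
# interface, it does not match the state and falls through to the block.
set state-policy if-bound

block log all

# LAN side: addresses and routing are static, so if-bound stays in force.
pass in quick on $int_if inet proto tcp from $lan_net to any \
    flags S/SA keep state

# Uplink side: the routing protocol can move the path from isp_a to isp_b
# mid-connection. The per-rule "floating" option overrides the global
# policy for only these states, so they keep matching on whichever uplink
# the packets actually use. Everything else keeps the stricter default.
pass out quick on { $isp_a $isp_b } inet proto tcp from $lan_net to any \
    flags S/SA keep state (floating)

# Checking the result: in "pfctl -s state" a floating state is listed with
# "all" in the interface column, an if-bound state with the interface name.
```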