Hello,

I'd like to make a change to my firewall/router from the default state-policy floating to if-bound.

I believe the way my pf.conf is configured it will not do any harm, but I'm being cautious here and I'd like some info. The way I see it, I have two states for each packet traveling in either direction through the firewall: one on the incoming interface and one on the outgoing interface for each packet. Each state is floating (pfctl -ss gives all).

I always filter on the incoming interface, apply a tag, and pass on the outgoing interface everything that matches the tag. One tag for packets coming from the internet and a different tag for packets coming from my internal network to the internet. I believe that if all my filtering is like the above, then changing the default policy will work without any further changes in pf.conf.

I don't understand why floating is the default. I mean, even with floating states, each state has a direction in/out, thus the same state cannot be applied to multiple interfaces (incoming/outgoing) and a different (floating) state is created on each interface. There must be a case I'm missing here. Maybe multipath routing?

Regards,
Giannis
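
The rule layout described in the post, sketched as an added pf.conf example with `set state-policy if-bound`; it is not the poster's actual configuration. The interface names, tag names and the `web_srv` address are assumptions made for illustration.

```conf
# Added example, not the poster's pf.conf. Interface names, tag names
# and web_srv are hypothetical.
ext_if  = "em0"          # assumed internet-facing interface
int_if  = "em1"          # assumed internal interface
web_srv = "192.0.2.10"   # constructed address of an internal server

# Bind each state to the interface it was created on instead of
# letting it match on any interface (floating).
set state-policy if-bound

block log all

# Filter on the incoming interface and tag the packet.
# Each pass rule creates a state bound to the interface named in it.
pass in  on $int_if inet from $int_if:network to any tag LAN_OUT
pass in  on $ext_if inet proto tcp from any to $web_srv port 443 tag INET_IN

# Pass on the outgoing interface only what carries the matching tag.
# This creates the second state, bound to the outgoing interface.
pass out on $ext_if tagged LAN_OUT
pass out on $int_if tagged INET_IN

# Reply packets match the existing state only when they arrive on the
# interface that state is bound to. A reply that comes back through a
# different interface (asymmetric or multipath routing) finds no state
# and is evaluated against the ruleset, where "block log all" drops it.
#
# After loading, "pfctl -ss" prints the bound interface name in the
# first column of each state entry instead of "all".
```

Checking the file with `pfctl -nf` before loading it parses the ruleset without applying it.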