Hello,
</snip>
>
> > For ICMP requests story goes like this:
> >
> > 192.168.10.3 -> 172.16.1.10 @ inbound
> > 192.168.10.3 -> 172.16.1.10 @ outbound
> >
> > for ICMP replies:
> > 172.16.1.10 -> 192.168.10.3 @ inbound
> > 172.16.1.10 -> 192.168.10.3 @ outbound
> >
> > Now it should be obvious that your firewall is missing a state which
> > allows replies. There is no state which allows the inbound ICMP reply,
> > and there is no rule which allows the inbound ICMP reply either.
>
> I see now. The state-policy=floating misled me into believing that the
> state table was global. Thank you for explaining.
>
> But then, what is the real difference between if-bound and global?
>
Assuming we are talking about the if-bound vs. floating state policy:
you have to note that the packet direction and the interface are two different
attributes to match.
If you enable the if-bound state policy then PF continues to
check the direction in which the packet is traveling (@inbound vs. @outbound);
furthermore PF also requires the packet to be seen on the interface
where PF saw the packet which created the state.
Floating relaxes that requirement so that the interface is omitted; think of it
as the packet may match on any/all interfaces, but must travel in the expected
direction.
To be honest I don't know off the top of my head what a good/typical
use-case for the if-bound state policy is. I assume those set-ups must be
rare/special.
regards
sashan
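Added illustration (not part of the thread, and not the original poster's rule set, which was snipped): a pf.conf fragment that shows the if-bound vs. floating distinction on the ICMP exchange discussed above. The interface names em0/em1 and the two-interface topology are assumptions for the example; the addresses are the ones from the thread.

```pf
# Added example, not from the thread. Assumed topology: the firewall has
# em0 towards the LAN (192.168.10.0/24) and em1 towards 172.16.1.0/24.
# 192.168.10.3 pings 172.16.1.10, so PF sees the echo request twice
# (@inbound on em0, then @outbound on em1) and the reply twice in the
# opposite direction (@inbound on em1, then @outbound on em0).

set state-policy if-bound
block log all

# Matches the echo request @inbound on em0 and creates a state. Under
# if-bound that state is tied to em0: it covers the request only while it
# is on em0, and the reply only once it is back @outbound on em0.
pass in on em0 inet proto icmp icmp-type echoreq \
    from 192.168.10.3 to 172.16.1.10

# Without this second rule the request is dropped by "block all" when it
# reaches em1 @outbound, because the em0-bound state does not apply there.
# This rule creates a second state, bound to em1, which also admits the
# echo reply @inbound on em1 (the reply matches state, not a rule, so no
# separate echorep rule is needed).
pass out on em1 inet proto icmp icmp-type echoreq \
    from 192.168.10.3 to 172.16.1.10

# With "set state-policy floating" (the default) the "pass out on em1" rule
# is unnecessary: the single state created on em0 matches on any interface,
# as long as each packet travels in the direction the state expects
# (request forward, reply backward). The policy can also be chosen per rule
# with the keep state options, e.g.
#   pass in on em0 inet proto icmp icmp-type echoreq \
#       from 192.168.10.3 to 172.16.1.10 keep state (floating)
```

To check which policy a state was created under, look at the first column of `pfctl -ss` (or `pfctl -vvss` for the full entry): if-bound states show the interface they are tied to, floating states show `all`. Watching that column while the echo request is in flight is the quickest way to see why the reply is, or is not, admitted.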