On Mon, Jan 24, 2005 at 11:04:07PM +0100, Per-Olov Sjöholm wrote:

> Today I use "set state-policy floating". Which I assume is the default.

Yes, it's the default.

> I am not 100% sure what if-bound means as all sessions going through the fw
> have a state per interface.

if-bound means that a state entry will match packets only on the interface the state was created on. Floating states can match packets on any interface. Sometimes that's intended, like when you have multiple uplinks and dynamically change routing through them.

> Where can I find more info about it than in "man pf.conf"?

I don't know of any specific articles, but it must have been explained a couple of times on the mailing lists. Have you tried Google?

> Btw... can I use "(if-bound)" on just that rule containing "synproxy state"?

Yes, there's the global default 'set state-policy' and you can use 'if-bound' as an option of 'keep state'.

> And why has this behaviour changed from 3.5 to 3.6?
> (I have read the link you sent, and you talk a lot about the loopback which
> isn't the problem)

People wanted the packets generated by synproxy (replaying the TCP handshake with the server) to get filtered by pf, so they can create state on internal interfaces. If one of the connection endpoints is the firewall itself, pf sees packets on loopback as well, see

http://marc.theaimsgroup.com/?l=openbsd-tech&m=108914317421586&w=2

Daniel
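The ruleset below is an added illustration of the two points in the reply above (the global 'set state-policy' default versus a per-rule '(if-bound)' option, and the extra pass rule the synproxy-replayed handshake needs on the internal interface now that pf filters those packets). It is not part of the mailing-list thread or of the OpenBSD pf distribution; the interface names, the server address and the port are assumptions chosen for the example.

```conf
# pf.conf fragment (added example, not from the thread).
# Assumed topology: $ext_if faces the Internet, $int_if faces a LAN
# that hosts a web server at $webserver. Addresses are placeholders.
ext_if    = "fxp0"
int_if    = "fxp1"
webserver = "192.168.1.10"

# Global default: states may match on any interface. This is what the
# thread confirms is the default; it is spelled out here only to make
# the per-rule override below visible.
set state-policy floating

block all

# Per-rule override: synproxy on the external interface, and this one
# state is bound to $ext_if via the "(if-bound)" state option, so it
# only matches packets seen on $ext_if. The global policy stays floating
# for every other rule.
pass in on $ext_if proto tcp from any to $webserver port 80 \
    flags S/SA synproxy state (if-bound)

# Once the client handshake completes, synproxy replays the TCP
# handshake to the server. Those firewall-generated packets are filtered
# like any others, so they need a rule of their own on the internal
# interface, which also creates the state for the server-side leg.
pass out on $int_if proto tcp from any to $webserver port 80 \
    flags S/SA keep state
```

If the synproxied service ran on the firewall itself instead of on a host behind $int_if, the replayed handshake would be seen on the loopback interface as well, per the linked openbsd-tech post, and a corresponding pass rule (or a decision not to filter lo0) would be needed there; that case is deliberately left out of the fragment above.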
