Hi all, I've been using pf for over five years and I think it is great. So first, a big thanks to all developers! :-)

Then, a question on states. Is it generally in some way more secure to use only "if-bound" states? I have done that until now, as it kind of feels more secure.

I ask this because now that I got new hardware, with 3 interfaces connected to the internet, I would like to use 2 of the interfaces as binat to two of the hosts in my LAN. The third interface is regular nat for all other hosts. However, I noticed that with the if-bound state policy, incoming traffic to a binat'ed host creates a state that doesn't match the reply packet coming from the host (see the mail to m...@openbsd.org below, and a similar question from someone else in 2007 which seems unanswered), and the (reply-to) routing is not done, causing a drop because of routing towards a wrong default route. Sessions initiated by the binat host work fine and are routed correctly; the problem is the incoming connections.

Besides just using "keep state (floating)", would it make sense to add a way to define explicitly the interfaces that will point to the state, e.g. "keep state (em0, re0)"? Maybe I could experiment with that if you don't tell me that it is absolutely unnecessary or insecure and I should do something else instead :-)

Teemu

Begin forwarded message:

> From: Teemu Rinta-aho <te...@rinta-aho.org>
> Date: June 8, 2010 9:33:29 PM GMT+03:00
> To: m...@openbsd.org
> Subject: Re: pf: how to apply route-to for packets matching states?
>
>> Packet comes in on em1, reply should be routed to em1, but it is
>> still blocked on em0.
>
> Got it working by adding "keep state (floating)" to the rule.
>
> http://kerneltrap.org/mailarchive/openbsd-misc/2007/7/14/152333
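The setup described in the question, as an added example ruleset that is not from the thread or from pf's own documentation: it assumes pre-4.7 pf.conf translation syntax (binat/nat rules, as still used by FreeBSD's pf), shows one binat'ed host rather than two, and uses constructed interface names, addresses and gateway.

```pf
# Constructed example ruleset, not from the thread: pre-4.7 translation
# syntax (binat/nat rules, still used by FreeBSD pf). Interface names,
# addresses and the em1 gateway are made up.
ext_nat = "em0"            # default route; ordinary NAT for the LAN
ext_a   = "em1"            # dedicated uplink, 1:1 mapped to host A
gw_a    = "198.51.100.1"   # next hop on em1
pub_a   = "198.51.100.10"  # host A's public address on em1
lan     = "re0"
host_a  = "192.168.1.10"

# Global default as in the question: a state is tied to the interface
# that created it.
set state-policy if-bound

# Translation: 1:1 for host A on em1, masquerading for everyone else on
# em0 (host A is excluded so a misrouted reply is never rewritten).
binat on $ext_a from $host_a to any -> $pub_a
no nat on $ext_nat from $host_a to any
nat on $ext_nat from $lan:network to any -> ($ext_nat)

block all

# Ordinary LAN traffic leaves through the default route.
pass in on $lan from $lan:network to any keep state
pass out on $ext_nat from ($ext_nat) to any keep state

# Sessions started by host A: route-to pins the outbound path to em1.
pass in on $lan route-to ($ext_a $gw_a) from $host_a to any keep state
pass out on $ext_a from $pub_a to any keep state

# Inbound to host A. The rdr half of binat rewrites the destination
# before filtering, so the filter rule matches the internal address.
#
# Failing form (state bound to em1, the global default): the host's
# reply enters on re0, does not match the em1-bound state, reply-to is
# not applied, and the packet follows the em0 default route instead:
#   pass in on $ext_a reply-to ($ext_a $gw_a) proto tcp \
#       from any to $host_a port 80 keep state
#
# Working form from the thread: a floating state is matched on any
# interface, so the reply on re0 hits this state and reply-to sends
# it back out em1 via gw_a.
pass in on $ext_a reply-to ($ext_a $gw_a) proto tcp \
    from any to $host_a port 80 keep state (floating)
```

Only the inbound rule for the binat'ed host needs the floating state; the rest of the ruleset keeps the if-bound default.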
Then, a question on states. Is it generally in some way more secure to use only "if-bound" states? I have done that until now, as it kind of feels more secure. I ask this because now that I got new hardware, with 3 interfaces connected to internet, I would like to use 2 of the interfaces as binat to two of the hosts in my LAN. The third interface is regular nat for all other hosts. However, I noticed that with if-bound state policy, incoming traffic to a binat'ed host creates a state that doesn't match the reply packet coming from the host (see the mail to m...@openbsd.org below, and a similar question from someone else in 2007 which seems unanswered), and the (reply-to) routing is not done, causing a drop because of routing towards a wrong default route. Sessions initiated by the binat host work fine and are routed correctly, the problem is the incoming connections. Besides just using "keep state (floating)", would it make sense to add a way to define the interfaces explicitly that will point to the state, e.g. "keep state (em0, re0)"? Maybe I could experiment with that if you don't tell me that it is absolutely unnecessary or insecure and I should do something else instead :-) Teemu Begin forwarded message: > From: Teemu Rinta-aho <te...@rinta-aho.org> > Date: June 8, 2010 9:33:29 PM GMT+03:00 > To: m...@openbsd.org > Subject: Re: pf: how to apply route-to for packets matching states? >> Packet comes in on em1, reply should be routed to em1, but it is >> still blocked on em0. > > Got it working by adding "keep state (floating)" to the rule. > > http://kerneltrap.org/mailarchive/openbsd-misc/2007/7/14/152333