
Todo #15173

closed

Add global option to set default PF State Policy (if-bound vs floating)

Added by Jim Pingle 3 months ago. Updated about 2 months ago.

Status: Resolved
Priority: Normal
Assignee:
Category: Rules / NAT
Target version:
Start date:
Due date:
% Done: 100%
Estimated time:
Plus Target Version: 24.03
Release Notes: Default

Description

PF now has an option to set the default state policy to either floating (the current PF and OS default) or interface-bound states.

  • Interface Bound States are more strict and secure. States are bound to specific interfaces by their OS/driver name (e.g. igcX). If a packet attempts to take a path through a different interface than the one to which it is bound, the packet is dropped. This policy is less likely to allow VPN or other traffic to egress via unexpected paths (e.g. during interface events).
  • Floating States are less secure, more lenient in their checks, and are not strictly associated with any interface. The interface is tracked in state properties, but it is informational and not enforced. This policy allows HA nodes with different hardware to utilize state synchronization. It is also more forgiving of certain asymmetric routing scenarios. However, this relaxed policy may allow connections to be misdirected or take unexpected paths if the routing table can be manipulated.
  • There is no difference in the ability to view or kill states between either mode.
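The two policies above expressed as a minimal pf.conf fragment, added here for illustration (it is not the ruleset pfSense software generates from this option); interface names and addresses are assumptions:

```pf
# Added example, not pfSense-generated rules. Interface names (igc0, igc1)
# and addresses are assumptions used only to make the fragment complete.

# Global default for every state created by rules that do not override it.
# "floating" is the PF/OS default described in the ticket: the creating
# interface is recorded in the state but not enforced on later packets.
# "if-bound" ties the state to the interface that created it, so a packet
# matching that state but arriving on another interface is dropped.
set state-policy if-bound

# Ordinary rule: inherits the global if-bound policy. A reply for this
# state that shows up on igc1 (e.g. after a route change) will not match.
pass in on igc0 proto tcp from any to 192.0.2.10 port 443 keep state

# Per-rule override (the per-rule knob tracked separately in #15183).
# States from this rule float, which is what an HA pair with different
# interface names needs for state synchronization, at the cost of the
# interface check on every packet for these states.
pass in on igc1 proto tcp from 198.51.100.0/24 to any port 22 keep state (floating)
```

With the global default set to floating instead, the same per-rule syntax with `if-bound` restores the strict interface check for selected rules only.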

Previous versions of pfSense software had been using a policy that was closer to if-bound and that behavior has several desirable traits, but floating also has some advantages, though it's less secure in some ways. Since pfSense software does not directly configure the option, it was following the OS default and switched to floating states, likely around the switch to a FreeBSD 14 base.

Since both methods have valid use cases and both methods appear to work fine in limited testing so far, we should add an option to allow the user to select between them. Since if-bound is more secure, it should become the default. There should be text similar to above, and in the docs eventually, warning about potentially lowered security with floating.

N.B. Some references to interface-bound state behavior have been recently removed from the docs since the default in PF changed to floating. When adding docs for this option, those notes should be restored and xref to this option.

Patch for testing is attached; it should apply to either CE or Plus (dev snapshots and current releases).


Files

statepolicy.patch (4.7 KB), Jim Pingle, 01/18/2024 06:15 PM

Related issues

  • Related to Feature #15183: Add per-rule option to set PF State Policy (if-bound vs floating) (Resolved, Jim Pingle)
  • Related to Todo #15220: Handle ``route-to`` and ``reply-to`` states when using the ``if-bound`` state policy (Resolved, Kristof Provost)
  • Related to Bug #12630: States are always created on the default gateway interface. (Not a Bug)
  • Related to Regression #13420: TCP traffic sourced from the firewall can only use the default gateway (Resolved, Kristof Provost)
#2 Updated by Jim Pingle 3 months ago

  • File deleted (statepolicy.patch)

#4 Updated by Jim Pingle 3 months ago

  • Private changed from Yes to No

#5 Updated by Jim Pingle 3 months ago

  • Status changed from In Progress to Feedback
  • % Done changed from 0 to 100

#6 Updated by Jim Pingle 3 months ago

  • Subject changed from Add option to set default PF State Policy (if-bound vs floating) to Add global option to set default PF State Policy (if-bound vs floating)

#7 Updated by Jim Pingle 3 months ago

  • Related to Feature #15183: Add per-rule option to set PF State Policy (if-bound vs floating) added

#8 Updated by Marcos M 3 months ago

  • Related to Todo #15220: Handle ``route-to`` and ``reply-to`` states when using the ``if-bound`` state policy added

#9 Updated by Marcos M 3 months ago

  • Related to Bug #12630: States are always created on the default gateway interface. added

#10 Updated by Marcos M 3 months ago

  • Related to Regression #13420: TCP traffic sourced from the firewall can only use the default gateway added

#11 Updated by Marcos M about 2 months ago

  • Status changed from Feedback to Resolved
