Todo #15173: Add global option to set default PF State Policy (if-bound vs floating)
Status: Closed (100% done)
Description
PF now has an option to set the default state policy to either floating (the current PF and OS default) or interface-bound states.
- Interface Bound States are more strict and secure. States are bound to specific interfaces by their OS/driver name (e.g. igcX). If a packet attempts to take a path through a different interface than the one to which the state is bound, the packet is dropped. This policy is less likely to allow VPN or other traffic to egress via unexpected paths (e.g. during interface events).
- Floating States are less secure, more lenient in their checks, and are not strictly associated with any interface. The interface is tracked in the state properties, but it is informational and not enforced. This policy allows HA nodes with different hardware to utilize state synchronization. It is also more forgiving of certain asymmetric routing scenarios. However, this relaxed policy may allow connections to be misdirected or take unexpected paths if the routing table can be manipulated.
- There is no difference in the ability to view or kill states between either mode.
Previous versions of pfSense software had been using a policy that was closer to if-bound and that behavior has several desirable traits, but floating also has some advantages, though it's less secure in some ways. Since pfSense software does not directly configure the option, it was following the OS default and switched to floating states, likely around the switch to a FreeBSD 14 base.
Since both methods have valid use cases and both methods appear to work fine in limited testing so far, we should add an option to allow the user to select between them. Since if-bound is more secure, it should become the default. There should be text similar to the above, and in the docs eventually, warning about the potentially lowered security with floating.
N.B. Some references to interface-bound state behavior have been recently removed from the docs since the default in PF changed to floating. When adding docs for this option, those notes should be restored and xref to this option.
Patch for testing is attached; it should apply to either CE or Plus (dev snapshots and current releases).
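For reference, the raw pf.conf syntax behind the two policies compared above, as an added example that is not part of the attached patch or the pfSense ruleset generator. Interface names (igc0 = WAN, igc1 = LAN, ovpnc1 = VPN client) and the 192.168.1.0/24 subnet are constructed.

```pf
# Weaker setting: floating states (the OS default on a FreeBSD 14 base).
# The creating interface is recorded in the state but not enforced, so a
# state can still match a packet that arrives on or leaves via a different
# interface after a route change or interface event.
#set state-policy floating

# Stricter setting: interface-bound states. A state created on ovpnc1 only
# matches packets on ovpnc1; if the VPN drops and the route falls back to
# igc0, the packets no longer match the state and are dropped instead of
# egressing via the WAN.
set state-policy if-bound

# Rules without an explicit state option inherit the global policy.
pass in on igc1 proto tcp from 192.168.1.0/24 to any port 443 keep state

# Per-rule override (raw equivalent of the per-rule option in #15183):
# keep the global if-bound default but allow floating states on one rule
# where asymmetric paths are expected, e.g. traffic that may return via
# either the WAN or the VPN interface.
pass out on { igc0 ovpnc1 } proto tcp from 192.168.1.0/24 to any port 22 keep state (floating)

# Conversely, a single rule can be made strict while the global policy is
# floating:
pass in on igc0 proto tcp from any to 192.168.1.10 port 22 keep state (if-bound)
```

Validate the ruleset syntax without loading it using `pfctl -nf <file>`.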
Updated by Jim Pingle 10 months ago
- File statepolicy.patch added
Updated by Jim Pingle 10 months ago
- Status changed from In Progress to Feedback
- % Done changed from 0 to 100
Applied in changeset 7fedaae5775b9fb58dea7a71afce6d7c3ba062f9.
Updated by Jim Pingle 10 months ago
- Subject changed from Add option to set default PF State Policy (if-bound vs floating) to Add global option to set default PF State Policy (if-bound vs floating)
Updated by Jim Pingle 10 months ago
- Related to Feature #15183: Add per-rule option to set PF State Policy (if-bound vs floating) added
Updated by Marcos M 10 months ago
- Related to Todo #15220: Handle ``route-to`` and ``reply-to`` states when using the ``if-bound`` state policy added
Updated by Marcos M 10 months ago
- Related to Bug #12630: States are always created on the default gateway interface. added
Updated by Marcos M 10 months ago
- Related to Regression #13420: TCP traffic sourced from the firewall can only use the default gateway added