Project

General

Profile

Actions
Copy link

Feature #15183

closed

Add per-rule option to set PF State Policy (if-bound vs floating)

Added by Jim Pingle 3 months ago. Updated 3 months ago.

Status:
Resolved
Priority:
Normal
Assignee:
Jim Pingle
Category:
Rules / NAT
Target version:
2.8.0
Start date:
Due date:
% Done:

100%

Estimated time:
Plus Target Version:
24.03
Release Notes:
Default

Description

Now that #15173 is in place it would be helpful to have a per-rule option to set state policy between default, if-bound, and floating.

This would work similar to the current "State Type" option but separate from that. Both policy and type can be set at the same time. Combining the options would be confusing.

The option should be named "State Policy", go directly above "State Type", and have three choices in a selection list drop-down:

  • "" (empty/unset): Default - Use current global default policy
  • "if-bound": Interface Bound - Packets matching states created by this rule can only pass on this interface (more secure)
  • "floating": Floating - Packets matching states created by this rule can pass on any interface (more lenient)

Help text can lightly summarize the behavior and link to system_advanced_firewall.php and note to see option "Firewall State Policy" there for full details.

When crafting rules, it should be set similar to sloppy and other $aline['flags'] entries (~Line 3597 on CE, 3660 on Plus)

See #15173 for more info.

Related issues

Related to Todo #15173: Add global option to set default PF State Policy (if-bound vs floating)ResolvedJim Pingle

Actions
Actions
Copy link
 #1

Updated by Jim Pingle 3 months ago

  • Status changed from New to In Progress
Actions
Copy link
 #2

Updated by Jim Pingle 3 months ago

Note when testing that the OS default is floating, thus when inspecting rules output by pfctl -sr the word "floating" will not appear. If the rule has no listed policy in pfctl -sr, it's using floating. The global default does not affect this at all, it's only influenced by the OS default.

When a rule uses if-bound, however, that will always appear, for the same reason (it always differs from the OS default).

Actions
Copy link
 #3

Updated by Jim Pingle 3 months ago

  • Status changed from In Progress to Feedback
  • % Done changed from 0 to 100
Actions
Copy link
 #4

Updated by Jim Pingle 3 months ago

  • Related to Todo #15173: Add global option to set default PF State Policy (if-bound vs floating) added
Actions
Copy link
 #5

Updated by Alhusein Zawi 3 months ago

Firewall State Policy option is added:

pfctl -sr results:

interface bound state:
pass in quick on em0 reply-to (em0 10.100.100.1) inet all flags S/SA keep state label "USER_RULE: test" label "id:1706381909" ridentifier 1706381909

floating state:
pass in quick on em0 reply-to (em0 10.100.100.1) inet all flags S/SA keep state (if-bound) label "USER_RULE: test" label "id:1706381909" ridentifier 1706381909

2.8.0.a.20240126.0600

Actions
Copy link
 #6

Updated by Alhusein Zawi 3 months ago

  • Status changed from Feedback to Resolved
Actions
Copy link

Also available in: Atom PDF