Date: Fri, 1 Aug 2008 12:31:07 -0500
From: "David DeSimone" <fox@verio.net>
To: <freebsd-pf@freebsd.org>
Subject: Re: need help with keep state and shaping
Message-ID: <20080801173107.GC13898@verio.net>
In-Reply-To: <56637.88.119.128.115.1217585235.squirrel@mx.agservice.lt>
References: <51307.88.119.128.115.1217227945.squirrel@mx.agservice.lt> <64686.88.119.128.115.1217400195.squirrel@mx.agservice.lt> <1217406136.31805.6.camel@buchtajz> <50928.88.119.128.115.1217406553.squirrel@mx.agservice.lt> <56637.88.119.128.115.1217585235.squirrel@mx.agservice.lt>
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

news@topocentras.lt <news@topocentras.lt> wrote:
>
> What difference in state-policy floating and if-bound?

"if-bound" means that the state becomes bound to the particular
interfaces over which traffic was flowing at the start of the
connection (when state is created). If your interfaces have hard
assignments that don't change, and your routing table is static, this
is the most secure choice. It means that traffic which suddenly starts
coming in or going out a different interface than it used to will no
longer match the state, and therefore will be dropped.

The "floating" state does not have this restriction, and traffic can
come in or go out any interface and it will still be matched.

> If I am using tagging for incoming and outgoing traffic? Which policy
> I need to use?

The policy you choose depends on how dynamic your interface and routing
environment are. For instance, if you had multiple ISPs and used a
routing protocol to choose dynamically between them, you would want the
"floating" policy. Likewise, if you use PPP or other types of tunnels
which go up and down, you will want "floating". Otherwise, choose
"if-bound" for security reasons.

-- 
David DeSimone == Network Admin == fox@verio.net
"This email message is intended for the use of the person to whom it
has been sent, and may contain information that is confidential or
legally protected. If you are not the intended recipient or have
received this message in error, you are not authorized to copy,
distribute, or otherwise use this message or its attachments. Please
notify the sender immediately by return e-mail and permanently delete
this message and any attachments. Verio, Inc. makes no warranty that
this email is error or virus free. Thank you."
--Lawyer Bot 6000
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (GNU/Linux)

iD8DBQFIk0hbFSrKRjX5eCoRAl8qAJ0Z23RD25cHiy6anw3A7NW7+88qewCfcRd7
H2Th1ZZAraXLgQ+G3G+r/T0=
=+noD
-----END PGP SIGNATURE-----
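A pf.conf fragment illustrating the two policies discussed above: a global "if-bound" default with a per-rule "floating" override for a tunnel interface that goes up and down, plus the tagging the original poster asked about. This is an added example, not text from the thread or from any FreeBSD documentation; the interface names, addresses and the tag name are assumptions chosen for illustration.

```pf
# Added example pf.conf; not part of the original message. Interface names,
# addresses and the tag name are assumptions chosen for illustration.
ext_if  = "em0"               # static uplink with a fixed address, never re-routed
tun_if  = "tun0"              # PPP/VPN tunnel that goes up and down
int_if  = "em1"
lan_net = "192.168.10.0/24"

# Global default: bind every state to the interface on which it was created.
# A packet that belongs to an if-bound state but arrives on (or tries to leave
# via) a different interface does not match that state; it is evaluated
# against the ruleset again, where "block log all" below catches it.
set state-policy if-bound

block log all

# LAN hosts enter on the internal interface; tag the traffic so the outbound
# rules can match it without repeating the address filter.
pass in on $int_if inet from $lan_net to any keep state tag LAN_OUT

# Outbound via the static uplink: the global if-bound policy applies, so a
# state created here is only ever matched on $ext_if.
pass out on $ext_if inet tagged LAN_OUT keep state

# Outbound via the tunnel: the path may change while connections are open
# (tunnel flaps, route withdrawn), so override the policy for this rule with
# "floating" and let these states match regardless of interface.
pass out on $tun_if inet tagged LAN_OUT keep state (floating)
```

Check the syntax with `pfctl -nf /etc/pf.conf` before loading. Once loaded, `pfctl -ss` lists each state with its bound interface in the first column; states created by the floating rule show `all` there instead of an interface name, which is a quick way to confirm that only the intended rule escaped the if-bound default.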