Closed commonism closed 6 years ago
@commonism we'll add an option, sounds reasonable to me. If I can find some time around the weekend, I'll prepare a patch.
@commonism as promised, https://github.com/opnsense/core/commit/09a13913ec94040f3f15f49306aa789904f5c481 adds an option in the advanced section.
Hi,
default pf connection tracking ignores the interface, this state-policy is called "floating".
For transparent bridges this does not work if multiple networks share the same firewall, as the "allowed outgoing packet" from network 1.1.1.0/24 creates a state which is used to allow the packet to enter network 2.2.2.0/24 - without evaluating any rules of the associated interfaces, as there is a state.
Imagine IIF and OIF to be on the same pfsense machine - even if the drawing can be read otherwise.
With netgate/pfsense they chose to remove the functionality to evaluate the state-policy from the kernel. While it does not fix the issue, it adds a lot to the principle of least surprise. It is a surprise to see rules be if-bound when dumping, but not to have any form of changed behaviour.
if-bound can be a per-rule option or set globally. I think both options can be valid at times. For now I could live with a standardized but cheap way to smear a
to the head of rules.debug.
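For readers following the floating vs. if-bound discussion, here is an added pf.conf fragment that is not from the ticket, the commit, or the OPNsense code base. It shows the two ways to bind states to an interface that the post refers to: globally with `set state-policy`, or per rule with the `if-bound` state option. The interface names `em0`/`em1` are assumed for illustration; the networks 1.1.1.0/24 and 2.2.2.0/24 are the ones used in the ticket.

```pf
# Added example, not OPNsense's generated ruleset.
# Interfaces em0 and em1 are assumed; they stand for the two bridged
# networks from the ticket that share one firewall.

# Option 1: global policy. Every state is matched only on the interface
# that created it, so a state created by traffic leaving 1.1.1.0/24 on
# em0 can no longer let the same flow into 2.2.2.0/24 via em1 without
# evaluating em1's own rules. (The default, "floating", ignores the
# interface when matching states.)
set state-policy if-bound

# Option 2: per-rule binding. The state option on an individual rule
# overrides the global policy for states that rule creates, so a mixed
# ruleset is possible if some rules must stay floating.
pass in on em0 inet from 1.1.1.0/24 to any keep state (if-bound)
pass in on em1 inet from 2.2.2.0/24 to any keep state (if-bound)

# A rule left floating explicitly, for comparison:
pass in on em0 inet from 1.1.1.0/24 to 1.1.1.1 port 53 keep state (floating)
```

To confirm which policy is in effect after loading the ruleset, `pfctl -ss` lists each state with the interface it is bound to in the first column; floating states show `all` there instead of an interface name, which is the cheap check the post is asking for when inspecting the head of rules.debug.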