Diagnostics / States
-
Hi
I'm using 2.8.0.b.20250414.1837
When I check in Diagnostics / States and use a filter expression, i can only find states when the interface is set to all.
If I use any other interface nothing will show up.
It's regardless what the expression is set to, like tcp, udp, icmp or a specific ip.
-
@steve72 Could you capture a screenshot showing results—and then another showing a filter they should be hitting on but with no actual results listed?
-
Sure.
-
If you have the default state policy set to "Floating" or you have traffic hitting stateful rules with their policy set to "Floating" then the interface on the state is actually "all" and will only match "all".
If you use interface-bound states then you will see most traffic having an interface in the states list, though some things (like IPsec VTI traffic) will still use floating states in certain cases and those states will still have an interface of "all".
-
Ok, thanks for the reply.
I have Firewall State Policy set to floating in System / Advanced / Firewall & NAT. I haven't made any changes in the setting when upgrading from 2.7.2 CE to this new beta. All firewall rules use the global default, i.e. floating state.
I have several interfaces configured and have always been able to watch the traffic on the separate interfaces, mostly to confirm that my rules are working as they should.
I have a spare device i can run 2.7.2 CE on and restore my old settings on try to compare what's different.
-
I have checked old config files from 2.7.2 CE, there the default policy state is set to floating.
<statepolicy><![CDATA[floating]]></statepolicy>
When i check the docs, Docs:
State Policy History
From pfSense Plus software version 22.01/CE 2.6.0 until pfSense Plus software version 23.09.1/CE 2.7.2 the behavior was closer to “floating”.
Starting with pfSense Plus software version 24.03/CE 2.8.0 the default is explicitly set to “interface bound” for increased security.
So, there seems to be something that have changed regarding state policy implementation?
I've changed to Interface Bound States on the 2.8.0 Beta and now it looks and behaves like it did before regarding showing and filtering states.
-
More likely you had the system patches package installed and applied on 2.7.2 and had set it to Floating there. Otherwise it wouldn't have had any setting in your configuration file.
-
