From: "Tonix (Antonio Nati)" <tonix@interazioni.it>
Date: Sat, 21 Jul 2012 15:48:48 +0200
To: Greg Hennessy
Cc: freebsd-pf@freebsd.org
Subject: Re: Question on packet filter using in and out interfaces

On 20/07/2012 02:44, Greg Hennessy wrote:
> For PF I would tend to filter in the ingress interface, tag flows passed by policy and put a generic pass rule on the egress interface permitting the tagged flow.
>
> The only exception would be assignment of specific flows for shaping.

Please see the answer on the other thread.
If PF evaluates rules all together, there would be no security difference in using IN or OUT rules. Or does PF not evaluate all rules in the configuration file in the same phase?

Regards,

Tonino

>
>
> Greg
>
>
>> -----Original Message-----
>> From: owner-freebsd-pf@freebsd.org [mailto:owner-freebsd-pf@freebsd.org] On Behalf Of Tonix (Antonio Nati)
>> Sent: Friday, 20 July 2012 1:25 AM
>> To: freebsd-pf@freebsd.org
>> Subject: Question on packet filter using in and out interfaces
>>
>> I have a basic question on the usage of 'in' or 'out' interfaces, in practical usage.
>>
>> I'm having some talks on the PFsense mailing list, and I'm saying there is no security difference between using rulesets on output interfaces or on input interfaces, as PF is evaluating all rules in the same phase.
>>
>> On the contrary, I'm told all 'in' rules are evaluated first, then there is a routing phase, then the 'out' rules are finally evaluated, so it is more secure to have only filters on 'in' interfaces.
>>
>> Which is the real situation? Does Packet Filter really have any security advantage in having only 'in' rules, or is there no difference in using the out interface instead of the in interface?
>>
>> It all starts from the consideration that using out interfaces would simplify a lot the management of complex environments, with interfaces dedicated to different customers (one OUT rule on a specific interface instead of several IN rules on all other interfaces).
>>
>> Thanks for any clear answer you can give.
>>
>> Regards,
>>
>> Tonino
>>
>>
>> _______________________________________________
>> freebsd-pf@freebsd.org mailing list
>> http://lists.freebsd.org/mailman/listinfo/freebsd-pf
>> To unsubscribe, send any mail to "freebsd-pf-unsubscribe@freebsd.org"
>

--
------------------------------------------------------------
Inter@zioni Interazioni di Antonio Nati
http://www.interazioni.it tonix@interazioni.it
------------------------------------------------------------
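The arrangement Greg describes (policy decided and tagged on the ingress interface, a generic tagged-only pass on the egress interface), as an added pf.conf example that is not part of the thread; the interface names, customer networks and tag names are assumed for illustration.

```pf
# Added example, not from the thread. Interfaces, networks and tags assumed.
ext_if   = "em0"
custA_if = "em1"            # interface dedicated to customer A
custB_if = "em2"            # interface dedicated to customer B
custA_net = "10.1.0.0/24"
custB_net = "10.2.0.0/24"

set skip on lo0

# Default deny in both directions: every pass below is explicit, and any
# packet that reaches an interface without matching a pass rule is logged.
block log all

# Ingress is where policy is decided. A flow that is allowed gets a tag;
# the tag is kept with the state, so later packets of the flow carry it too.
pass in on $custA_if inet proto tcp from $custA_net to any port { 80 443 } \
    tag CUSTA_OUT keep state
pass in on $custB_if inet proto { tcp udp } from $custB_net to any port 53 \
    tag CUSTB_OUT keep state

# Egress carries no customer-specific policy at all: it only lets through
# what was already tagged on ingress. Untagged traffic that was routed to
# the external interface (for example from an interface with no ingress
# rule) falls through to "block log all".
pass out on $ext_if tagged CUSTA_OUT keep state
pass out on $ext_if tagged CUSTB_OUT keep state

# Customer-to-customer traffic is also covered: a packet from A to B
# passes ingress on em1 only if it matches the A policy, and there is no
# pass rule on em2's egress for it, so the default block drops it.
# If the isolation should be visible in the logs explicitly:
block log out on $custB_if from $custA_net
block log out on $custA_if from $custB_net
```

Check the ruleset with `pfctl -nf /etc/pf.conf` before loading it, and use `pfctl -sr` afterwards to confirm the order in which the rules were installed.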