From owner-freebsd-pf@FreeBSD.ORG Sun Oct 27 15:33:24 2013
Date: Sun, 27 Oct 2013 08:33:23 -0700
From: Rumen Telbizov
To: Kajetan Staszkiewicz
Cc: freebsd-pf@freebsd.org
Subject: Re: PF sanity check
In-Reply-To: <201310270128.47766.vegeta@tuxpowered.net>
References: <201310270128.47766.vegeta@tuxpowered.net>
List-Id: "Technical discussion and general questions about packet filter (pf)"

Thanks for your answer and comments, Kajetan. See my comments below.

> > The question is: Is keeping two states for one connection a bad thing or
> > is it an acceptable practice?
>
> It's rather a requirement. A packet incoming on one interface creates a
> different state than the same packet outgoing on the other interface (even
> without if-bound state policy). And you want further, reverse direction
> packets in connections to be matched to existing states and passed instead
> of traversing the rule list or hitting the block rule.

Cool. I know the states are different (due to direction differences) but I
was wondering if there was a way around that to save on the number of states
and somehow get away with only 1 state. So now I understand having two states
per connection is fine.

> If you want to fully ignore the interface, you can use "set skip" for that
> purpose. Although I'm not sure if NAT will work in such a case, should you
> need it. It also would be nice to set skip on the loopback interface.
>
> > pass quick on $ext_if no state
>
> This rule passes the traffic both directions, so it's probably fine.
> Although using stateful inspection would increase security a bit.

The reason I didn't go on a complete skip on $ext_if is that I actually do
have a handful of rules on the external interface just before that one.
Things like blocking from bad hosts, etc. Very few though. I do skip on
loopback. I went with the 'no state' since this was my 'hack' to reduce the
number of states to only 1 on connections traversing the external interface.
In fact this is partially what provoked my question on saving on the number
of states between vlans. But I simply cannot figure out a way.

I was more curious to know what you and other folks think regarding my first
question: *Is there any security risk in me allowing the traffic to pass the
external interface and then dropping it on the internal interface?*

Thank you very much,

--
Rumen Telbizov
Unix Systems Administrator
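As an added illustration (this is not configuration from the thread or from either poster), the following pf.conf skeleton lays out the two designs being compared above: the stateless pass on the external interface with all filtering done on the internal VLAN interfaces, and the stateful alternative Kajetan suggests. It also shows the pieces Rumen mentions, `set skip` on loopback and a short list of rules ahead of the catch-all pass. The interface names (em0, vlan10, vlan20), the networks, and the blocklist file are assumed placeholders.

```pf
# Added example, not from the mailing-list thread. Interface names, networks
# and the blocklist file below are assumed placeholders.
ext_if  = "em0"         # assumed external interface
lan_if  = "vlan10"      # assumed internal VLAN: user workstations
srv_if  = "vlan20"      # assumed internal VLAN: servers
lan_net = "192.0.2.0/24"        # documentation prefix standing in for the LAN
srv_net = "198.51.100.0/24"     # documentation prefix standing in for servers

table <badhosts> persist file "/etc/pf.badhosts"   # assumed blocklist file

# Loopback is trusted; skipping it keeps local traffic out of the state table.
set skip on lo0

# The "handful of rules" on the external interface before the catch-all pass.
block in quick on $ext_if from <badhosts>
antispoof quick for $ext_if

# Variant A (the design discussed above): pass on $ext_if without creating
# state. A forwarded connection then holds only the state created on its
# internal VLAN interface. The trade-off: pf does no state or TCP sequence
# tracking on $ext_if, so every packet from the outside is evaluated only by
# the internal interface rules below, and the "block log all" there is the
# single point that stops unsolicited traffic.
pass quick on $ext_if no state

# Variant B (the stateful alternative): comment out the line above and use
# these instead. Two states per connection, but replies on $ext_if must match
# an existing state. "flags S/SA" is written out so that only a SYN can
# create a TCP state regardless of the pf version's default; a stray
# mid-stream TCP segment then falls through to the block rule.
# pass quick on $ext_if proto tcp flags S/SA keep state
# pass quick on $ext_if proto { udp, icmp } keep state

# Internal interfaces: default deny and log, then allow what each VLAN needs.
# pf uses last-match semantics, so this rule loses to any later matching pass
# rule but catches everything the quick rules above did not already decide.
block log all

# User LAN may initiate web and DNS traffic to anywhere (other VLANs or the
# Internet). The state created here on $lan_if also passes the replies back
# out on $lan_if, which is the only state this connection needs in variant A.
pass in on $lan_if proto tcp from $lan_net to any port { 80 443 } keep state
pass in on $lan_if proto udp from $lan_net to any port 53 keep state

# Servers accept web traffic from anywhere. Packets toward the servers leave
# the firewall on $srv_if, hence "pass out"; the state created on $srv_if
# handles the servers' replies coming back in on that interface.
pass out on $srv_if proto tcp from any to $srv_net port { 80 443 } keep state
```

With variant A, the `log` keyword on the internal block rule is what makes the design observable: anything that the external interface let through but no VLAN rule wanted shows up on `pflog0` (for example with `tcpdump -n -e -ttt -i pflog0`), which is where a defender would watch for probes that reach the internal interfaces. Switching to variant B adds the second state per connection that the thread discusses, in exchange for pf rejecting non-SYN TCP segments and unmatched replies already on `$ext_if`.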