From owner-freebsd-pf@FreeBSD.ORG Mon Jul 16 02:56:53 2012
From: linimon@FreeBSD.org
To: linimon@FreeBSD.org, freebsd-bugs@FreeBSD.org, freebsd-pf@FreeBSD.org
Date: Mon, 16 Jul 2012 02:56:53 GMT
Message-Id: <201207160256.q6G2urNo013546@freefall.freebsd.org>
Subject: Re: kern/169630: [pf] [patch] pf fragment reassembly of padded (undersized) fragments

Old Synopsis: pf fragment reassembly of padded (undersized) fragments
New Synopsis: [pf] [patch] pf fragment reassembly of padded (undersized) fragments

Responsible-Changed-From-To: freebsd-bugs->freebsd-pf
Responsible-Changed-By: linimon
Responsible-Changed-When: Mon Jul 16 02:56:29 UTC 2012
Responsible-Changed-Why:
Over to maintainer(s).
http://www.freebsd.org/cgi/query-pr.cgi?pr=169630

From owner-freebsd-pf@FreeBSD.ORG Mon Jul 16 11:09:18 2012
From: FreeBSD bugmaster
To: freebsd-pf@FreeBSD.org
Date: Mon, 16 Jul 2012 11:09:16 GMT
Message-Id: <201207161109.q6GB9Gr5094081@freefall.freebsd.org>
Subject: Current problem reports assigned to freebsd-pf@FreeBSD.org

Note: to view an individual PR, use:
  http://www.freebsd.org/cgi/query-pr.cgi?pr=(number).

The following is a listing of current problems submitted by FreeBSD users.
These represent problem reports covering all versions including
experimental development code and obsolete releases.

S Tracker      Resp.      Description
--------------------------------------------------------------------------------
o kern/169630  pf         [pf] [patch] pf fragment reassembly of padded (undersi
o kern/168952  pf         [pf] direction scrub rules don't work
o kern/168190  pf         [pf] panic when using pf and route-to (maybe: bad frag
s kern/167057  pf         [pf] PF firewall version 4.5 in FreeBSD 9.0 & 8.2 nolo
o kern/166336  pf         [pf] kern.securelevel 3 +pf reload
o kern/165315  pf         [pf] States never cleared in PF with DEVICE_POLLING
o kern/164402  pf         [pf] pf crashes with a particular set of rules when fi
o kern/164271  pf         [pf] not working pf nat on FreeBSD 9.0 [regression]
o kern/163208  pf         [pf] PF state key linking mismatch
o kern/160370  pf         [pf] Incorrect pfctl check of pf.conf
o kern/155736  pf         [pf] [altq] borrow from parent queue does not work wit
o kern/153307  pf         [pf] Bug with PF firewall
o kern/148290  pf         [pf] "sticky-address" option of Packet Filter (PF) blo
o kern/148260  pf         [pf] [patch] pf rdr incompatible with dummynet
o kern/147789  pf         [pf] Firewall PF no longer drops connections by sendin
o kern/143543  pf         [pf] [panic] PF route-to causes kernel panic
o bin/143504   pf         [patch] outgoing states are not killed by authpf(8)
o conf/142961  pf         [pf] No way to adjust pidfile in pflogd
o conf/142817  pf         [patch] etc/rc.d/pf: silence pfctl
o kern/141905  pf         [pf] [panic] pf kernel panic on 7.2-RELEASE with empty
o kern/140697  pf         [pf] pf behaviour changes - must be documented
o kern/137982  pf         [pf] when pf can hit state limits, random IP failures
o kern/136781  pf         [pf] Packets appear to drop with pf scrub and if_bridg
o kern/135948  pf         [pf] [gre] pf not natting gre protocol
o kern/135162  pf         [pfsync] pfsync(4) not usable with GENERIC kernel
o kern/134996  pf         [pf] Anchor tables not included when pfctl(8) is run w
o kern/133732  pf         [pf] max-src-conn issue
o kern/132769  pf         [pf] [lor] 2 LOR's with pf task mtx / ifnet and rtent
f kern/132176  pf         [pf] pf stalls connection when using route-to [regress
o conf/130381  pf         [rc.d] [pf] [ip6] ipv6 not fully configured when pf st
o kern/129861  pf         [pf] [patch] Argument names reversed in pf_table.c:_co
o kern/127920  pf         [pf] ipv6 and synproxy don't play well together
o conf/127814  pf         [pf] The flush in pf_reload in /etc/rc.d/pf does not w
o kern/127439  pf         [pf] deadlock in pf
o kern/127121  pf         [pf] [patch] pf incorrect log priority
o kern/127042  pf         [pf] [patch] pf recursion panic if interface group is
o kern/125467  pf         [pf] pf keep state bug while handling sessions between
s kern/124933  pf         [pf] [ip6] pf does not support (drops) IPv6 fragmented
o kern/124364  pf         [pf] [panic] Kernel panic with pf + bridge
o kern/122773  pf         [pf] pf doesn't log uid or pid when configured to
o kern/122014  pf         [pf] [panic] FreeBSD 6.2 panic in pf
o kern/120281  pf         [pf] [request] lost returning packets to PF for a rdr
o kern/120057  pf         [pf] [patch] Allow proper settings of ALTQ_HFSC. The c
o bin/118355   pf         [pf] [patch] pfctl(8) help message options order false
o kern/114567  pf         [pf] [lor] pf_ioctl.c + if.c
s conf/110838  pf         [pf] tagged parameter on nat not working on FreeBSD 5.
o kern/103283  pf         pfsync fails to sucessfully transfer some sessions
o kern/103281  pf         pfsync reports bulk update failures
o kern/93825   pf         [pf] pf reply-to doesn't work
o sparc/93530  pf         [pf] Incorrect checksums when using pf's route-to on s
o kern/92949   pf         [pf] PF + ALTQ problems with latency
o bin/86635    pf         [patch] pfctl(8): allow new page character (^L) in pf.
o kern/82271   pf         [pf] cbq scheduler cause bad latency

53 problems total.
From owner-freebsd-pf@FreeBSD.ORG Thu Jul 19 15:31:34 2012 Return-Path: Delivered-To: freebsd-pf@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [69.147.83.52]) by hub.freebsd.org (Postfix) with ESMTP id 1BD5B1065675 for ; Thu, 19 Jul 2012 15:31:34 +0000 (UTC) (envelope-from tonix@interazioni.it) Received: from mx02.interazioni.net (mx02.interazioni.net [80.94.114.204]) by mx1.freebsd.org (Postfix) with ESMTP id 4C18E8FC29 for ; Thu, 19 Jul 2012 15:31:33 +0000 (UTC) Received: (qmail 84554 invoked by uid 88); 19 Jul 2012 15:24:50 -0000 Received: from unknown (HELO ?192.168.200.253?) (tonix@interazioni.it@217.19.151.67) by relay.interazioni.net with ESMTPA; 19 Jul 2012 15:24:50 -0000 Message-ID: <500826BD.3070602@interazioni.it> Date: Thu, 19 Jul 2012 17:24:45 +0200 From: "Tonix (Antonio Nati)" User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:13.0) Gecko/20120614 Thunderbird/13.0.1 MIME-Version: 1.0 To: freebsd-pf@freebsd.org Content-Type: text/plain; charset=ISO-8859-15; format=flowed Content-Transfer-Encoding: 7bit Subject: Question on packet filter using in and out interfaces X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Technical discussion and general questions about packet filter \(pf\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 19 Jul 2012 15:31:34 -0000 I have a basic question is on usage of 'in' or 'out' interfaces, on practical usage. I'm having some talks in PFsense mailing list, and I'm saying there is no security difference about using rulesets on output interfaces or on input interfaces, as PF is evaluating all rules in the same phase. At the opposite, I'm told all 'in' rules are evaluated first, than there is a routing phase, then the 'out' rules are finally evaluated, so it is more secure to have only filters on 'in' interfaces. Which is the real situation? 
Does really Packet Filter has any security advantage having only 'in' rules, or there is no difference on using out interface instead of in interface? All start from consideration that using out interfaces would semplify a lot management of complex environments, with interfaces dedicated to different customers (one OUT rule on specific interface instead of several IN rules on all other interfaces). Thanks for any clear answer you can give. Regards, Tonino From owner-freebsd-pf@FreeBSD.ORG Thu Jul 19 16:45:31 2012 Return-Path: Delivered-To: freebsd-pf@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 994A01065670 for ; Thu, 19 Jul 2012 16:45:31 +0000 (UTC) (envelope-from hoomanfazaeli@gmail.com) Received: from mail-qa0-f47.google.com (mail-qa0-f47.google.com [209.85.216.47]) by mx1.freebsd.org (Postfix) with ESMTP id 4A2D28FC0C for ; Thu, 19 Jul 2012 16:45:31 +0000 (UTC) Received: by qabg1 with SMTP id g1so4007434qab.13 for ; Thu, 19 Jul 2012 09:45:30 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=message-id:date:from:user-agent:mime-version:to:cc:subject :references:in-reply-to:content-type:content-transfer-encoding; bh=/vMc7DetcijYtrxATl355wvZva+eDROMmZlfobTUA8U=; b=MsN3xDUwy0A0FuQfl5alvAhbi7lBZ9XHl8UEd62XxD+kuZcDJ00pjJGEt0oV6qVG6d Ro8uorNmK0PU/Gg466kgi1U/Nf0kd1xHI/nqJzCqyPwTyzg+YS0GvZswliQGVW1ZFfiG 5Z8pZtsDqziW94ciAQ4aZF7ws5BjTJ1PdnKLvY4h/oQVCzLe323kaW07ot3/jIXSlf0J 8qTBtHkH1Y+uim0McjRkD+9Z60LTCdxzi3ArAegOSQiObMoqmS0LwXHkuJvNHZzryoDG BETxVocXu5psMchQSVknNayYWmwbPyUwiBB5iKWEFth+3/sV1w+mk65ue8kVr8zflxs1 e5nQ== Received: by 10.224.71.15 with SMTP id f15mr4809499qaj.74.1342716330396; Thu, 19 Jul 2012 09:45:30 -0700 (PDT) Received: from [127.0.0.1] ([84.241.57.181]) by mx.google.com with ESMTPS id et6sm3369863qab.8.2012.07.19.09.45.27 (version=TLSv1/SSLv3 cipher=OTHER); Thu, 19 Jul 2012 09:45:29 -0700 (PDT) Message-ID: 
<50083B02.6080707@gmail.com> Date: Thu, 19 Jul 2012 21:21:14 +0430 From: Hooman Fazaeli User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.28) Gecko/20120306 Thunderbird/3.1.20 MIME-Version: 1.0 To: "Tonix (Antonio Nati)" References: <500826BD.3070602@interazioni.it> In-Reply-To: <500826BD.3070602@interazioni.it> Content-Type: text/plain; charset=ISO-8859-15; format=flowed Content-Transfer-Encoding: 7bit Cc: freebsd-pf@freebsd.org Subject: Re: Question on packet filter using in and out interfaces X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Technical discussion and general questions about packet filter \(pf\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 19 Jul 2012 16:45:31 -0000 On 7/19/2012 7:54 PM, Tonix (Antonio Nati) wrote: > > Which is the real situation? Does really Packet Filter has any security advantage having only 'in' rules, or there is no difference on using out interface instead of in interface? > > All start from consideration that using out interfaces would semplify a lot management of complex environments, with interfaces dedicated to different customers (one OUT rule on specific interface > instead of several IN rules on all other interfaces). > > - Regardless of type, a firewall must be able to perform filtering on both IN and OUT directions. For instance, consider a firewall acting as IPSec gateway. The traffic comes IN encrypted. Here, you have the chance to filter traffic based on external tunnel addresses. Then the firewall decrypts the traffic, and forward it to the Internet. Here you have the opportunity to filter based on internal packet headers and plain text content. - IN may be preferred if a specific set of packets can be blocked on both IN and OUT. All the CPU cycles allocated to forwarding is wasted if you postpone blocking until packets reach to OUT level. 
This, for instance, makes firewall less tolerant to DoS attacks. From owner-freebsd-pf@FreeBSD.ORG Fri Jul 20 00:45:38 2012 Return-Path: Delivered-To: freebsd-pf@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 386E5106566B for ; Fri, 20 Jul 2012 00:45:38 +0000 (UTC) (envelope-from Greg.Hennessy@nviz.net) Received: from mail1.jellyfishnet.co.uk (mail1.jellyfishnet.co.uk [93.91.20.9]) by mx1.freebsd.org (Postfix) with ESMTP id C7C368FC12 for ; Fri, 20 Jul 2012 00:45:37 +0000 (UTC) Received: from pemexhub02.jellyfishnet.co.uk.local (93.91.20.3) by mail1.jellyfishnet.co.uk (93.91.20.9) with Microsoft SMTP Server (TLS) id 8.1.393.1; Fri, 20 Jul 2012 01:44:26 +0100 Received: from PEMEXMBXVS04.jellyfishnet.co.uk.local ([192.168.65.52]) by pemexhub02.jellyfishnet.co.uk.local ([192.168.65.8]) with mapi; Fri, 20 Jul 2012 01:43:58 +0100 From: Greg Hennessy To: "Tonix (Antonio Nati)" , "freebsd-pf@freebsd.org" Date: Fri, 20 Jul 2012 01:44:23 +0100 Thread-Topic: Question on packet filter using in and out interfaces Thread-Index: Ac1lw+qCgPi6VVzaQISC5qwBK8WaZwATGyXg Message-ID: <9EB23F6C23A8B6488E8BCC92A48E83264BB4D26F80@PEMEXMBXVS04.jellyfishnet.co.uk.local> References: <500826BD.3070602@interazioni.it> In-Reply-To: <500826BD.3070602@interazioni.it> Accept-Language: en-US, en-GB Content-Language: en-US X-MS-Has-Attach: X-MS-TNEF-Correlator: acceptlanguage: en-US, en-GB Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: quoted-printable MIME-Version: 1.0 Cc: Subject: RE: Question on packet filter using in and out interfaces X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Technical discussion and general questions about packet filter \(pf\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 20 Jul 2012 00:45:38 -0000 For PF I would tend to filter in the ingress interface, tag flows passed 
by= policy and put a generic pass rule on the egress interface permitting the = tagged flow.=20 The only exception would be assignment of specific flows for shaping.=20 Greg > -----Original Message----- > From: owner-freebsd-pf@freebsd.org [mailto:owner-freebsd- > pf@freebsd.org] On Behalf Of Tonix (Antonio Nati) > Sent: Friday, 20 July 2012 1:25 AM > To: freebsd-pf@freebsd.org > Subject: Question on packet filter using in and out interfaces >=20 > I have a basic question is on usage of 'in' or 'out' interfaces, on > practical usage. >=20 > I'm having some talks in PFsense mailing list, and I'm saying there is > no security difference about using rulesets on output interfaces or on > input interfaces, as PF is evaluating all rules in the same phase. >=20 > At the opposite, I'm told all 'in' rules are evaluated first, than there > is a routing phase, then the 'out' rules are finally evaluated, so it > is more secure to have only filters on 'in' interfaces. >=20 > Which is the real situation? Does really Packet Filter has any security > advantage having only 'in' rules, or there is no difference on using out > interface instead of in interface? >=20 > All start from consideration that using out interfaces would semplify a > lot management of complex environments, with interfaces dedicated to > different customers (one OUT rule on specific interface instead of > several IN rules on all other interfaces). >=20 > Thanks for any clear answer you can give. 
>=20 > Regards, >=20 > Tonino >=20 >=20 > _______________________________________________ > freebsd-pf@freebsd.org mailing list > http://lists.freebsd.org/mailman/listinfo/freebsd-pf > To unsubscribe, send any mail to "freebsd-pf-unsubscribe@freebsd.org" From owner-freebsd-pf@FreeBSD.ORG Sat Jul 21 13:47:12 2012 Return-Path: Delivered-To: freebsd-pf@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 006751065673 for ; Sat, 21 Jul 2012 13:47:12 +0000 (UTC) (envelope-from tonix@interazioni.it) Received: from mx02.interazioni.net (mx02.interazioni.net [80.94.114.204]) by mx1.freebsd.org (Postfix) with ESMTP id 5014B8FC14 for ; Sat, 21 Jul 2012 13:47:10 +0000 (UTC) Received: (qmail 26259 invoked by uid 88); 21 Jul 2012 13:47:02 -0000 Received: from unknown (HELO ?82.143.55.19?) (tonix@interazioni.it@82.143.55.19) by relay.interazioni.net with ESMTPA; 21 Jul 2012 13:47:02 -0000 Message-ID: <500AB2D3.9070603@interazioni.it> Date: Sat, 21 Jul 2012 15:46:59 +0200 From: "Tonix (Antonio Nati)" User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:13.0) Gecko/20120614 Thunderbird/13.0.1 MIME-Version: 1.0 To: Hooman Fazaeli References: <500826BD.3070602@interazioni.it> <50083B02.6080707@gmail.com> In-Reply-To: <50083B02.6080707@gmail.com> Content-Type: text/plain; charset=ISO-8859-15; format=flowed Content-Transfer-Encoding: 7bit Cc: freebsd-pf@freebsd.org Subject: Re: Question on packet filter using in and out interfaces X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Technical discussion and general questions about packet filter \(pf\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sat, 21 Jul 2012 13:47:12 -0000 Il 19/07/2012 18:51, Hooman Fazaeli ha scritto: > > > On 7/19/2012 7:54 PM, Tonix (Antonio Nati) wrote: >> >> Which is the real situation? 
Does really Packet Filter has any >> security advantage having only 'in' rules, or there is no difference >> on using out interface instead of in interface? >> >> All start from consideration that using out interfaces would semplify >> a lot management of complex environments, with interfaces dedicated to >> different customers (one OUT rule on specific interface instead of >> several IN rules on all other interfaces). >> >> > > - Regardless of type, a firewall must be able to perform filtering on > both IN and OUT directions. > For instance, consider a firewall acting as IPSec gateway. The traffic > comes IN encrypted. Here, you > have the chance to filter traffic based on external tunnel addresses. > Then the firewall > decrypts the traffic, and forward it to the Internet. Here you have the > opportunity > to filter based on internal packet headers and plain text content. > > - IN may be preferred if a specific set of packets can be blocked on > both IN and OUT. > All the CPU cycles allocated to forwarding is wasted if you postpone > blocking > until packets reach to OUT level. This, for instance, makes firewall less > tolerant to DoS attacks. > > > I'd love not a theoric answer, but a practical answer based on how PF works. In PF manual, I read all rules contained in rules file are evaluated all together, so it looks like PF does not make a real difference about IN our OUT, but just it follows the order in which rules are listed in configuration file. Is that true? If PF follows the order of rules as listed in configuration file, there is no difference about using a IN or OUT rule, as the evaluation is done in the same phase for all. If, instead, IN and OUT rules are evaluated in different phases, than I miss somethink in manuals... 
Regards, Tonino -- ------------------------------------------------------------ Inter@zioni Interazioni di Antonio Nati http://www.interazioni.it tonix@interazioni.it ------------------------------------------------------------ From owner-freebsd-pf@FreeBSD.ORG Sat Jul 21 13:48:53 2012 Return-Path: Delivered-To: freebsd-pf@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 9E689106566B for ; Sat, 21 Jul 2012 13:48:53 +0000 (UTC) (envelope-from tonix@interazioni.it) Received: from mx02.interazioni.net (mx02.interazioni.net [80.94.114.204]) by mx1.freebsd.org (Postfix) with ESMTP id EFA6F8FC0A for ; Sat, 21 Jul 2012 13:48:52 +0000 (UTC) Received: (qmail 26365 invoked by uid 88); 21 Jul 2012 13:48:52 -0000 Received: from unknown (HELO ?82.143.55.19?) (tonix@interazioni.it@82.143.55.19) by relay.interazioni.net with ESMTPA; 21 Jul 2012 13:48:51 -0000 Message-ID: <500AB340.2040405@interazioni.it> Date: Sat, 21 Jul 2012 15:48:48 +0200 From: "Tonix (Antonio Nati)" User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:13.0) Gecko/20120614 Thunderbird/13.0.1 MIME-Version: 1.0 To: Greg Hennessy References: <500826BD.3070602@interazioni.it> <9EB23F6C23A8B6488E8BCC92A48E83264BB4D26F80@PEMEXMBXVS04.jellyfishnet.co.uk.local> In-Reply-To: <9EB23F6C23A8B6488E8BCC92A48E83264BB4D26F80@PEMEXMBXVS04.jellyfishnet.co.uk.local> Content-Type: text/plain; charset=ISO-8859-15; format=flowed Content-Transfer-Encoding: 7bit Cc: "freebsd-pf@freebsd.org" Subject: Re: Question on packet filter using in and out interfaces X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Technical discussion and general questions about packet filter \(pf\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sat, 21 Jul 2012 13:48:53 -0000 Il 20/07/2012 02:44, Greg Hennessy ha scritto: > For PF I would tend to filter in the ingress interface, tag flows passed by 
policy and put a generic pass rule on the egress interface permitting the tagged flow. > > The only exception would be assignment of specific flows for shaping. Please see answer on other thread. If PF evaluates rules all together, there would be no security difference on using IN or OUT rules. Or does PF not evaluates all rules in configuration file in same phase? Regards, Tonino > > > Greg > > >> -----Original Message----- >> From: owner-freebsd-pf@freebsd.org [mailto:owner-freebsd- >> pf@freebsd.org] On Behalf Of Tonix (Antonio Nati) >> Sent: Friday, 20 July 2012 1:25 AM >> To: freebsd-pf@freebsd.org >> Subject: Question on packet filter using in and out interfaces >> >> I have a basic question is on usage of 'in' or 'out' interfaces, on >> practical usage. >> >> I'm having some talks in PFsense mailing list, and I'm saying there is >> no security difference about using rulesets on output interfaces or on >> input interfaces, as PF is evaluating all rules in the same phase. >> >> At the opposite, I'm told all 'in' rules are evaluated first, than there >> is a routing phase, then the 'out' rules are finally evaluated, so it >> is more secure to have only filters on 'in' interfaces. >> >> Which is the real situation? Does really Packet Filter has any security >> advantage having only 'in' rules, or there is no difference on using out >> interface instead of in interface? >> >> All start from consideration that using out interfaces would semplify a >> lot management of complex environments, with interfaces dedicated to >> different customers (one OUT rule on specific interface instead of >> several IN rules on all other interfaces). >> >> Thanks for any clear answer you can give. 
>> >> Regards, >> >> Tonino >> >> >> _______________________________________________ >> freebsd-pf@freebsd.org mailing list >> http://lists.freebsd.org/mailman/listinfo/freebsd-pf >> To unsubscribe, send any mail to "freebsd-pf-unsubscribe@freebsd.org" > -- ------------------------------------------------------------ Inter@zioni Interazioni di Antonio Nati http://www.interazioni.it tonix@interazioni.it ------------------------------------------------------------ From owner-freebsd-pf@FreeBSD.ORG Sat Jul 21 13:58:12 2012 Return-Path: Delivered-To: freebsd-pf@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id C2A4D106564A for ; Sat, 21 Jul 2012 13:58:12 +0000 (UTC) (envelope-from Greg.Hennessy@nviz.net) Received: from mail1.jellyfishnet.co.uk (mail1.jellyfishnet.co.uk [93.91.20.9]) by mx1.freebsd.org (Postfix) with ESMTP id 5913B8FC08 for ; Sat, 21 Jul 2012 13:58:12 +0000 (UTC) Received: from pemexhub01.jellyfishnet.co.uk.local (93.91.20.3) by mail1.jellyfishnet.co.uk (93.91.20.9) with Microsoft SMTP Server (TLS) id 8.1.393.1; Sat, 21 Jul 2012 14:58:05 +0100 Received: from PEMEXMBXVS04.jellyfishnet.co.uk.local ([192.168.65.52]) by pemexhub01.jellyfishnet.co.uk.local ([192.168.65.7]) with mapi; Sat, 21 Jul 2012 14:57:28 +0100 From: Greg Hennessy To: "Tonix (Antonio Nati)" Date: Sat, 21 Jul 2012 14:58:03 +0100 Thread-Topic: Question on packet filter using in and out interfaces Thread-Index: Ac1nR4YZZ4fAzQ/oS1uo0vIqHSqHwwAAByrQ Message-ID: <9EB23F6C23A8B6488E8BCC92A48E83264BB4D27241@PEMEXMBXVS04.jellyfishnet.co.uk.local> References: <500826BD.3070602@interazioni.it> <9EB23F6C23A8B6488E8BCC92A48E83264BB4D26F80@PEMEXMBXVS04.jellyfishnet.co.uk.local> <500AB340.2040405@interazioni.it> In-Reply-To: <500AB340.2040405@interazioni.it> Accept-Language: en-US, en-GB Content-Language: en-US X-MS-Has-Attach: X-MS-TNEF-Correlator: acceptlanguage: en-US, en-GB Content-Type: text/plain; charset="us-ascii" 
Content-Transfer-Encoding: quoted-printable MIME-Version: 1.0 Cc: "freebsd-pf@freebsd.org" Subject: RE: Question on packet filter using in and out interfaces X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Technical discussion and general questions about packet filter \(pf\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sat, 21 Jul 2012 13:58:12 -0000 As I recall there is a diagram out there which detail the packet flow start= ing with the ingress interface. It'll explain what gets evaluated where. Bear in mind the effect of the 'qu= ick' keyword. Something I tend to always use.=20 Regards Greg > -----Original Message----- > From: Tonix (Antonio Nati) [mailto:tonix@interazioni.it] > Sent: Saturday, 21 July 2012 11:49 PM > To: Greg Hennessy > Cc: freebsd-pf@freebsd.org > Subject: Re: Question on packet filter using in and out interfaces >=20 > Il 20/07/2012 02:44, Greg Hennessy ha scritto: > > For PF I would tend to filter in the ingress interface, tag flows passe= d by > policy and put a generic pass rule on the egress interface permitting the > tagged flow. > > > > The only exception would be assignment of specific flows for shaping. >=20 > Please see answer on other thread. If PF evaluates rules all together, > there would be no security difference on using IN or OUT rules. >=20 > Or does PF not evaluates all rules in configuration file in same phase? >=20 > Regards, >=20 > Tonino >=20 > > > > > > Greg > > > > > >> -----Original Message----- > >> From: owner-freebsd-pf@freebsd.org [mailto:owner-freebsd- > >> pf@freebsd.org] On Behalf Of Tonix (Antonio Nati) > >> Sent: Friday, 20 July 2012 1:25 AM > >> To: freebsd-pf@freebsd.org > >> Subject: Question on packet filter using in and out interfaces > >> > >> I have a basic question is on usage of 'in' or 'out' interfaces, on > >> practical usage. 
> >> > >> I'm having some talks in PFsense mailing list, and I'm saying there is > >> no security difference about using rulesets on output interfaces or o= n > >> input interfaces, as PF is evaluating all rules in the same phase. > >> > >> At the opposite, I'm told all 'in' rules are evaluated first, than the= re > >> is a routing phase, then the 'out' rules are finally evaluated, so it > >> is more secure to have only filters on 'in' interfaces. > >> > >> Which is the real situation? Does really Packet Filter has any securit= y > >> advantage having only 'in' rules, or there is no difference on using o= ut > >> interface instead of in interface? > >> > >> All start from consideration that using out interfaces would semplify = a > >> lot management of complex environments, with interfaces dedicated to > >> different customers (one OUT rule on specific interface instead of > >> several IN rules on all other interfaces). > >> > >> Thanks for any clear answer you can give. > >> > >> Regards, > >> > >> Tonino > >> > >> > >> _______________________________________________ > >> freebsd-pf@freebsd.org mailing list > >> http://lists.freebsd.org/mailman/listinfo/freebsd-pf > >> To unsubscribe, send any mail to "freebsd-pf-unsubscribe@freebsd.org" > > >=20 >=20 > -- > ------------------------------------------------------------ > Inter@zioni Interazioni di Antonio Nati > http://www.interazioni.it tonix@interazioni.it > ------------------------------------------------------------ >=20 From owner-freebsd-pf@FreeBSD.ORG Sat Jul 21 15:22:12 2012 Return-Path: Delivered-To: freebsd-pf@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 65B32106564A for ; Sat, 21 Jul 2012 15:22:12 +0000 (UTC) (envelope-from tonix@interazioni.it) Received: from mx02.interazioni.net (mx02.interazioni.net [80.94.114.204]) by mx1.freebsd.org (Postfix) with ESMTP id B82FE8FC0C for ; Sat, 21 Jul 2012 15:22:11 +0000 (UTC) 
Received: (qmail 33522 invoked by uid 88); 21 Jul 2012 15:22:10 -0000 Received: from unknown (HELO ?82.143.55.19?) (tonix@interazioni.it@82.143.55.19) by relay.interazioni.net with ESMTPA; 21 Jul 2012 15:22:10 -0000 Message-ID: <500AC91F.9090907@interazioni.it> Date: Sat, 21 Jul 2012 17:22:07 +0200 From: "Tonix (Antonio Nati)" User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:13.0) Gecko/20120614 Thunderbird/13.0.1 MIME-Version: 1.0 To: Greg Hennessy References: <500826BD.3070602@interazioni.it> <9EB23F6C23A8B6488E8BCC92A48E83264BB4D26F80@PEMEXMBXVS04.jellyfishnet.co.uk.local> <500AB340.2040405@interazioni.it> <9EB23F6C23A8B6488E8BCC92A48E83264BB4D27241@PEMEXMBXVS04.jellyfishnet.co.uk.local> In-Reply-To: <9EB23F6C23A8B6488E8BCC92A48E83264BB4D27241@PEMEXMBXVS04.jellyfishnet.co.uk.local> Content-Type: text/plain; charset=ISO-8859-15; format=flowed Content-Transfer-Encoding: 7bit Cc: "freebsd-pf@freebsd.org" Subject: Re: Question on packet filter using in and out interfaces X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Technical discussion and general questions about packet filter \(pf\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sat, 21 Jul 2012 15:22:12 -0000 If you can provide a link to this PF diagram it would be very useful. Regards, Tonino Il 21/07/2012 15:58, Greg Hennessy ha scritto: > As I recall there is a diagram out there which detail the packet flow starting with the ingress interface. > > It'll explain what gets evaluated where. Bear in mind the effect of the 'quick' keyword. Something I tend to always use. 
> > Regards > > Greg > > >> -----Original Message----- >> From: Tonix (Antonio Nati) [mailto:tonix@interazioni.it] >> Sent: Saturday, 21 July 2012 11:49 PM >> To: Greg Hennessy >> Cc: freebsd-pf@freebsd.org >> Subject: Re: Question on packet filter using in and out interfaces >> >> Il 20/07/2012 02:44, Greg Hennessy ha scritto: >>> For PF I would tend to filter in the ingress interface, tag flows passed by >> policy and put a generic pass rule on the egress interface permitting the >> tagged flow. >>> >>> The only exception would be assignment of specific flows for shaping. >> >> Please see answer on other thread. If PF evaluates rules all together, >> there would be no security difference on using IN or OUT rules. >> >> Or does PF not evaluates all rules in configuration file in same phase? >> >> Regards, >> >> Tonino >> >>> >>> >>> Greg >>> >>> >>>> -----Original Message----- >>>> From: owner-freebsd-pf@freebsd.org [mailto:owner-freebsd- >>>> pf@freebsd.org] On Behalf Of Tonix (Antonio Nati) >>>> Sent: Friday, 20 July 2012 1:25 AM >>>> To: freebsd-pf@freebsd.org >>>> Subject: Question on packet filter using in and out interfaces >>>> >>>> I have a basic question is on usage of 'in' or 'out' interfaces, on >>>> practical usage. >>>> >>>> I'm having some talks in PFsense mailing list, and I'm saying there is >>>> no security difference about using rulesets on output interfaces or on >>>> input interfaces, as PF is evaluating all rules in the same phase. >>>> >>>> At the opposite, I'm told all 'in' rules are evaluated first, than there >>>> is a routing phase, then the 'out' rules are finally evaluated, so it >>>> is more secure to have only filters on 'in' interfaces. >>>> >>>> Which is the real situation? Does really Packet Filter has any security >>>> advantage having only 'in' rules, or there is no difference on using out >>>> interface instead of in interface? 
>>>>
>>>> All starts from the consideration that using out interfaces would simplify a lot the management of complex environments, with interfaces dedicated to different customers (one OUT rule on a specific interface instead of several IN rules on all other interfaces).
>>>>
>>>> Thanks for any clear answer you can give.
>>>>
>>>> Regards,
>>>>
>>>> Tonino

--
Inter@zioni Interazioni di Antonio Nati
http://www.interazioni.it tonix@interazioni.it

From owner-freebsd-pf@FreeBSD.ORG Sat Jul 21 18:25:33 2012
From: Daniel Hartmeier
Date: Sat, 21 Jul 2012 20:23:16 +0200
To: "Tonix (Antonio Nati)"
Cc: Greg Hennessy, "freebsd-pf@freebsd.org"
Subject: Re: Question on packet filter using in and out interfaces
Message-ID: <20120721182316.GA32530@insomnia.benzedrine.cx>
In-Reply-To: <500AC91F.9090907@interazioni.it>

On Sat, Jul 21, 2012 at 05:22:07PM +0200, Tonix (Antonio Nati) wrote:
> If you can provide a link to this PF diagram it would be very useful.

A copy is preserved on http://www.benzedrine.cx/pf_flow.png

Yes, there are two phases.
HTH,
Daniel

From owner-freebsd-pf@FreeBSD.ORG Sat Jul 21 22:18:07 2012
From: Doug Hardie
Date: Sat, 21 Jul 2012 15:06:42 -0700
To: Daniel Hartmeier
Cc: Greg Hennessy, "freebsd-pf@freebsd.org"
Subject: Re: Question on packet filter using in and out interfaces
In-Reply-To: <20120721182316.GA32530@insomnia.benzedrine.cx>

That is a very helpful diagram. There are two aspects that I don't see directly addressed.

1. For packets ultimately delivered to processes on the system pf is running on, I suspect they get to the Kernel Processing box and then are directly delivered to the receiving process. The out phase is not used.

2. For packets redirected to addresses at 127.0.0.1, would they go through the out phase and then back in the in phase and be delivered during the Kernel Processing as above?

On 21 July 2012, at 11:23, Daniel Hartmeier wrote:

> On Sat, Jul 21, 2012 at 05:22:07PM +0200, Tonix (Antonio Nati) wrote:
>
>> If you can provide a link to this PF diagram it would be very useful.
>
> A copy is preserved on http://www.benzedrine.cx/pf_flow.png
>
> Yes, there are two phases.
>
> HTH,
> Daniel
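As an added illustration of the layout Greg describes (filter and tag on the ingress interface, one generic pass on the egress interface) under the two-phase evaluation Daniel confirms, here is a constructed pf.conf fragment; it is not from any poster, and the interface names, networks and ports are assumptions.

```pf
# Constructed example: interface names are assumptions, not from the thread.
ext_if = "em0"      # upstream link
cust_a = "em1"      # customer A segment
cust_b = "em2"      # customer B segment

set skip on lo0
scrub in all

# Default deny. pf is last-match, so this sits first and only loses to
# a later matching rule; 'quick' below stops evaluation at the first hit.
block log all

# Phase 1 ('in' rules, before routing): policy is decided on the ingress
# interface. The matching rule creates state and the state carries the tag.
pass in quick on $cust_a inet proto tcp from $cust_a:network \
    to any port { 80, 443 } keep state tag CUST_A_OK
pass in quick on $cust_b inet proto tcp from $cust_b:network \
    to any port 25 keep state tag CUST_B_OK

# Packets for a process on the firewall itself are delivered after the
# 'in' phase and never reach an 'out' rule, so local services get their
# own 'in' rule here ('self' = all addresses of this host).
pass in quick on { $cust_a, $cust_b } inet proto tcp \
    from any to self port 22 keep state

# Phase 2 ('out' rules, after routing): a generic rule per customer on the
# egress interface passes only what was tagged on ingress. Anything that
# slipped past the 'in' phase untagged is still blocked here.
pass out quick on $ext_if tagged CUST_A_OK
pass out quick on $ext_if tagged CUST_B_OK
```

Load it with `pfctl -nf` first to syntax-check without activating it; `pfctl -vsr` then shows the per-rule evaluation and match counters, which is the quickest way to see which phase actually passed a given flow.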