From owner-freebsd-pf@FreeBSD.ORG Thu Jul 19 16:45:31 2012
From: Hooman Fazaeli <hoomanfazaeli@gmail.com>
Date: Thu, 19 Jul 2012 21:21:14 +0430
To: "Tonix (Antonio Nati)"
Cc: freebsd-pf@freebsd.org
Subject: Re: Question on packet filter using in and out interfaces
Message-ID: <50083B02.6080707@gmail.com>
In-Reply-To: <500826BD.3070602@interazioni.it>
List-Id: "Technical discussion and general questions about packet filter (pf)"

On 7/19/2012 7:54 PM, Tonix (Antonio Nati) wrote:
>
> Which is the real situation? Does Packet Filter really have any security advantage in having only 'in' rules, or is there no difference in using the out interface instead of the in interface?
>
> It all starts from the consideration that using out interfaces would greatly simplify the management of complex environments, with interfaces dedicated to different customers (one OUT rule on a specific interface instead of several IN rules on all other interfaces).
>

- Regardless of type, a firewall must be able to perform filtering in both IN and OUT directions. For instance, consider a firewall acting as an IPSec gateway. The traffic comes IN encrypted. Here, you have the chance to filter traffic based on the external tunnel addresses. Then the firewall decrypts the traffic and forwards it to the Internet. Here you have the opportunity to filter based on the internal packet headers and plain-text content.

- IN may be preferred if a specific set of packets can be blocked on both IN and OUT. All the CPU cycles allocated to forwarding are wasted if you postpone blocking until packets reach the OUT level. This, for instance, makes the firewall less tolerant to DoS attacks.
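The pf.conf fragment below is an added illustration of the two points in this reply and is not part of the thread; interface names, the customer networks and the `<deny_src>` table contents are constructed. It places the "drop as early as possible" rule on IN at the upstream interface, and shows the one-OUT-rule-per-customer-interface layout the question proposes. One caveat not raised in the thread: pf looks up the state table before evaluating rules, and with the default floating state policy a state created by a `pass in ... keep state` on one interface also matches the same packet on its way OUT of another interface, so an OUT rule there would never be reached. `set state-policy if-bound` is used here so that the OUT rules are actually evaluated, which in turn requires explicit `pass out` rules per interface.

```pf
# Constructed interface names; substitute the real ones.
ext_if    = "em0"   # upstream / Internet
cust_a_if = "em1"   # customer A segment
cust_b_if = "em2"   # customer B segment

# Constructed sample of source ranges the operator refuses outright.
table <deny_src> persist { 198.51.100.0/24, 203.0.113.7 }

set skip on lo0
# Bind states to the interface they were created on. Without this, a
# floating state created on IN would let the packet bypass the OUT rules
# below on its way out of the customer interface.
set state-policy if-bound

block log all

# Point 2 of the reply: drop unwanted sources on IN at the ingress
# interface, with "quick", before any forwarding work is spent on them.
block in quick log on $ext_if from <deny_src>

# The question's layout: customer isolation expressed once, as an OUT
# rule on each customer-facing interface, instead of an IN rule on every
# other interface. A matching packet has already been forwarded by the
# time it is discarded here.
block out quick log on $cust_a_if from $cust_b_if:network
block out quick log on $cust_b_if from $cust_a_if:network

# Stateful policy on IN where traffic enters each interface.
pass in on $ext_if proto tcp to $cust_a_if:network port { 80, 443 } flags S/SA keep state
pass in on $cust_a_if from $cust_a_if:network keep state
pass in on $cust_b_if from $cust_b_if:network keep state

# With if-bound states every egress interface needs its own pass out;
# the OUT isolation rules above are "quick" and therefore win first.
pass out on { $ext_if, $cust_a_if, $cust_b_if } keep state
```

Load it with `pfctl -nf /etc/pf.conf` first to syntax-check, then `pfctl -f /etc/pf.conf`; `pfctl -vsr` shows per-rule evaluation and match counters, which makes it easy to confirm that flood traffic from `<deny_src>` is being counted on the IN rule and never reaches the OUT rules.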