From: Greg Hennessy
To: "Tonix (Antonio Nati)", freebsd-pf@freebsd.org
Date: Fri, 20 Jul 2012 01:44:23 +0100
Subject: RE: Question on packet filter using in and out interfaces
Message-ID: <9EB23F6C23A8B6488E8BCC92A48E83264BB4D26F80@PEMEXMBXVS04.jellyfishnet.co.uk.local>
In-Reply-To: <500826BD.3070602@interazioni.it>
List-Id: "Technical discussion and general questions about packet filter (pf)"

For PF I would tend to filter on the ingress interface, tag flows passed by policy and put a generic pass rule on the egress interface permitting the tagged flow.

The only exception would be assignment of specific flows for shaping.

Greg

> -----Original Message-----
> From: owner-freebsd-pf@freebsd.org [mailto:owner-freebsd-pf@freebsd.org] On Behalf Of Tonix (Antonio Nati)
> Sent: Friday, 20 July 2012 1:25 AM
> To: freebsd-pf@freebsd.org
> Subject: Question on packet filter using in and out interfaces
>
> I have a basic question on the usage of 'in' or 'out' interfaces, in practical usage.
>
> I'm having some talks on the pfSense mailing list, and I'm saying there is no security difference between using rulesets on output interfaces or on input interfaces, as PF is evaluating all rules in the same phase.
>
> On the contrary, I'm told all 'in' rules are evaluated first, then there is a routing phase, then the 'out' rules are finally evaluated, so it is more secure to have filters only on 'in' interfaces.
>
> Which is the real situation? Does Packet Filter really have any security advantage in having only 'in' rules, or is there no difference between using the out interface instead of the in interface?
>
> All this starts from the consideration that using out interfaces would simplify a lot the management of complex environments, with interfaces dedicated to different customers (one OUT rule on a specific interface instead of several IN rules on all other interfaces).
>
> Thanks for any clear answer you can give.
>
> Regards,
>
> Tonino
>
>
> _______________________________________________
> freebsd-pf@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-pf
> To unsubscribe, send any mail to "freebsd-pf-unsubscribe@freebsd.org"
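An added example of the layout Greg describes, not code from the mail or from the pf project: a pf.conf fragment that filters and tags on the ingress interfaces and passes only already-tagged flows on egress, with the shaping exception handled by one narrower egress rule. Interface names, prefixes and queue names are assumed; it also pins the state policy to if-bound, because with the default floating policy the state created on ingress would match the flow on the egress interface before any out rule is evaluated.

```pf
# Added example, not from the original mail. Interface names, networks and
# queue names are assumed for illustration.
ext_if = "em0"                 # upstream
cust_a = "em1"                 # customer A's interface
cust_b = "em2"                 # customer B's interface
net_a  = "192.0.2.0/24"        # constructed example prefix
net_b  = "198.51.100.0/24"     # constructed example prefix

# With the default floating state policy, the state created by an ingress
# rule also matches the same flow on the egress interface and the "pass out"
# rules below are never consulted for it. if-bound states make every
# interface crossing go through the ruleset, so the tag check is enforced.
set state-policy if-bound
set skip on lo0

# Queueing (must precede filter rules); ALTQ needs kernel support.
altq on $ext_if cbq bandwidth 100Mb queue { q_std, q_bulk }
queue q_std  bandwidth 80% cbq(default)
queue q_bulk bandwidth 20%

# Default deny on every interface, in both directions.
block log all

# Policy lives on the ingress interface only; each pass rule tags the flow.
pass in on $cust_a inet proto tcp from $net_a to any port { 80, 443 } tag FROM_A
pass in on $cust_b inet proto tcp from $net_b to any port { 80, 443 } tag FROM_B
pass in on $ext_if inet proto tcp from any to $net_a port 25 tag TO_A

# Egress carries no policy: a generic rule per interface passes whatever an
# ingress rule already tagged; anything untagged falls through to the block.
pass out on $ext_if tagged FROM_A
pass out on $ext_if tagged FROM_B
pass out on $cust_a tagged TO_A

# The one exception in the reply: shaping is decided on egress. Last matching
# rule wins, so this narrower rule assigns customer B's HTTPS to q_bulk.
pass out on $ext_if inet proto tcp from $net_b to any port 443 tagged FROM_B queue q_bulk
```

Check the result with `pfctl -nf /etc/pf.conf` before loading, and `pfctl -ss` afterwards shows one state per interface crossing, which is what makes the egress tag check visible.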