Date:      Mon, 25 Jun 2018 14:12:43 +1000
From:      Aristedes Maniatis <ari@ish.com.au>
To:        freebsd-stable <freebsd-stable@freebsd.org>
Subject:   pf best practices: in or out
Message-ID:  <1a730ca1-8c9e-9a9b-72e5-696fb92c8e49@ish.com.au>

Hi all

pf has rules that can operate either 'in' or 'out'. That is, on traffic 
entering or leaving an interface. I'm trying to consolidate my rules to 
make them easier to understand and update, so it seems a bit pointless 
to have the same rules twice.

Are there any best practices on whether it makes more sense to put rules 
on the in or out side? I could bind all the rules to the internet facing 
interface and then use "in" for inbound traffic and "out" for outbound. 
Does that make sense? Does it make any difference from a performance 
point of view?

Secondly, where do DNAT rules execute in the sequence? Do they change 
the destination IP in between the in and out pass pf rules?


I'm not currently subscribed here, so please cc me on replies.

Thanks

Ari
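Added example, not part of Ari's message or of any reply in the thread: a pf.conf fragment in the pre-OpenBSD-4.7 syntax FreeBSD's pf uses, written to illustrate the two questions asked above (all filtering bound to the internet-facing interface with "in"/"out", and where rdr sits relative to the filter rules). The interface names em0/em1, the LAN prefix and the web server address are assumptions; replace them with your own.

```conf
# Added illustration, not the original poster's configuration.
# Assumed names and addresses:
ext_if  = "em0"                # internet-facing interface (assumed)
int_if  = "em1"                # LAN interface (assumed)
lan_net = "192.168.1.0/24"     # assumed RFC 1918 LAN
web_srv = "192.168.1.10"       # assumed internal web server

set skip on lo0
# floating is the default: a state created by a rule on one interface is
# matched on any other interface the same connection crosses, and a state
# match is checked BEFORE any rule is evaluated. That is what lets every
# filter rule live on $ext_if only; the second interface is handled by
# the state entry, not by a second copy of the rule.
set state-policy floating

# Translation section. Translation rules are evaluated before filter
# rules, so the filter rules see the packet AFTER translation.
nat on $ext_if from $lan_net to any -> ($ext_if)
rdr on $ext_if proto tcp from any to ($ext_if) port 80 -> $web_srv port 80

# The LAN side is deliberately open: rules are evaluated once per packet
# per interface, so if a packet arriving on $int_if were blocked there it
# would never reach the $ext_if rules below. "no state" keeps policy (and
# state creation) on $ext_if, where the "out" rule below will see it.
pass quick on $int_if all no state

# Default deny on the internet-facing interface, both directions.
block log on $ext_if all

# "in"  = packets arriving from the internet on $ext_if
# "out" = packets leaving towards the internet on $ext_if
# pass is stateful by default (keep state), so the reply packets and the
# forwarded copy on $int_if are admitted by the state entry.

# Because rdr already rewrote the destination, this rule must name the
# internal address ($web_srv), not the public one.
pass in on $ext_if proto tcp from any to $web_srv port 80
pass in on $ext_if inet proto icmp icmp-type echoreq

# Likewise nat has already rewritten the source of LAN traffic to the
# external address, so "from $lan_net" would never match here.
pass out on $ext_if from ($ext_if) to any
```

Load it with `pfctl -nf /etc/pf.conf` first (parse only) and inspect the resulting rule order with `pfctl -sr` and `pfctl -sn`; the translation rules print separately from the filter rules, which mirrors the order in which pf applies them.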