From: Aristedes Maniatis
To: freebsd-stable
Subject: pf best practices: in or out
Date: Mon, 25 Jun 2018 14:12:43 +1000
Message-ID: <1a730ca1-8c9e-9a9b-72e5-696fb92c8e49@ish.com.au>

Hi all,

pf has rules that can operate either 'in' or 'out'. That is, on traffic entering or leaving an interface. I'm trying to consolidate my rules to make them easier to understand and update, so it seems a bit pointless to have the same rules twice.
Are there any best practices on whether it makes more sense to put rules on the in or out side? I could bind all the rules to the internet facing interface and then use "in" for inbound traffic and "out" for outbound. Does that make sense? Does it make any difference from a performance point of view?

Secondly, where do DNAT rules execute in the sequence? Do they change the destination IP in between the in and out pass pf rules?

I'm not currently subscribed here, so please cc me on replies.

Thanks
Ari
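One way to lay out pf.conf along the lines asked about above, with all policy on the internet-facing interface filtered in and out, and translation (nat/rdr) running before the filter rules. This is an added example, not from the original post or from any reply; the interface names and addresses are assumptions, and the syntax is the pre-OpenBSD-4.7 style that FreeBSD's pf uses:

```pf
# Assumed interface names and addresses (constructed for this example).
ext_if  = "em0"
int_if  = "em1"
lan_net = "192.168.1.0/24"
web_srv = "192.168.1.10"

# Keep all policy on the internet-facing interface: the LAN side is not
# filtered at all, so no rule has to be written a second time for $int_if.
set skip on { lo0 $int_if }

# Translation rules are evaluated before filter rules. rdr applies to
# packets arriving on $ext_if, nat to packets leaving it, and in both
# cases the filter rules below see the packet AFTER it has been rewritten.
nat on $ext_if inet from $lan_net to any -> ($ext_if)
rdr on $ext_if inet proto tcp from any to ($ext_if) port 80 -> $web_srv port 80

# Default deny in both directions on the external interface.
block in  log on $ext_if
block out log on $ext_if

# Inbound: the rdr above has already changed the destination, so the pass
# rule must match the internal server address, not ($ext_if).
pass in on $ext_if inet proto tcp from any to $web_srv port 80 \
    flags S/SA keep state

# Outbound: the nat above has already changed the source, so the pass rule
# matches the external address. 'keep state' admits the replies, so no
# mirrored 'pass in' rule is needed for return traffic.
pass out on $ext_if inet proto { tcp udp icmp } from ($ext_if) to any \
    keep state
```

Load it with `pfctl -nf /etc/pf.conf` first to syntax-check, then `pfctl -f /etc/pf.conf`; `pfctl -sr` and `pfctl -sn` show the filter and translation rule sets separately, which makes the evaluation order visible.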