Date:      Mon, 25 Jun 2018 16:55:57 +1000
From:      Jason Tubnor <jason@tubnor.net>
To:        Aristedes Maniatis <ari@ish.com.au>
Cc:        freebsd-stable <freebsd-stable@freebsd.org>
Subject:   Re: pf best practices: in or out
Message-ID:  <CACLnyCLmwxGotsahEPfaVZGuEXNe0CdVeJRdXscYFU=1tkk7Jw@mail.gmail.com>
In-Reply-To: <1a730ca1-8c9e-9a9b-72e5-696fb92c8e49@ish.com.au>
References:  <1a730ca1-8c9e-9a9b-72e5-696fb92c8e49@ish.com.au>

Hi Ari,

In most cases, block all and then perform conditional pass in on traffic.
Depending on your requirements you would conclude your rules with explicit
pass out or just a general pass out 'all' (the former in the newer syntax
of PF allows you to control queues, operational tags etc - but that won't
help you with the current implementation of PF in FreeBSD).

DNAT isn't a thing in PF (I assume you were looking at how you'd do it if you
were coming from Linux).  Incoming will manipulate where required when rdr
etc. Only outbound needs NAT binding.

Cheers,

Jason.

On 25 June 2018 at 14:12, Aristedes Maniatis <ari@ish.com.au> wrote:

> Hi all
>
> pf has rules that can operate either 'in' or 'out'. That is, on traffic
> entering or leaving an interface. I'm trying to consolidate my rules to
> make them easier to understand and update, so it seems a bit pointless to
> have the same rules twice.
>
> Are there any best practices on whether it makes more sense to put rules
> on the in or out side? I could bind all the rules to the internet facing
> interface and then use "in" for inbound traffic and "out" for outbound.
> Does that make sense? Does it make any difference from a performance point
> of view?
>
> Secondly, where do DNAT rules execute in the sequence? Do they change the
> destination IP in between the in and out pass pf rules?
>
>
> I'm not currently subscribed here, so please cc me on replies.
>
> Thanks
>
> Ari
>
-- 
"If my calculations are correct, when this baby hits 88MPH, you're gonna to
see some serious shit" - Emmett "Doc" Brown
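An added example, not from Jason's reply or from the FreeBSD project: a pf.conf skeleton laid out the way the reply describes (translation rules first, default block, conditional pass in, a general pass out), using the older nat/rdr syntax that FreeBSD's pf has rather than the newer match/nat-to syntax. Interface names, networks and the internal web host are assumed placeholders.

```pf
# Added example: macros are assumed values, adjust to your own setup.
ext_if  = "em0"
int_if  = "em1"
int_net = "192.168.1.0/24"
web_srv = "192.168.1.10"        # assumed internal host reached via rdr

set skip on lo0
scrub in all

# Translation rules are evaluated before the filter rules, and the filter
# rules see the translated packet.

# Outbound: the only place a NAT binding is needed.
nat on $ext_if from $int_net to any -> ($ext_if)

# Inbound: rdr is pf's counterpart to Linux "DNAT". The destination is
# rewritten before filtering, so the matching pass rule below names the
# internal address ($web_srv), not the external one.
rdr on $ext_if proto tcp from any to ($ext_if) port 80 -> $web_srv port 80

# Default deny, then conditional pass in per service.
block all
pass in on $ext_if proto tcp from any to $web_srv port 80 flags S/SA keep state
pass in on $ext_if proto tcp from any to ($ext_if) port 22 flags S/SA keep state
pass in on $int_if from $int_net to any keep state

# Conclude with a general pass out; state created here handles the replies.
pass out all keep state
```

Check the syntax without loading it using `pfctl -nf /etc/pf.conf`, then load with `pfctl -f /etc/pf.conf`.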