From: Jason Tubnor
Date: Mon, 25 Jun 2018 16:55:57 +1000
Subject: Re: pf best practices: in or out
To: Aristedes Maniatis
Cc: freebsd-stable
In-Reply-To: <1a730ca1-8c9e-9a9b-72e5-696fb92c8e49@ish.com.au>

Hi Ari,

In most cases, block all and then perform conditional pass in on traffic. Depending on your requirements you would conclude your rules with an explicit pass out or just a general pass out 'all' (the former in the newer syntax of PF allows you to control queues, operational tags etc - but that won't help you with the current implementation of PF in FreeBSD).

DNAT isn't a thing in PF (I assume you were looking at how you'd do it if you were coming from Linux). Incoming traffic will be manipulated where required when rdr etc. is used. Only outbound needs NAT binding.

Cheers,

Jason.

On 25 June 2018 at 14:12, Aristedes Maniatis wrote:
> Hi all
>
> pf has rules that can operate either 'in' or 'out'. That is, on traffic
> entering or leaving an interface. I'm trying to consolidate my rules to
> make them easier to understand and update, so it seems a bit pointless to
> have the same rules twice.
>
> Are there any best practices on whether it makes more sense to put rules
> on the in or out side? I could bind all the rules to the internet facing
> interface and then use "in" for inbound traffic and "out" for outbound.
> Does that make sense? Does it make any difference from a performance point
> of view?
>
> Secondly, where do DNAT rules execute in the sequence? Do they change the
> destination IP in between the in and out pass pf rules?
>
> I'm not currently subscribed here, so please cc me on replies.
>
> Thanks
>
> Ari
>
> _______________________________________________
> freebsd-stable@freebsd.org mailing list
> https://lists.freebsd.org/mailman/listinfo/freebsd-stable
> To unsubscribe, send any mail to "freebsd-stable-unsubscribe@freebsd.org"

--
"If my calculations are correct, when this baby hits 88MPH, you're gonna see some serious shit" - Emmett "Doc" Brown
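The rule layout Jason describes (default block, explicit pass in on the external interface, a general pass out, rdr for inbound redirection and nat only for outbound), written out as a complete pf.conf. This is an added example for this thread, not a file posted by either participant; the interface names em0/em1, the 192.168.1.0/24 network and the 192.168.1.10 web host are assumed. It uses the nat/rdr syntax that FreeBSD's pf carries (translation rules are separate from filter rules and must come before them), not the OpenBSD match ... rdr-to form Jason refers to as the newer syntax.

```pf
# Added example: FreeBSD pf.conf with the block-all / pass-in / pass-out layout.
# Interface names, addresses and the redirected host are assumptions.
ext_if  = "em0"
int_if  = "em1"
int_net = "192.168.1.0/24"
web_srv = "192.168.1.10"

set skip on lo0
scrub in all

# Translation first. In FreeBSD's pf these are applied before filtering,
# so the filter rules below see the translated (post-rdr) destination.
# Only outbound traffic needs a nat binding; inbound is handled by rdr.
nat on $ext_if from $int_net to any -> ($ext_if)
rdr on $ext_if proto tcp from any to ($ext_if) port 80 -> $web_srv

# Default deny on every interface, logged so drops are visible in pflog0.
block log all

# Drop packets claiming an internal source address on the wrong interface.
antispoof quick for $int_if

# Inbound: only what is explicitly allowed. 'quick' stops evaluation at the
# first match; without it pf takes the last matching rule.
pass in quick on $ext_if proto tcp to ($ext_if) port 22 keep state
# rdr already rewrote the destination, so match the internal host, not $ext_if.
pass in quick on $ext_if proto tcp to $web_srv port 80 keep state
# LAN clients may initiate anything; state covers the return path.
pass in quick on $int_if from $int_net to any keep state

# Outbound: the general pass out Jason mentions. State created here or by
# the pass in rules (floating by default) carries the reply traffic.
pass out all keep state
```

Check the syntax before loading with `pfctl -nf /etc/pf.conf`, then load with `pfctl -f /etc/pf.conf`; `pfctl -sn` and `pfctl -sr` show the translation and filter rules as pf parsed them, which is the quickest way to confirm that the rdr rule is in place ahead of the filter rules and that the pass rule for the redirected service is written against the internal address.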