From: "Tonix (Antonio Nati)" <tonix@interazioni.it>
Date: Mon, 23 Jul 2012 11:37:27 +0200
To: Daniel Hartmeier, freebsd-pf@freebsd.org
Subject: Re: Question on packet filter using in and out interfaces

On 21/07/2012 20:23, Daniel Hartmeier wrote:
> On Sat, Jul 21, 2012 at 05:22:07PM +0200, Tonix (Antonio Nati) wrote:
>
>> If you can provide a link to this PF diagram it would be very useful.
>
> A copy is preserved on http://www.benzedrine.cx/pf_flow.png
>
> Yes, there are two phases.
>
> HTH,
> Daniel

Daniel, thanks for pointing at the diagram.

What is not clear to me is related to in/out rules evaluation. The diagram obviously starts from the packet entering the system and ends when the packet exits the system.

When the packet enters the system, which rules are evaluated? All rules related to the interface, both for IN and OUT? Or only IN?

The PF manual says all rules in pf.conf are evaluated, so I suppose all rules applying to that interface are evaluated... or are only IN rules evaluated in this first step, and only OUT rules in the second step?

Sorry, but I'm missing some key points.

Regards,

Tonino

--
Inter@zioni Interazioni di Antonio Nati
http://www.interazioni.it
tonix@interazioni.it
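A minimal pf.conf that illustrates the two phases the diagram shows, added here as an example and not part of the original thread; the interface names em0/em1 and the 192.0.2.0/24 network are assumed.

```pf
# Constructed example: a router with em0 facing the Internet and em1 facing a LAN.
ext_if = "em0"
int_if = "em1"
lan    = "192.0.2.0/24"        # documentation prefix used as a placeholder

set skip on lo0
block log all                   # default deny in both directions on every interface

# Phase 1 (packet arriving): only rules with direction "in" on the arrival
# interface are candidates. A LAN host's outgoing TCP connection is first seen
# here, coming in on $int_if. Rules are tried top to bottom; the last match
# wins unless a rule says "quick".
pass in on $int_if inet proto tcp from $lan to any port { 80 443 } keep state

# Phase 2 (packet leaving): only rules with direction "out" on the egress
# interface are candidates. Because the rule above created a (floating) state,
# the same packet is matched by that state on its way out of $ext_if and the
# "out" rules are not consulted for it at all. This rule therefore only
# governs traffic the router itself originates, such as its own DNS queries.
pass out on $ext_if inet proto udp from ($ext_if) to any port 53 keep state

# A rule with no direction and no interface is a candidate in both phases.
pass proto icmp icmp-type echoreq keep state
```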