Date:      Mon, 25 Jun 2018 17:19:26 +1000
From:      Aristedes Maniatis <ari@ish.com.au>
To:        Jason Tubnor <jason@tubnor.net>
Cc:        freebsd-stable <freebsd-stable@freebsd.org>
Subject:   Re: pf best practices: in or out
Message-ID:  <d218fbed-09c2-0715-643f-0772956a501c@ish.com.au>
In-Reply-To: <CACLnyCLmwxGotsahEPfaVZGuEXNe0CdVeJRdXscYFU=1tkk7Jw@mail.gmail.com>
References:  <1a730ca1-8c9e-9a9b-72e5-696fb92c8e49@ish.com.au> <CACLnyCLmwxGotsahEPfaVZGuEXNe0CdVeJRdXscYFU=1tkk7Jw@mail.gmail.com>

Thanks Jason,

So in essence, you'd just control everything on the 'pass in'. I'm 
assuming all traffic originating from the local machine is still hitting 
a pass in rule on some interface corresponding to the source IP address?

DNAT is working fine for me in pf, although I understand it is named rdr.


What is the use case for using pass out rules instead of pass in rules?

Cheers

Ari

On 25/6/18 4:55pm, Jason Tubnor wrote:
> Hi Ari,
>
> In most cases, block all and then perform conditional pass in on 
> traffic.  Depending on your requirements you would conclude your rules 
> with explicit pass out or just a general pass out 'all' (the former in 
> the newer syntax of PF allows you to control queues, operational tags 
> etc - but that won't help you with the current implementation of PF in 
> FreeBSD).
>
> DNAT isn't a thing in PF (I assume you were looking how you'd do it if 
> you were coming from Linux).  Incoming will manipulate where required 
> when rdr etc. Only outbound needs NAT binding.
>
> Cheers,
>
> Jason.
>
> On 25 June 2018 at 14:12, Aristedes Maniatis <ari@ish.com.au 
> <mailto:ari@ish.com.au>> wrote:
>
>     Hi all
>
>     pf has rules that can operate either 'in' or 'out'. That is, on
>     traffic entering or leaving an interface. I'm trying to
>     consolidate my rules to make them easier to understand and update,
>     so it seems a bit pointless to have the same rules twice.
>
>     Are there any best practices on whether it makes more sense to put
>     rules on the in or out side? I could bind all the rules to the
>     internet facing interface and then use "in" for inbound traffic
>     and "out" for outbound. Does that make sense? Does it make any
>     difference from a performance point of view?
>
>     Secondly, where do DNAT rules execute in the sequence? Do they
>     change the destination IP in between the in and out pass pf rules?
>
>
>     I'm not currently subscribed here, so please cc me on replies.
>
>     Thanks
>
>     Ari
>
>
>
> -- 
> "If my calculations are correct, when this baby hits 88MPH, you're 
> gonna see some serious shit" - Emmett "Doc" Brown
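The ruleset shape Jason describes (block everything, admit inbound services one by one on "pass in", finish with a general "pass out"), written out as an added example for FreeBSD pf; this is not from the thread. Interface names and addresses are constructed placeholders.

```pf
# Added example, not from the thread: a FreeBSD pf.conf in the
# "block all, pass in selectively, pass out all" shape.
# Interface names and addresses are constructed placeholders.
ext_if  = "em0"
int_if  = "em1"
lan_net = "192.168.10.0/24"
web_srv = "192.168.10.80"

set skip on lo0
scrub in all

# Translation rules (nat/rdr) are evaluated before the filter rules,
# so the filter rules below already see the rewritten addresses.
# Outbound source NAT for the LAN (Linux SNAT/MASQUERADE equivalent):
nat on $ext_if from $lan_net to any -> ($ext_if)
# Inbound redirection (what Linux calls DNAT): public port 80 -> web server.
rdr on $ext_if proto tcp from any to ($ext_if) port 80 -> $web_srv port 80

# Default deny in both directions; "log" makes every drop visible on pflog0.
block log all

# Inbound policy lives on "pass in": each service admitted once, on the
# interface where the packet arrives. Because rdr already ran, the web
# rule must match the internal (post-rdr) destination, not ($ext_if).
pass in on $ext_if proto tcp from any to $web_srv   port 80
pass in on $ext_if proto tcp from any to ($ext_if) port 22
pass in on $int_if from $lan_net to any

# Packets generated by the firewall itself never traverse a "pass in"
# rule: they are evaluated only in the out direction on the egress
# interface. This single "pass out" is what lets the host reach DNS,
# package mirrors, etc. State is kept by default, so replies are admitted.
pass out all
```

Check the file with `pfctl -nf /etc/pf.conf` before loading it, and watch the effect of `block log all` with `tcpdump -n -e -ttt -i pflog0`.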