From: Aristedes Maniatis
To: Jason Tubnor
Cc: freebsd-stable
Subject: Re: pf best practices: in or out
Date: Mon, 25 Jun 2018 17:19:26 +1000

Thanks Jason,

So in essence, you'd just control everything on the 'pass in'.

I'm assuming all traffic originating from the local machine is still
hitting a pass in rule on some interface corresponding to the source IP
address?

DNAT is working fine for me in pf, although I understand it is named
rdr.

What is the use case for using pass out rules instead of pass in rules?

Cheers
Ari

On 25/6/18 4:55pm, Jason Tubnor wrote:
> Hi Ari,
>
> In most cases, block all and then perform conditional pass in on
> traffic. Depending on your requirements you would conclude your rules
> with explicit pass out or just a general pass out 'all' (the former in
> the newer syntax of PF allows you to control queues, operational tags
> etc - but that won't help you with the current implementation of PF in
> FreeBSD).
>
> DNAT isn't a thing in PF (I assume you were looking at how you'd do it
> if you were coming from Linux). Incoming will manipulate where required
> when rdr etc. Only outbound needs NAT binding.
>
> Cheers,
>
> Jason.
>
> On 25 June 2018 at 14:12, Aristedes Maniatis wrote:
>> Hi all
>>
>> pf has rules that can operate either 'in' or 'out'. That is, on
>> traffic entering or leaving an interface. I'm trying to consolidate
>> my rules to make them easier to understand and update, so it seems a
>> bit pointless to have the same rules twice.
>>
>> Are there any best practices on whether it makes more sense to put
>> rules on the in or out side? I could bind all the rules to the
>> internet facing interface and then use "in" for inbound traffic and
>> "out" for outbound. Does that make sense? Does it make any difference
>> from a performance point of view?
>>
>> Secondly, where do DNAT rules execute in the sequence? Do they change
>> the destination IP in between the in and out pass pf rules?
>>
>> I'm not currently subscribed here, so please cc me on replies.
>>
>> Thanks
>>
>> Ari
>
> --
> "If my calculations are correct, when this baby hits 88MPH, you're
> gonna see some serious shit" - Emmett "Doc" Brown
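The layout Jason describes (block everything, conditional pass in per interface, a single general pass out, and rdr rather than a "DNAT" rule) as a complete pf.conf for a small FreeBSD router. This is an added example, not a configuration posted in the thread; the interface names em0/em1, the 192.168.1.0/24 LAN, the web server at 192.168.1.10 and the exposed SSH port are all assumptions chosen for illustration. It uses the older rdr/nat syntax that FreeBSD's pf had at the time of the thread, not the newer OpenBSD match/nat-to form Jason mentions.

```pf
# Added example pf.conf (not from the thread). Interfaces, networks and
# the forwarded web server are assumed values for illustration only.
ext_if  = "em0"
int_if  = "em1"
lan_net = "192.168.1.0/24"
web_srv = "192.168.1.10"

set skip on lo0
scrub in all

# Translation rules are evaluated before filter rules, so every filter
# rule below sees the already-translated addresses.  Outbound LAN
# traffic is source-NATed to the external address; inbound port 80 is
# redirected (rdr, pf's equivalent of DNAT) to the internal web server.
nat on $ext_if from $lan_net to any -> ($ext_if)
rdr on $ext_if proto tcp from any to ($ext_if) port 80 -> $web_srv port 80

# Default deny with logging, then control everything on "pass in".
block log all

# One general pass out.  This is also the only rule that traffic
# originated by the firewall itself traverses: locally generated
# packets are filtered in the out direction on the egress interface
# and never match a "pass in" rule.
pass out all keep state

# Inbound from the LAN: let the network behind the router reach out.
pass in on $int_if from $lan_net to any keep state

# Inbound from the Internet.  Because rdr already rewrote the
# destination, this rule must match the internal server address, not
# the external one.
pass in on $ext_if proto tcp from any to $web_srv port 80 \
    flags S/SA keep state

# Administrative access to the router itself and basic diagnostics.
pass in on $ext_if proto tcp from any to ($ext_if) port 22 \
    flags S/SA keep state
pass in on $ext_if inet proto icmp icmptype echoreq keep state
```

Load it with `pfctl -nf /etc/pf.conf` first to syntax-check, then `pfctl -f /etc/pf.conf`; `pfctl -sn` lists the translation rules and `pfctl -sr` the filter rules in the order pf will evaluate them. Keeping the deny default and all conditional logic on the in side means each allowed flow appears exactly once, which is the consolidation Ari was after; putting the same conditions on both in and out of the same interface only doubles the rule set without tightening anything, since state created by the pass in rule already permits the reply and the forwarded packets.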