Date: Wed, 16 May 2007 21:01:40 +0100
From: "Greg Hennessy" <Greg.Hennessy@nviz.net>
To: "'Tom Judge'" <tom@tomjudge.com>, <freebsd-pf@freebsd.org>
Subject: RE: Packet Path Through PF (onec for each interface?)
Message-ID: <000f01c797f5$04a5b9a0$0df12ce0$@Hennessy@nviz.net>
In-Reply-To: <464B487C.1050301@tomjudge.com>
References: <464B487C.1050301@tomjudge.com>
> > Does a packet being routed from em0 to em1 pass through PF twice?
>

PF does both ingress and egress filtering, this explains it far better than I could.

http://homepage.mac.com/quension/pf/flow.png

> > pass in quick on em0 proto tcp from 172.31.0.0/24 to 172.31.1.0/24 port 22 keep state
> > pass out quick on em1 proto tcp from 172.31.0.0/24 to 172.31.1.0/24 port 22 keep state
> >
> > block in log inet from any to any
> > block out log inet from any to any
> >
> > In the second rule this indicates that the packet passes through PF once
> > for each interface that it passes through, is this correct?
>

A filtering rule without direction will match both ingress and egress flows.

A PF policy will block by default if the 1st rule is:

block log all

One way of minimising the number of rules required is to use a tagged generic egress rule on each interface, e.g.

pass in quick on int1 $TCP .... $KSF tag outbound
pass in quick on int2 $TCP .... $KSF tag outbound
. . . . . .
pass out quick on int3 .... $KSF tagged outbound

where

KSF="keep state flags S/SA"
TCP="inet proto tcp"

Greg
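Below is a complete pf.conf that applies the tagging idea from the reply above, written as an added example for this archive page; it is not Greg's or Tom's configuration. The interface names em0/em1/em2, the role of each interface, the 172.31.x.0/24 networks and the allowed services are assumptions chosen to line up with the rules quoted in the thread. It shows the per-interface "pass out" rules that the tag approach replaces, the ingress rules that tag, and the one generic "tagged" egress rule per interface.

```pf
# Added example, not from the thread. Three-interface FreeBSD router:
# em0 = external, em1 = LAN (172.31.0.0/24), em2 = DMZ (172.31.1.0/24).
# All names and networks are assumptions.

ext_if = "em0"
lan_if = "em1"
dmz_if = "em2"

lan_net = "172.31.0.0/24"
dmz_net = "172.31.1.0/24"

# Create state on the initial SYN only (flags S/SA is valid on tcp rules only).
KSF = "keep state flags S/SA"
TCP = "inet proto tcp"

# Assumed for this example: bind states to the interface that created them, so
# the outbound leg on the egress interface is evaluated against the ruleset
# rather than matched by the ingress state.
set state-policy if-bound
set skip on lo0

# Default deny, both directions, every interface. It is first and not "quick",
# so any later matching rule overrides it (last matching rule wins).
block log all

# --- Without tags: each permitted flow needs a "pass in" on the ingress
# interface AND a matching "pass out" on the egress interface, so the rule
# count grows with (flows x interfaces). Shown commented out for comparison.
#
# pass in  quick on $lan_if $TCP from $lan_net to $dmz_net port 22 $KSF
# pass out quick on $dmz_if $TCP from $lan_net to $dmz_net port 22 $KSF

# --- With tags: the ingress rule carries the whole policy decision and marks
# the packet. The tag is sticky and is also stored in the state, so reply
# packets follow the state and need no extra rules.
pass in quick on $lan_if $TCP from $lan_net to $dmz_net port 22 $KSF tag outbound
pass in quick on $lan_if $TCP from $lan_net to any port { 80, 443 } $KSF tag outbound
pass in quick on $dmz_if $TCP from $dmz_net to any port { 80, 443 } $KSF tag outbound
pass in quick on $lan_if inet proto udp from $lan_net to any port 53 keep state tag outbound

# One generic egress rule per interface. Only packets already tagged on the
# way in get out; anything else reaching the egress side falls back to
# "block log all" and shows up in pflog0.
pass out quick on $ext_if tagged outbound keep state
pass out quick on $dmz_if tagged outbound keep state
pass out quick on $lan_if tagged outbound keep state
```

Check the syntax without loading it with `pfctl -nf /etc/pf.conf`, then load with `pfctl -f /etc/pf.conf`; `pfctl -vvsr` shows the loaded rules with their match counters, which makes it easy to confirm that a forwarded SSH connection hits one ingress rule on em1 and the single tagged rule on em2. Adding a new permitted service is then one ingress rule; the egress side never changes. With the default `floating` state policy instead of `if-bound`, a state created on the ingress interface is normally matched again by the same packet on the egress interface, so the `tagged` rules are evaluated mainly for packets that did not create state.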