From: "Tonix (Antonio Nati)" <tonix@interazioni.it>
Date: Sat, 21 Jul 2012 17:22:07 +0200
To: Greg Hennessy
Cc: freebsd-pf@freebsd.org
Subject: Re: Question on packet filter using in and out interfaces
Message-ID: <500AC91F.9090907@interazioni.it>
List: freebsd-pf@freebsd.org (Technical discussion and general questions about packet filter (pf))

If you can provide a link to this PF diagram it would be very useful.
Regards,

Tonino

On 21/07/2012 15:58, Greg Hennessy wrote:
> As I recall there is a diagram out there which details the packet flow starting with the ingress interface.
>
> It'll explain what gets evaluated where. Bear in mind the effect of the 'quick' keyword. Something I tend to always use.
>
> Regards
>
> Greg
>
>
>> -----Original Message-----
>> From: Tonix (Antonio Nati) [mailto:tonix@interazioni.it]
>> Sent: Saturday, 21 July 2012 11:49 PM
>> To: Greg Hennessy
>> Cc: freebsd-pf@freebsd.org
>> Subject: Re: Question on packet filter using in and out interfaces
>>
>> On 20/07/2012 02:44, Greg Hennessy wrote:
>>> For PF I would tend to filter on the ingress interface, tag flows passed by
>>> policy and put a generic pass rule on the egress interface permitting the
>>> tagged flow.
>>>
>>> The only exception would be assignment of specific flows for shaping.
>>
>> Please see my answer on the other thread. If PF evaluates rules all together,
>> there would be no security difference in using IN or OUT rules.
>>
>> Or does PF not evaluate all rules in the configuration file in the same phase?
>>
>> Regards,
>>
>> Tonino
>>
>>>
>>> Greg
>>>
>>>
>>>> -----Original Message-----
>>>> From: owner-freebsd-pf@freebsd.org [mailto:owner-freebsd-pf@freebsd.org] On Behalf Of Tonix (Antonio Nati)
>>>> Sent: Friday, 20 July 2012 1:25 AM
>>>> To: freebsd-pf@freebsd.org
>>>> Subject: Question on packet filter using in and out interfaces
>>>>
>>>> I have a basic question on the practical usage of 'in' or 'out'
>>>> interfaces.
>>>>
>>>> I'm having some talks on the PFsense mailing list, and I'm saying there is
>>>> no security difference between using rulesets on output interfaces or on
>>>> input interfaces, as PF evaluates all rules in the same phase.
>>>>
>>>> On the contrary, I'm told all 'in' rules are evaluated first, then there
>>>> is a routing phase, then the 'out' rules are finally evaluated, so it
>>>> is more secure to have filters only on 'in' interfaces.
>>>>
>>>> Which is the real situation? Does Packet Filter really have any security
>>>> advantage in having only 'in' rules, or is there no difference in using the
>>>> out interface instead of the in interface?
>>>>
>>>> All this starts from the consideration that using out interfaces would
>>>> simplify a lot the management of complex environments, with interfaces
>>>> dedicated to different customers (one OUT rule on a specific interface
>>>> instead of several IN rules on all other interfaces).
>>>>
>>>> Thanks for any clear answer you can give.
>>>>
>>>> Regards,
>>>>
>>>> Tonino

-- 
------------------------------------------------------------
Inter@zioni Interazioni di Antonio Nati
http://www.interazioni.it tonix@interazioni.it
------------------------------------------------------------
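The layout Greg describes (decide on the ingress interface, tag the flow, and admit only tagged flows on egress), written out as a pf.conf fragment. This is an added example, not configuration posted in the thread; the interface names, the networks and the CUST_OK tag are placeholders. It also carries the caveat that matters for Tonino's question: pf consults the state table before it evaluates any rule, and with the default 'floating' state policy the state created by a 'pass in ... keep state' rule on the ingress interface already matches the packet when it leaves on the egress interface, so the 'out' ruleset is never evaluated for that flow. An out-only ruleset on a customer interface therefore filters nothing that a permissive stateful 'pass in' elsewhere has already let through. The example sets 'state-policy if-bound' so that the egress rules are actually consulted.

```pf
# Added example (not from the thread). Interface names, networks and the
# tag name are placeholders; adjust to the real topology.
cust_if  = "vlan10"           # customer-facing interface (assumed)
srv_if   = "em1"              # interface towards the server network (assumed)
cust_net = "192.0.2.0/24"     # customer prefix (documentation range)
srv_net  = "198.51.100.0/24"  # server prefix (documentation range)

# Bind states to the interface they were created on. With the default
# "floating" policy a state created by the ingress rule below would
# already match on $srv_if and the "pass out" rule would never be
# evaluated for forwarded traffic.
set state-policy if-bound

# Default deny on every interface, both directions, logged.
block log all

# Ingress policy on the customer interface. The decision is taken here and
# the flow is tagged. "quick" ends evaluation at the first match, so no
# later rule can override this decision.
pass in quick on $cust_if inet proto tcp from $cust_net to $srv_net \
    port { 80, 443 } tag CUST_OK keep state
pass in quick on $cust_if inet proto udp from $cust_net to $srv_net \
    port 53 tag CUST_OK keep state

# Egress side: one generic rule that admits only flows an ingress rule has
# tagged. Anything untagged falls through to "block log all". With
# if-bound states this rule creates a second state bound to $srv_if, which
# also matches the reply packets arriving on $srv_if.
pass out quick on $srv_if tagged CUST_OK keep state
```

Check the syntax with 'pfctl -nf /etc/pf.conf' before loading with 'pfctl -f'. To see which rules actually handle traffic, compare the Evaluations and Packets counters printed by 'pfctl -vsr' for the 'pass in' and the 'pass out ... tagged' rules: if you remove the 'set state-policy if-bound' line and reload, the counters on the 'pass out' rule stay at zero for forwarded flows, which is the practical demonstration that out rules on a secondary interface only see a flow when no floating state already covers it. 'pfctl -ss' shows the states and the interface each one is bound to.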