Date: Sat, 21 Jul 2012 17:22:07 +0200
From: "Tonix (Antonio Nati)" <tonix@interazioni.it>
To: Greg Hennessy <Greg.Hennessy@nviz.net>
Cc: "freebsd-pf@freebsd.org" <freebsd-pf@freebsd.org>
Subject: Re: Question on packet filter using in and out interfaces
Message-ID: <500AC91F.9090907@interazioni.it>
In-Reply-To: <9EB23F6C23A8B6488E8BCC92A48E83264BB4D27241@PEMEXMBXVS04.jellyfishnet.co.uk.local>
References: <500826BD.3070602@interazioni.it> <9EB23F6C23A8B6488E8BCC92A48E83264BB4D26F80@PEMEXMBXVS04.jellyfishnet.co.uk.local> <500AB340.2040405@interazioni.it> <9EB23F6C23A8B6488E8BCC92A48E83264BB4D27241@PEMEXMBXVS04.jellyfishnet.co.uk.local>
If you can provide a link to this PF diagram it would be very useful.

Regards,

Tonino

On 21/07/2012 15:58, Greg Hennessy wrote:
> As I recall there is a diagram out there which details the packet flow starting with the ingress interface.
>
> It'll explain what gets evaluated where. Bear in mind the effect of the 'quick' keyword. Something I tend to always use.
>
> Regards
>
> Greg
>
>> -----Original Message-----
>> From: Tonix (Antonio Nati) [mailto:tonix@interazioni.it]
>> Sent: Saturday, 21 July 2012 11:49 PM
>> To: Greg Hennessy
>> Cc: freebsd-pf@freebsd.org
>> Subject: Re: Question on packet filter using in and out interfaces
>>
>> On 20/07/2012 02:44, Greg Hennessy wrote:
>>> For PF I would tend to filter on the ingress interface, tag flows passed by policy and put a generic pass rule on the egress interface permitting the tagged flow.
>>>
>>> The only exception would be assignment of specific flows for shaping.
>>
>> Please see my answer on the other thread. If PF evaluates rules all together, there would be no security difference in using IN or OUT rules.
>>
>> Or does PF not evaluate all rules in the configuration file in the same phase?
>>
>> Regards,
>>
>> Tonino
>>
>>> Greg
>>>
>>>> -----Original Message-----
>>>> From: owner-freebsd-pf@freebsd.org [mailto:owner-freebsd-pf@freebsd.org] On Behalf Of Tonix (Antonio Nati)
>>>> Sent: Friday, 20 July 2012 1:25 AM
>>>> To: freebsd-pf@freebsd.org
>>>> Subject: Question on packet filter using in and out interfaces
>>>>
>>>> I have a basic question on the practical usage of 'in' or 'out' interfaces.
>>>>
>>>> I'm having some talks on the pfSense mailing list, and I'm saying there is no security difference between using rulesets on output interfaces or on input interfaces, as PF is evaluating all rules in the same phase.
>>>>
>>>> On the other hand, I'm told all 'in' rules are evaluated first, then there is a routing phase, then the 'out' rules are finally evaluated, so it is more secure to have only filters on 'in' interfaces.
>>>>
>>>> Which is the real situation? Does Packet Filter really have any security advantage in having only 'in' rules, or is there no difference in using the out interface instead of the in interface?
>>>>
>>>> It all starts from the consideration that using out interfaces would simplify a lot the management of complex environments, with interfaces dedicated to different customers (one OUT rule on a specific interface instead of several IN rules on all other interfaces).
>>>>
>>>> Thanks for any clear answer you can give.
>>>>
>>>> Regards,
>>>>
>>>> Tonino
>>
>> --
>> ------------------------------------------------------------
>> Inter@zioni Interazioni di Antonio Nati
>> http://www.interazioni.it tonix@interazioni.it
>> ------------------------------------------------------------

--
------------------------------------------------------------
Inter@zioni Interazioni di Antonio Nati
http://www.interazioni.it tonix@interazioni.it
------------------------------------------------------------
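The ingress-filter, tag, egress-pass pattern Greg describes, written out as an added pf.conf example; this is not code from the thread or from the PF project, and the interface names, customer networks and ports are assumptions chosen for illustration:

```pf
# Added example (not from the thread): filter and tag on the ingress
# interface, then allow only tagged flows to leave on the egress interface.
# Interface names, networks and ports below are assumptions.
ext_if     = "em0"
cust_a_if  = "em1"
cust_b_if  = "em2"
cust_a_net = "192.0.2.0/24"        # RFC 5737 documentation range
cust_b_net = "198.51.100.0/24"     # RFC 5737 documentation range

set skip on lo0

# Default deny, every interface, both directions.  This rule has no
# 'quick', so a later matching 'pass quick' overrides it; anything that
# matches no later rule stays blocked.
block log all

# Ingress policy per customer interface: the decision is made here, and
# the permitted flow is tagged.  'quick' ends evaluation at this match.
pass in quick on $cust_a_if inet proto tcp from $cust_a_net to any \
    port { 80 443 } flags S/SA keep state tag CUST_A_OK
pass in quick on $cust_b_if inet proto { tcp udp } from $cust_b_net to any \
    port 53 keep state tag CUST_B_OK

# Egress: one generic rule per outbound interface.  Only flows that the
# ingress policy tagged may leave; an untagged packet falls through to
# 'block log all' above.
pass out quick on $ext_if tagged CUST_A_OK keep state
pass out quick on $ext_if tagged CUST_B_OK keep state

# Traffic between customer interfaces is never tagged, so it is blocked
# by the default-deny rule without any per-customer egress rule.
```

Without `quick`, PF applies the last matching rule in the file, so a later `pass` can silently override an earlier `block`; with `quick` on every `pass`, the first match decides, which is the behaviour Greg says he always relies on. One caveat on the egress rules: with the default `set state-policy floating`, a state created by the ingress rule also matches the same flow on the egress interface, so the `pass out ... tagged` rules are only consulted for packets without a matching state; with `set state-policy if-bound`, states are per interface and the egress rules are needed for every flow.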
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?500AC91F.9090907>