From: "Tonix (Antonio Nati)" <tonix@interazioni.it>
Date: Mon, 23 Jul 2012 12:53:41 +0200
To: Daniel Hartmeier
Cc: freebsd-pf@freebsd.org
Subject: Re: Question on packet filter using in and out interfaces
Message-ID: <500D2D35.4070608@interazioni.it>
In-Reply-To: <20120723095509.GB32530@insomnia.benzedrine.cx>
List-Id: "Technical discussion and general questions about packet filter (pf)"

On 23/07/2012 11:55, Daniel Hartmeier wrote:
> On Mon, Jul 23, 2012 at 11:37:27AM +0200, Tonix (Antonio Nati) wrote:
>
>> What it is not clear to me is related to in/out rules evaluation.
>>
>> Diagram starts obviously from the packet entering the system, until the
>> packet exits the system. When the packet enters the system, which rules
>> are evaluated? All rules related to interface, both for IN and OUT? Or
>> only IN?
>
> During both phases (first incoming on one interface, then outgoing on
> the other interface), all rules are evaluated.
>
> Rules can omit the direction (e.g. 'pass from src to dst'), and such
> rules can match in either phase, or both.
>
> If rules do specify a direction (e.g. 'pass in from src to dst'), they are
> still evaluated during both in and out phase, but they cannot possibly
> match during the wrong phase.

Daniel, thanks for the detailed explanation.

So, does that mean the OUT phase evaluation always occurs when the IN phase has been positive (packet should pass)?

I'm thinking of managing a lot of interfaces, where one is the WAN, and the others are DMZ and/or customer-dedicated subnets. I'd love to put basic protections on WAN input, and then permit all other interfaces to define their own rules for packets coming/going from/to the specific subnet.

According to what I understand of your explanation, each interface could have its own IN rules, and if the IN rules of a specific INPUT interface are successful, the OUT rules of the 'outgoing' interface are then evaluated.

This would be wonderful, as each interface could have both IN and OUT rules which do not interfere with or break other interfaces' rules. And it would permit writing most of the rules just once, according to each interface's needs.

Regards,

Tonino

>
>> PF manual says all rules in pf.conf are evaluated, so I suppose all
>> rules applying to that interface are evaluated... or only IN rules are
>> evaluated in this first step, and only OUT rules are evaluated in second
>> step?
>
> There isn't really any difference: while all rules are evaluated, only
> the IN rules can possibly match (in the first step), so there's no way
> you notice the OUT rules are being evaluated...
>
> Daniel
>

-- 
------------------------------------------------------------
Inter@zioni Interazioni di Antonio Nati
http://www.interazioni.it tonix@interazioni.it
------------------------------------------------------------
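A pf.conf laid out the way the reply above describes (basic protections on the WAN 'in' phase, every other interface carrying its own 'in' and 'out' rules) is shown below as an added example. It is not part of the thread, nor taken from FreeBSD or pf documentation. The interface names, the 192.0.2.0/24 and 198.51.100.0/24 subnets, the web server address and the service ports are all assumptions chosen for illustration. It relies on two facts that hold for pf: a packet that is blocked in the 'in' phase is dropped and never reaches forwarding, so the 'out' rules of the egress interface only ever see packets that already passed 'in'; and, without `quick`, the last matching rule wins.

```pf
# Added example, not from the mailing-list thread. Interface names,
# addresses and ports are assumptions; adjust them to the real box.
wan_if  = "em0"
dmz_if  = "em1"
cust_if = "em2"

dmz_net  = "192.0.2.0/24"          # constructed (documentation prefix)
dmz_web  = "192.0.2.10"            # constructed
cust_net = "198.51.100.0/24"       # constructed (documentation prefix)

# Source ranges that must never arrive from the WAN side. A table keeps
# the WAN 'in' phase to one lookup instead of one rule per prefix.
table <martians> const { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16, \
                         127.0.0.0/8, 169.254.0.0/16 }

set skip on lo0

# Default policy for BOTH phases. A forwarded packet must be passed
# once on its way in and once on its way out; a packet that passes
# 'in' on $wan_if but finds no 'pass out' on $dmz_if or $cust_if is
# dropped here during the second phase, and logged on pflog0.
block log all

# ---- WAN: the only place the basic protections live -------------------
antispoof quick for $wan_if
block in quick on $wan_if from <martians>
# 'quick' ends evaluation at this rule. Without it a later, more
# general 'pass' rule would win, because the last match decides.

# Only one service is reachable from the WAN (first phase, $wan_if).
pass in on $wan_if proto tcp to $dmz_web port { 80 443 }
# Anything our own subnets originate may leave (second phase, $wan_if).
pass out on $wan_if from { $dmz_net $cust_net } to any

# ---- DMZ: its own IN and OUT rules, nothing about other interfaces -----
# Second phase for packets that came in on $wan_if or $cust_if and are
# routed to the web server.
pass out on $dmz_if proto tcp to $dmz_web port { 80 443 }
# First phase for packets the DMZ originates. Keeping the DMZ off the
# customer subnet is decided here, on the ingress interface, with quick.
block in quick on $dmz_if from $dmz_net to $cust_net
pass in on $dmz_if from $dmz_net to any

# ---- Customer subnet: same pattern, maintained independently ----------
pass in on $cust_if from $cust_net to any
# No 'pass out on $cust_if' for new connections: nothing from the WAN
# or the DMZ may open a connection into the customer subnet. Replies to
# connections the customers opened are matched by state, not by rules,
# since pf 'pass' rules keep state by default on FreeBSD.
```

Load it with `pfctl -nf /etc/pf.conf` first (parse only, nothing is changed), then `pfctl -f /etc/pf.conf`. To see the two phases at work, run `tcpdump -n -e -ttt -i pflog0` while a host on the WAN side connects to something in the DMZ other than $dmz_web: the first phase passes nothing, so the drop is logged on $wan_if; connect to $dmz_web on a port other than 80 or 443 from the customer subnet instead and the drop is logged on $dmz_if, because the packet passed 'in' on $cust_if and was refused only in the 'out' phase. `pfctl -vsr` prints per-rule Evaluations and Packets counters, which is the quickest way to confirm in which phase a given rule is actually matching.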