From: Aristedes Maniatis
To: Walter Parker, freebsd-stable
Subject: Re: pf best practices: in or out
Date: Mon, 25 Jun 2018 17:44:17 +1000

On 25/6/18 5:30pm, Walter Parker wrote:
> The use case for pass out rules would be to block local processes on
> the box from making external connections to other servers.
> This is useful if you don't fully trust users or software running on
> your equipment.
> Also, this would be useful to preemptively block ports
> that would be useful in DDOS attacks.

Ah, then I misunderstood what pass-in and pass-out meant. I thought those words referred to the interface, so it would hit pass-in to the interface even if coming from a local process.

In that case I'm better off writing all my outbound rules as pass-out so as to equally filter traffic from the internal network and local firewall machine.

Ari
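The direction semantics discussed in the thread, as an added pf.conf sketch that is not from the thread or from the pf project; interface names, the LAN prefix and the allowed ports are constructed assumptions.

```pf
# Constructed example: interface names, LAN prefix and port list are assumptions.
ext_if  = "em0"
int_if  = "em1"
lan_net = "192.168.1.0/24"
egress_tcp = "{ 80, 443 }"

set skip on lo0

# Default deny in both directions; log so denied attempts show up on pflog0.
block log all

# Inbound on the external interface: only the service this host offers.
pass in on $ext_if proto tcp to ($ext_if) port 22 keep state

# Inbound on the LAN interface. This rule is only evaluated for packets that
# ARRIVE on $int_if, i.e. traffic from LAN hosts being forwarded. A process
# running on the firewall itself never hits it: its packets do not enter the
# box via any interface, they leave it via $ext_if.
pass in on $int_if from $lan_net to any keep state

# Outbound on the external interface. These rules are evaluated for BOTH
# forwarded LAN traffic and connections originated by local processes, so
# the egress policy for the firewall host itself belongs here.
pass out on $ext_if proto tcp to any port $egress_tcp keep state
pass out on $ext_if proto udp to any port 53 keep state

# Anything else a local process tries to send out falls through to
# "block log all" and is recorded; inspect with:
#   tcpdump -n -e -ttt -i pflog0
# Syntax-check the file before loading it:
#   pfctl -nf /etc/pf.conf
```

With the "pass in on $int_if" rule alone, a LAN host could reach any port while a local process would be blocked entirely; the "pass out" rules are what apply one egress policy to both.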