From owner-freebsd-pf@FreeBSD.ORG Sun Oct 27 22:03:33 2013
From: Kajetan Staszkiewicz <vegeta@tuxpowered.net>
To: freebsd-pf@freebsd.org
Subject: Re: PF sanity check
Date: Sun, 27 Oct 2013 23:03:24 +0100
Message-Id: <201310272303.24096.vegeta@tuxpowered.net>
References: <201310270128.47766.vegeta@tuxpowered.net>
List-Id: "Technical discussion and general questions about packet filter (pf)"

On Sunday, 27 October 2013 at 16:33:23, Rumen Telbizov wrote:
> > > The question is: Is keeping two states for one connection a bad thing
> > > or is it an acceptable practice?
> >
> > It's rather a requirement. A packet incoming on one interface creates a
> > different state than the same packet outgoing on the other interface
> > (even without an if-bound state policy). And further, you want reverse
> > direction packets in connections to be matched to existing states and
> > passed instead of traversing the rule list or hitting the block rule.
>
> Cool. I know the states are different (due to direction differences) but
> I was wondering if there was a way around that to save on the number of
> states and somehow get away with only 1 state. So now I understand that
> having two states per connection is fine.

Why shouldn't it be? Searching through states is quite fast. Even with
hundreds of thousands of states it is much faster than going through a few
hundred rules, in my experience.

> I was more curious to know what you and other folks think regarding my
> first question:
>
> *Is there any security risk in me allowing the traffic to pass the
> external interface and then dropping it on the internal interface?*

That depends on whether the traffic from the Internet can hit the router's
IP stack directly. For example, if you assign the public IPs of servers in
VLANs to the router's $ext_if and use nat or route-to to forward traffic to
the VLANs. Whatever does not hit those rules but is passed on $ext_if will
hit the router itself in that case.

-- 
| pozdrawiam / greetings | powered by Debian, FreeBSD and CentOS |
| Kajetan Staszkiewicz | jabber,email: vegeta()tuxpowered net |
| Vegeta | www: http://vegeta.tuxpowered.net |
`------------------------^---------------------------------------'
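The distinction Kajetan draws, traffic that is forwarded through the router versus traffic that terminates in the router's own stack, can be written out in pf.conf. The following is an added example for this thread, not configuration from either poster; the interface names, the server subnets, the admin network and the SSH-only local policy are all assumptions.

```pf
# Added example, not from the thread. Interface names, subnets and the
# admin network are assumed; adjust them to the real topology.
ext_if    = "em0"                                   # assumed: faces the Internet
int_if    = "em1"                                   # assumed: trunk carrying the server VLANs
srv_nets  = "{ 203.0.113.0/26, 203.0.113.64/26 }"   # assumed public server subnets behind $int_if
admin_net = "198.51.100.0/24"                       # assumed management network

set skip on lo0
set block-policy drop

# ---- Weak form (the setup asked about in the thread) ----
# Everything from the Internet is passed in on $ext_if and only filtered
# when it leaves on $int_if.  A packet addressed to one of the router's own
# IPs is handed to the local stack right after the $ext_if rule and never
# reaches $int_if, so the $int_if rules never see it.
#
#   block log all
#   pass in on $ext_if
#   pass out on $int_if proto tcp to $srv_nets port { 80, 443 }

# ---- Corrected form ----
block log all
antispoof quick for { $ext_if $int_if }

# Traffic that terminates on the router itself is decided on $ext_if,
# before any forwarding rule.  "self" is pf's keyword for all of the
# router's own addresses.  Here only SSH from the admin network is allowed.
pass in quick on $ext_if proto tcp from $admin_net to self port 22
block in quick on $ext_if to self

# Forwarded traffic.  The first state is created here (in on $ext_if) ...
pass in on $ext_if proto tcp to $srv_nets port { 80, 443 }
pass in on $ext_if inet proto icmp to $srv_nets icmp-type echoreq

# ... and the second when the same packet leaves on $int_if.  Two states
# per forwarded connection are expected; replies match each of them on
# the way back, so no extra "pass out on $ext_if" rule is needed for them.
pass out on $int_if proto tcp to $srv_nets port { 80, 443 }
pass out on $int_if inet proto icmp to $srv_nets icmp-type echoreq

# Connections the router itself originates (DNS, NTP, package fetches).
pass out quick on $ext_if from self
pass out quick on $int_if from self
```

Check the syntax with `pfctl -nf /etc/pf.conf` before loading. After a client connects to one of the servers, `pfctl -ss` lists two entries for that connection, one created on $ext_if and one on $int_if, which is the behaviour described above; a connection aimed at the router's own $ext_if address instead appears in the log for the `block in quick on $ext_if to self` rule rather than passing silently.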