Date:      Thu, 19 Jul 2012 17:24:45 +0200
From:      "Tonix (Antonio Nati)" <tonix@interazioni.it>
To:        freebsd-pf@freebsd.org
Subject:   Question on packet filter using in and out interfaces
Message-ID:  <500826BD.3070602@interazioni.it>

I have a basic question on the practical usage of 'in' or 'out' 
interfaces.

I'm having some discussions on the PFsense mailing list, and I'm saying there is 
no security difference between using rulesets on output interfaces or on 
input interfaces, as PF evaluates all rules in the same phase.

On the contrary, I'm told all 'in' rules are evaluated first, then there 
is a routing phase, then the 'out' rules are finally evaluated, so it 
is more secure to have filters only on 'in' interfaces.

Which is the real situation? Does Packet Filter really have any security 
advantage in having only 'in' rules, or is there no difference between using 
the out interface instead of the in interface?

All this starts from the consideration that using out interfaces would greatly 
simplify management of complex environments, with interfaces dedicated to 
different customers (one OUT rule on a specific interface instead of 
several IN rules on all other interfaces).

Thanks for any clear answer you can give.

Regards,

Tonino
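As an added illustration, not part of Tonino's message, the two rule layouts the question contrasts written out as a pf.conf fragment. The interface names (em0..em3), the customer and server networks, and the HTTPS-only policy are assumptions made for the example.

```pf
# Added example, not from the original message: the two layouts compared in
# the question. Interface names and networks below are assumed.
ext_if     = "em0"
cust_a_if  = "em1"
cust_b_if  = "em2"
srv_if     = "em3"
cust_a_net = "10.0.1.0/24"
cust_b_net = "10.0.2.0/24"
srv_net    = "10.0.3.0/24"

set skip on lo0

# Default deny in both directions. A packet forwarded through the host is
# evaluated twice: on the interface it arrives on ('in') and again on the
# interface it leaves by ('out'), so with this block it needs a pass in both.
block log all

# Layout 1: one 'in' rule per customer interface (grows with every customer
# interface) plus a matching 'out' rule on the server interface.
pass in  on $cust_a_if proto tcp from $cust_a_net to $srv_net port 443 keep state
pass in  on $cust_b_if proto tcp from $cust_b_net to $srv_net port 443 keep state
pass out on $srv_if    proto tcp                  to $srv_net port 443 keep state

# Layout 2: a broad 'in' on the customer interfaces and a single 'out' rule on
# the server interface that carries the actual policy. Only one layout should
# be active at a time; layout 2 is commented out here for comparison.
# pass in  on { $cust_a_if $cust_b_if } from { $cust_a_net $cust_b_net } to $srv_net keep state
# pass out on $srv_if proto tcp to $srv_net port 443 keep state
```

Check the syntax with `pfctl -nf /etc/pf.conf` before loading. One caveat worth keeping in mind when moving policy to 'out' rules: packets addressed to the firewall host itself are only seen by the 'in' pass and never reach an 'out' rule, which is why the broad `pass in` in layout 2 still restricts the destination to `$srv_net` rather than passing everything that arrives.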