Date: Sat, 21 Jul 2012 14:58:03 +0100
From: Greg Hennessy <Greg.Hennessy@nviz.net>
To: "Tonix (Antonio Nati)" <tonix@interazioni.it>
Cc: "freebsd-pf@freebsd.org" <freebsd-pf@freebsd.org>
Subject: RE: Question on packet filter using in and out interfaces
Message-ID: <9EB23F6C23A8B6488E8BCC92A48E83264BB4D27241@PEMEXMBXVS04.jellyfishnet.co.uk.local>
In-Reply-To: <500AB340.2040405@interazioni.it>
References: <500826BD.3070602@interazioni.it> <9EB23F6C23A8B6488E8BCC92A48E83264BB4D26F80@PEMEXMBXVS04.jellyfishnet.co.uk.local> <500AB340.2040405@interazioni.it>
As I recall there is a diagram out there which details the packet flow
starting with the ingress interface. It'll explain what gets evaluated
where.

Bear in mind the effect of the 'quick' keyword. Something I tend to
always use.

Regards

Greg

> -----Original Message-----
> From: Tonix (Antonio Nati) [mailto:tonix@interazioni.it]
> Sent: Saturday, 21 July 2012 11:49 PM
> To: Greg Hennessy
> Cc: freebsd-pf@freebsd.org
> Subject: Re: Question on packet filter using in and out interfaces
>
> On 20/07/2012 02:44, Greg Hennessy wrote:
> > For PF I would tend to filter in the ingress interface, tag flows passed by
> > policy and put a generic pass rule on the egress interface permitting the
> > tagged flow.
> >
> > The only exception would be assignment of specific flows for shaping.
>
> Please see the answer on the other thread. If PF evaluates rules all together,
> there would be no security difference between using IN or OUT rules.
>
> Or does PF not evaluate all rules in the configuration file in the same phase?
>
> Regards,
>
> Tonino
>
> >
> >
> > Greg
> >
> >
> >> -----Original Message-----
> >> From: owner-freebsd-pf@freebsd.org [mailto:owner-freebsd-
> >> pf@freebsd.org] On Behalf Of Tonix (Antonio Nati)
> >> Sent: Friday, 20 July 2012 1:25 AM
> >> To: freebsd-pf@freebsd.org
> >> Subject: Question on packet filter using in and out interfaces
> >>
> >> I have a basic question on the usage of 'in' or 'out' interfaces, in
> >> practical usage.
> >>
> >> I'm having some talks on the PFsense mailing list, and I'm saying there is
> >> no security difference between using rulesets on output interfaces or on
> >> input interfaces, as PF is evaluating all rules in the same phase.
> >>
> >> At the opposite, I'm told all 'in' rules are evaluated first, then there
> >> is a routing phase, then the 'out' rules are finally evaluated, so it
> >> is more secure to have only filters on 'in' interfaces.
> >>
> >> Which is the real situation? Does Packet Filter really have any security
> >> advantage from having only 'in' rules, or is there no difference between
> >> using the out interface instead of the in interface?
> >>
> >> It all starts from the consideration that using out interfaces would simplify
> >> a lot the management of complex environments, with interfaces dedicated to
> >> different customers (one OUT rule on a specific interface instead of
> >> several IN rules on all other interfaces).
> >>
> >> Thanks for any clear answer you can give.
> >>
> >> Regards,
> >>
> >> Tonino
> >>
> >>
> >> _______________________________________________
> >> freebsd-pf@freebsd.org mailing list
> >> http://lists.freebsd.org/mailman/listinfo/freebsd-pf
> >> To unsubscribe, send any mail to "freebsd-pf-unsubscribe@freebsd.org"
> >
>
>
> --
> ------------------------------------------------------------
> Inter@zioni Interazioni di Antonio Nati
> http://www.interazioni.it tonix@interazioni.it
> ------------------------------------------------------------
>
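The ingress-filter-and-tag pattern Greg describes, written out as a pf.conf for a multi-customer router. This is an added example, not configuration from the thread or from any pfSense ruleset; the interface names (em0, em1, em2), the customer networks (documentation prefixes) and the tag name CUST_OK are assumptions for illustration. The comments state the mechanism the thread is arguing about: pf keeps one rule list, but a forwarded packet is evaluated twice, once with direction 'in' on the interface it enters (before the routing decision) and once with direction 'out' on the interface it leaves (after it), and only rules whose direction and interface match are considered in each pass.

```pf
# Added example (not from the thread): ingress policy + tag, generic
# tagged pass on egress.  Names and networks are assumptions.
wan_if    = "em0"
cust1_if  = "em1"
cust2_if  = "em2"
cust1_net = "192.0.2.0/24"
cust2_net = "198.51.100.0/24"

set skip on lo0
set block-policy drop

# Default deny on every interface in both directions.  A packet that is
# forwarded is evaluated 'in' on the ingress interface before routing and
# 'out' on the egress interface after routing; 'in' and 'out' rules are
# not one phase, they run at different points of the packet's path.
block log all

# Spoof protection belongs on ingress: a packet carrying a customer
# source address that arrives on any other interface is dropped here,
# before the routing table or any egress rule sees it.  'quick' makes the
# block final instead of leaving pf to its last-match-wins evaluation.
antispoof quick for { $cust1_if $cust2_if }

# Traffic addressed to the router itself is only ever seen by 'in' rules:
# a locally delivered packet never traverses an 'out' ruleset, so an
# out-only policy cannot protect the firewall host.  Allow what is
# needed, then block the rest to self before the forwarding rules.
pass in quick on $cust1_if inet proto tcp from $cust1_net to ($cust1_if) port 22
block in log quick on { $cust1_if $cust2_if } from any to self

# Ingress policy per customer interface.  Anything that fails policy is
# dropped by the default block before routing happens.  Flows that pass
# are tagged; the tag travels with the packet to the egress evaluation.
pass in quick on $cust1_if inet proto { tcp udp } from $cust1_net to any tag CUST_OK
pass in quick on $cust2_if inet proto { tcp udp } from $cust2_net to any tag CUST_OK

# Egress: one generic rule on the WAN side, but it only passes flows that
# already carry a policy decision from an ingress rule.  This is the
# "one OUT rule on a specific interface" the thread wants, without
# letting untagged traffic out.
pass out quick on $wan_if tagged CUST_OK
```

Check the syntax and see how pf expands the macros, lists and antispoof with `pfctl -nf /etc/pf.conf` (parse only) and `pfctl -sr` after loading. One caveat worth knowing before relying on the egress rule as a control: whether it is consulted for every packet of a flow depends on `set state-policy`. With the default floating policy, the state created by the ingress `pass` also matches the packet on the egress interface, so the `tagged` rule mainly governs the first packet and documents the intent; with `set state-policy if-bound`, states are bound to the interface that created them and the egress `tagged` rule is what lets the forwarded flow out.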