Packet Path Through PF (once for each interface?)
Greg Hennessy
Greg.Hennessy at nviz.net
Wed May 16 20:22:43 UTC 2007
>
> Does a packet being routed from em0 to em1 pass through PF twice?
>
PF does both ingress and egress filtering; this explains it far better than I could.
http://homepage.mac.com/quension/pf/flow.png
>
> pass in quick on em0 proto tcp from 172.31.0.0/24 to 172.31.1.0/24 port 22 keep state
> pass out quick on em1 proto tcp from 172.31.0.0/24 to 172.31.1.0/24 port 22 keep state
>
> block in log inet from any to any
> block out log inet from any to any
>
>
> In the second rule this indicates that the packet passes through PF once
> for each interface that it passes through, is this correct?
>
A filtering rule without direction will match both ingress and egress flows.
A PF policy will block by default if the first rule is:
block log all
One way of minimising the number of rules required is to use a tagged
generic egress rule on each interface.
e.g.
pass in quick on int1 $TCP .... $KSF tag outbound
pass in quick on int2 $TCP .... $KSF tag outbound
...
pass out quick on int3 .... $KSF tagged outbound
where:
KSF="keep state flags S/SA"
TCP="inet proto tcp"
Greg
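As an added example (not part of the thread), here is a complete pf.conf that puts both approaches discussed above side by side for the original poster's em0/em1 case: the explicit in/out rule pair, and the tagged variant where each interface's ingress rule marks the packet and a single generic egress rule passes anything carrying the tag. The interface names em0/em1, the 172.31.0.0/24 and 172.31.1.0/24 networks and the KSF/TCP macros come from the thread; the third interface em2, the 172.31.2.0/24 network and the lan0/lan1/lan2 macro names are assumptions made for illustration.

```pf
# Added example (not from the thread): pf.conf showing that a forwarded packet
# is evaluated twice, once inbound on the interface it arrives on and once
# outbound on the interface it leaves on, so each pass needs a matching rule.
# em0/em1, the 172.31.0/1 networks and the TCP/KSF macros follow the thread;
# em2, 172.31.2.0/24 and the lanN macro names are assumed for illustration.

TCP="inet proto tcp"
KSF="keep state flags S/SA"

lan0="172.31.0.0/24"   # network behind em0
lan1="172.31.1.0/24"   # network behind em1
lan2="172.31.2.0/24"   # network behind em2 (assumed)

# Default deny in both directions. This rule is evaluated first; later
# "quick" rules that match override it. Logged so drops appear on pflog0.
block log all

# Approach 1 (as in the original question): one explicit rule per pass.
# Pass 1 - the packet arrives on em0 and is checked against "in" rules.
pass in  quick on em0 $TCP from $lan0 to $lan1 port 22 $KSF
# Pass 2 - the same packet leaves on em1 and is checked against "out" rules.
# Without this rule the egress pass falls through to "block log all".
pass out quick on em1 $TCP from $lan0 to $lan1 port 22 $KSF

# Approach 2 (the tagging scheme above): tag on ingress, one generic egress
# rule. The tag is attached to the packet and its state during pass 1 ...
pass in quick on em0 $TCP from $lan0 to $lan2 port 22 $KSF tag outbound
pass in quick on em1 $TCP from $lan1 to $lan2 port 22 $KSF tag outbound
# ... so pass 2 only has to match on "tagged", instead of repeating the
# address and port detail once per source network.
pass out quick on em2 $TCP $KSF tagged outbound
```

Load it with `pfctl -nf /etc/pf.conf` first to check the syntax without changing the running ruleset, then `pfctl -f /etc/pf.conf` to apply it. The split into ingress and egress rules is what makes the "packet passes through PF once per interface" behaviour visible: removing either `pass out` rule leaves the first pass succeeding and the second pass landing on `block log all`, which is exactly the drop that then shows up in the pflog output.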