PF sanity check
Kajetan Staszkiewicz
vegeta at tuxpowered.net
Sun Oct 27 22:03:33 UTC 2013
On Sunday, 27 October 2013 at 16:33:23 Rumen Telbizov wrote:
> > > The question is: Is keeping two states for one connection a bad thing or
> > > is it an acceptable practice?
> >
> > It's rather a requirement. A packet incoming on one interface creates a
> > different state than the same packet outgoing on the other interface (even
> > without the if-bound state policy). And you want further, reverse-direction
> > packets in connections to be matched to existing states and passed instead
> > of traversing the rule list or hitting the block rule.
>
> Cool. I know the states are different (due to direction differences) but I
> was wondering if there was a way around that to save on the number of states
> and somehow get away with only 1 state. So now I understand having two states
> per connection is fine.
Why shouldn't it be? Searching through states is quite fast. Even with hundreds
of thousands of states it is much faster than going through a few hundred rules,
in my experience.
> I was more curious to know what you and other folks think regarding my
> first question:
>
> *Is there any security risk in me allowing the traffic pass the external
> interface and then dropping it on the internal interface?*
That depends on whether the traffic from the Internet can hit the router's IP
stack directly. For example, if you assign public IPs of servers in VLANs to the
router's $ext_if and use nat or route-to to forward traffic to the VLANs,
whatever does not hit those rules but is passed on $ext_if will hit the router
itself in such a case.
--
| pozdrawiam / greetings | powered by Debian, FreeBSD and CentOS |
| Kajetan Staszkiewicz | jabber,email: vegeta()tuxpowered net |
| Vegeta | www: http://vegeta.tuxpowered.net |
`------------------------^---------------------------------------'
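As an added illustration, not part of the thread or of any poster's configuration: a pf.conf fragment (FreeBSD-era "rdr ... ->" grammar) that puts the risky "pass everything on $ext_if, drop on the VLAN side" policy next to one that decides at $ext_if. Interface names, addresses and table names are constructed.

```pf
# Added example, not from the thread: contrasts the two policies discussed above.
# Interface names, addresses and table names are constructed for illustration.
ext_if        = "em0"
vlan_if       = "vlan10"
router_public = "192.0.2.1"        # the router's own address on $ext_if
www_public    = "192.0.2.10"       # public IP of a server living in the VLAN
www_internal  = "10.0.10.10"       # its real address behind the router
table <admin_net> { 203.0.113.0/24 }

set state-policy if-bound          # one state per interface, as discussed in the thread

# Translation rules must precede filter rules in this pf grammar.
rdr on $ext_if inet proto tcp from any to $www_public port 80 -> $www_internal port 80

# --- Risky policy: pass everything on the outside, drop on the VLAN side ---
# Traffic to $www_public is rewritten and later filtered as it leaves $vlan_if,
# but anything else (e.g. aimed at $router_public) matches "pass in on $ext_if all"
# and reaches the router's own IP stack; the $vlan_if rules never see it.
#   pass in on $ext_if all
#   block out on $vlan_if all
#   pass out on $vlan_if inet proto tcp to $www_internal port 80

# --- Hardened policy: decide on $ext_if, forward only what was translated ---
block in log on $ext_if all                                   # default deny at the edge
pass in quick on $ext_if inet proto tcp from <admin_net> \
    to $router_public port 22                                 # the only service the router itself offers
block in quick on $ext_if to $router_public                   # everything else aimed at the router
pass in on $ext_if inet proto tcp to $www_internal port 80    # matches the post-rdr destination
pass out on $vlan_if inet proto tcp to $www_internal port 80  # the second state, created as the packet leaves
```

Load it with `pfctl -nf /etc/pf.conf` first to syntax-check, and compare `pfctl -ss` before and after to see the two per-connection states the thread describes.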