PF sanity check

[Kajetan Staszkiewicz]

Dnia niedziela, 27 października 2013 o 16:33:23 Rumen Telbizov napisał(a):

> > The question is: Is keeping two states for one connection a bad thing or
> > is
> > 
> > > it an acceptable practice ?
> > 
> > It's rather a requirement. A packet incoming on one interface creates a
> > different state than the same packet outgoing on other interface (even
> > without
> > if-bound state policy). And you want further, reverse direction packets
> > in connections to be matched to existing states and passed instead of
> > traversing
> > rule list or hitting the block rule.
> 
> Cool. I know the states are different (due to direction differences) but I
> was wondering if
> there was a way around that to save on the number of states and somehow get
> away with
> only 1 state. So now I understand having two states per connection is fine.

Why shouldn't it be? Searching through states is quite fast. Even with hundreds 
of thousands of states much faster than going through a few hundreds of rules, 
from my experience.

> I was more curious to know what you and other folks think regarding my
> first question:
> 
> *Is there any security risk in me allowing the traffic pass the external
> interface and then dropping it on the internal interface?*

That depends if the traffic from the Internet can hit the router's IP stack 
directly. For example if you assign public IPs of servers in VLANs to the 
router's $ext_if and use nat or route-to to forward traffic to VLANs. Whatever 
does not hit those rules but is passed on $ext_if, will hit the router itself 
in such case.

-- 
| pozdrawiam / greetings | powered by Debian, FreeBSD and CentOS |
|  Kajetan Staszkiewicz  | jabber,email: vegeta()tuxpowered net  |
|        Vegeta          | www: http://vegeta.tuxpowered.net     |
`------------------------^---------------------------------------'