Question on packet filter using in and out interfaces

Greg Hennessy Greg.Hennessy at nviz.net
Fri Jul 20 00:45:38 UTC 2012


For PF I would tend to filter on the ingress interface, tag flows passed by policy and put a generic pass rule on the egress interface permitting the tagged flow.

The only exception would be assignment of specific flows for shaping. 


Greg
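
The pattern above written out as a pf.conf fragment. This is an added example, not Greg's or the list's configuration; the interface names, customer networks, ports and queue names are assumed for illustration.

```pf
# Added example (not from the thread): ingress filtering with tags,
# one generic tagged pass rule per egress, plus a shaping exception.
# All interface names, networks and queue names are assumed.
ext_if    = "em0"
cust_a_if = "em1"
cust_b_if = "em2"
cust_a_net = "10.1.0.0/24"
cust_b_net = "10.2.0.0/24"

set skip on lo0

# Bind states to the interface they were created on. With the default
# floating policy the state created by the ingress rule would already
# match the packet on the way out, and the egress rules below would
# rarely be consulted; if-bound makes the egress pass rule authoritative.
set state-policy if-bound

# Default deny in both directions on every interface, logged.
block log all

# Ingress policy: decide on the interface a packet arrives on.
# Every flow that is accepted carries a tag so egress can recognise it.
pass in on $cust_a_if proto tcp from $cust_a_net to any port { 80, 443 } tag CUST_A_OK
pass in on $cust_b_if proto tcp from $cust_b_net to any port { 80, 443 } tag CUST_B_OK
pass in on $ext_if    proto tcp from any to $cust_a_net port 443       tag INBOUND_OK

# Egress: one generic rule per tag. Anything that was not accepted on
# ingress carries no tag and is caught by the block rule above.
pass out tagged CUST_A_OK
pass out tagged CUST_B_OK
pass out tagged INBOUND_OK

# The exception Greg mentions: a specific flow singled out for shaping on
# the egress side. Last matching rule wins, so this more specific rule
# overrides the generic one for customer B traffic leaving via $ext_if.
altq on $ext_if cbq bandwidth 100Mb queue { std, bulk }
queue std  bandwidth 90% cbq(default)
queue bulk bandwidth 10%
pass out on $ext_if tagged CUST_B_OK queue bulk
```

Load it with `pfctl -nf /etc/pf.conf` first to syntax-check, then `pfctl -f /etc/pf.conf`. Adding a customer interface then means adding ingress rules on that one interface and a single `pass out tagged` line, rather than touching the rulesets of every other interface.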


> -----Original Message-----
> From: owner-freebsd-pf at freebsd.org [mailto:owner-freebsd-pf at freebsd.org] On Behalf Of Tonix (Antonio Nati)
> Sent: Friday, 20 July 2012 1:25 AM
> To: freebsd-pf at freebsd.org
> Subject: Question on packet filter using in and out interfaces
> 
> I have a basic question on the practical usage of 'in' or 'out'
> interfaces.
> 
> I'm having some talks in the PFsense mailing list, and I'm saying there is
> no security difference between using rulesets on output interfaces or on
> input interfaces, as PF is evaluating all rules in the same phase.
> 
> On the contrary, I'm told all 'in' rules are evaluated first, then there
> is a routing phase, then the 'out' rules are finally evaluated, so it
> is more secure to have only filters on 'in' interfaces.
> 
> Which is the real situation? Does Packet Filter really have any security
> advantage in having only 'in' rules, or is there no difference in using the out
> interface instead of the in interface?
> 
> This all starts from the consideration that using out interfaces would simplify
> management of complex environments a lot, with interfaces dedicated to
> different customers (one OUT rule on a specific interface instead of
> several IN rules on all other interfaces).
> 
> Thanks for any clear answer you can give.
> 
> Regards,
> 
> Tonino
> 
> 

