Question on packet filter using in and out interfaces

Tonix (Antonio Nati) tonix at interazioni.it
Sat Jul 21 15:22:12 UTC 2012


If you can provide a link to this PF diagram it would be very useful.

Regards,

Tonino

On 21/07/2012 15:58, Greg Hennessy wrote:
> As I recall there is a diagram out there which details the packet flow starting with the ingress interface.
>
> It'll explain what gets evaluated where. Bear in mind the effect of the 'quick' keyword. Something I tend to always use.
>
> Regards
>
> Greg
>
>
>> -----Original Message-----
>> From: Tonix (Antonio Nati) [mailto:tonix at interazioni.it]
>> Sent: Saturday, 21 July 2012 11:49 PM
>> To: Greg Hennessy
>> Cc: freebsd-pf at freebsd.org
>> Subject: Re: Question on packet filter using in and out interfaces
>>
>> On 20/07/2012 02:44, Greg Hennessy wrote:
>>> For PF I would tend to filter in the ingress interface, tag flows passed by
>>> policy and put a generic pass rule on the egress interface permitting the
>>> tagged flow.
>>>
>>> The only exception would be assignment of specific flows for shaping.
>>
>> Please see answer on other thread. If PF evaluates rules all together,
>> there would be no security difference in using IN or OUT rules.
>>
>> Or does PF not evaluate all rules in the configuration file in the same phase?
>>
>> Regards,
>>
>> Tonino
>>
>>>
>>>
>>> Greg
>>>
>>>
>>>> -----Original Message-----
>>>> From: owner-freebsd-pf at freebsd.org [mailto:owner-freebsd-
>>>> pf at freebsd.org] On Behalf Of Tonix (Antonio Nati)
>>>> Sent: Friday, 20 July 2012 1:25 AM
>>>> To: freebsd-pf at freebsd.org
>>>> Subject: Question on packet filter using in and out interfaces
>>>>
>>>> I have a basic question on the usage of 'in' or 'out' interfaces, in
>>>> practical use.
>>>>
>>>> I'm having some talks on the pfSense mailing list, and I'm saying there is
>>>> no security difference about using rulesets on output interfaces or on
>>>> input interfaces, as PF is evaluating all rules in the same phase.
>>>>
>>>> On the contrary, I'm told all 'in' rules are evaluated first, then there
>>>> is a routing phase, then the 'out' rules are finally evaluated, so it
>>>> is more secure to have filters only on 'in' interfaces.
>>>>
>>>> Which is the real situation? Does Packet Filter really have any security
>>>> advantage in having only 'in' rules, or is there no difference in using the out
>>>> interface instead of the in interface?
>>>>
>>>> It all starts from the consideration that using out interfaces would simplify
>>>> a lot the management of complex environments, with interfaces dedicated to
>>>> different customers (one OUT rule on a specific interface instead of
>>>> several IN rules on all other interfaces).
>>>>
>>>> Thanks for any clear answer you can give.
>>>>
>>>> Regards,
>>>>
>>>> Tonino
>>>>
>>>>
>>>
>>
>>
>>
>
>


-- 
------------------------------------------------------------
         Inter at zioni            Interazioni di Antonio Nati
    http://www.interazioni.it      tonix at interazioni.it
------------------------------------------------------------
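The ingress-filter-and-tag pattern Greg describes, written out as a pf.conf fragment so the two approaches discussed in the thread can be compared side by side. This is an added example, not a ruleset from anyone in the thread; the interface names, customer networks and tag names are assumptions.

```pf
# Added example (not from the thread). Interface names, networks and
# tag names below are assumptions.
ext_if    = "em0"            # upstream
custa_if  = "em1"            # customer A
custb_if  = "em2"            # customer B
custa_net = "10.1.0.0/24"
custb_net = "10.2.0.0/24"

set skip on lo0

# Default deny on every interface, both directions. Without 'quick' PF
# keeps evaluating and the LAST matching rule wins, so this only applies
# to packets that no later rule matches.
block log all

# 1) Filter on the INGRESS interface. A packet blocked here is dropped
#    before routing and never reaches any 'out' rule. 'quick' stops
#    evaluation at the first match, so later rules cannot silently
#    override the decision. State is kept by default on FreeBSD's PF,
#    so no explicit 'keep state' is needed.
pass in quick on $custa_if proto tcp from $custa_net to any \
    port { 80 443 } tag CUSTA_OK
pass in quick on $custb_if proto tcp from $custb_net to any \
    port { 80 443 } tag CUSTB_OK

# 2) Generic pass on the EGRESS interface: only flows already accepted
#    (and tagged) on ingress may leave; anything else falls through to
#    'block log all'. With the default floating state policy the state
#    created on ingress already matches the packet here, so these rules
#    mainly matter with 'set state-policy if-bound' and otherwise serve
#    to document the intended flow.
pass out quick on $ext_if tagged CUSTA_OK
pass out quick on $ext_if tagged CUSTB_OK

# 3) The alternative raised in the thread: one 'out' rule on the customer
#    interface instead of 'in' rules on every other interface. An 'out'
#    rule is only reached after routing, and traffic addressed to the
#    firewall host itself never egresses, so a rule like this cannot
#    replace ingress filtering for packets aimed at the firewall.
pass out quick on $custa_if proto tcp from any to $custa_net port 22
```

Load it with `pfctl -nf /etc/pf.conf` first to check the syntax, then `pfctl -f /etc/pf.conf` to apply; `pfctl -vsr` shows the loaded rules with their per-rule match counters, which makes it easy to confirm which of the 'in' or 'out' rules a test flow actually hit.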



