Question on packet filter using in and out interfaces

Daniel Hartmeier daniel at benzedrine.cx
Mon Jul 23 12:05:26 UTC 2012


On Mon, Jul 23, 2012 at 01:32:07PM +0200, Tonix (Antonio Nati) wrote:

> I have customers which should be allowed to go whatever they like and 
> accept from all.
> 
> So I'd love to make something like this:
> 
> - deny on INPUT WAN from hackers/abusers
> - allow any other INPUT on WAN
> - allow any OUTPUT to WAN
> 
> - custom INPUT rules on all other interfaces
> - custom OUT rules on all other interfaces
> 
> So, if a customer wants to allow anyone to access his port 80, he/she
> just adds that OUT rule to his/her interface. And that saves me from adding
> the same rule to WAN and all remaining interfaces.

That will work just fine, assuming you don't run any services on the
firewall itself that need to be protected.

> With respect to the dominant model (i.e. which puts any rules on INPUT only),
> do you see any security hole? Or just some more processing?

It's just a matter of personal preference, combined with the fact that
other products don't offer the choice.

Generally, it makes sense to block packets "as early as possible" (i.e.
on input). But if you have specific reasons to do differently, that can
make sense, too :)

Daniel
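The layout from the quoted message written out as a pf.conf, added here as an illustration and not a ruleset from the thread; the interface names em0/em1/em2, the <abusers> table and the 192.0.2.0/24 management network are assumptions. It relies on pf evaluating a forwarded packet on both the interface it enters and the one it leaves, and it ends with the explicit rules Daniel's caveat calls for when the firewall itself runs services.

```pf
# Added example (not from the thread). Interface names, the table and
# the management network are assumptions for illustration only.
ext_if  = "em0"                  # WAN
mgmt_net = "192.0.2.0/24"        # assumed admin network

# Addresses to be dropped on the WAN side; maintained at runtime with
#   pfctl -t abusers -T add <addr>   /   pfctl -t abusers -T delete <addr>
table <abusers> persist

set skip on lo0

# --- WAN (rules live on INPUT) ---
# 1. Deny known abusers as early as possible; quick stops evaluation here.
block in quick on $ext_if from <abusers>
# 2. Allow any other INPUT on WAN; the customer interfaces decide the rest.
pass in on $ext_if
# 3. Allow any OUTPUT to WAN.
pass out on $ext_if

# --- Customer interfaces (custom IN and OUT rules) ---
# Customer on em1: own outbound traffic allowed (keeps state, so replies
# come back out through the "block out" below); inbound only HTTP.
pass in on em1
block out on em1
pass out on em1 proto tcp to port 80          # last matching rule wins

# Customer on em2: own outbound traffic allowed; inbound SSH from mgmt only.
pass in on em2
block out on em2
pass out on em2 proto tcp from $mgmt_net to port 22

# --- The caveat from the reply ---
# "pass in on $ext_if" above also reaches daemons on the firewall itself,
# and no OUT rule ever sees that traffic. Protect self explicitly:
block in on $ext_if to self
pass in on $ext_if proto tcp from $mgmt_net to self port 22
```

Check the file with `pfctl -nf /etc/pf.conf` before loading it; `pfctl -sr` then shows the rules in the order pf evaluates them.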

