pf best practices: in or out

Jason Tubnor jason at tubnor.net
Mon Jun 25 06:56:18 UTC 2018


Hi Ari,

In most cases, block all and then perform conditional pass in on traffic.
Depending on your requirements you would conclude your rules with explicit
pass out or just a general pass out 'all' (the former in the newer syntax
of PF allows you to control queues, operational tags etc - but that won't
help you with the current implementation of PF in FreeBSD).

DNAT isn't a thing in PF (I assume you were looking how you'd do it if you
were coming from Linux).  Incoming will manipulate where required when rdr
etc. Only outbound needs NAT binding.

Cheers,

Jason.

On 25 June 2018 at 14:12, Aristedes Maniatis <ari at ish.com.au> wrote:

> Hi all
>
> pf has rules that can operate either 'in' or 'out'. That is, on traffic
> entering or leaving an interface. I'm trying to consolidate my rules to
> make them easier to understand and update, so it seems a bit pointless to
> have the same rules twice.
>
> Are there any best practices on whether it makes more sense to put rules
> on the in or out side? I could bind all the rules to the internet facing
> interface and then use "in" for inbound traffic and "out" for outbound.
> Does that makes sense? Does it make any difference from a performance point
> of view?
>
> Secondly, where do DNAT rules execute in the sequence? Do they change the
> destination IP in between the in and out pass pf rules?
>
>
> I'm not currently subscribed here, so please cc me on replies.
>
> Thanks
>
> Ari
>



-- 
"If my calculations are correct, when this baby hits 88MPH, you're gonna
see some serious shit" - Emmett "Doc" Brown
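The ruleset below is an added example, not something posted in this thread, that puts Jason's advice into pf.conf form for the PF version FreeBSD shipped at the time (the older OpenBSD-derived syntax, where nat/rdr are separate translation rules). It answers Ari's sequencing question as pf.conf(5) documents it: translation rules are applied before filtering, so a pass in rule on the external interface already sees the post-rdr (internal) destination address. Interface names, address ranges, the web server address and the management network are assumptions chosen for illustration.

```pf
# Added example pf.conf (not from the mailing list thread).
# All interface names and addresses below are assumed values.
ext_if  = "em0"              # assumed internet-facing interface
int_if  = "em1"              # assumed LAN interface
int_net = "192.168.1.0/24"   # assumed LAN range
web_srv = "192.168.1.10"     # assumed internal web server
mgmt    = "203.0.113.0/24"   # assumed admin network allowed to reach SSH

# Options come first; loopback is left unfiltered.
set skip on lo0

# Translation rules: evaluated BEFORE the filter rules below.
# Outbound source NAT: LAN clients leave with the external address.
nat on $ext_if from $int_net to any -> ($ext_if)
# Inbound redirect (the PF equivalent of Linux DNAT) for port 80.
# The filter rules further down see $web_srv as the destination, not ($ext_if).
rdr on $ext_if proto tcp from any to ($ext_if) port 80 -> $web_srv port 80

# Default deny everything, logging what is dropped so it shows up in pflog0.
block log all

# Drop spoofed source addresses arriving on the external interface.
antispoof quick for $ext_if

# Conditional pass in on the external interface: only what is meant to be reachable.
# Because rdr already ran, match the translated destination address.
pass in on $ext_if proto tcp from any to $web_srv port 80 flags S/SA keep state
pass in on $ext_if proto tcp from $mgmt to ($ext_if) port 22 flags S/SA keep state

# LAN hosts may initiate connections; state created here also covers the
# packet as it leaves via $ext_if, so no duplicate out rule is needed.
pass in on $int_if from $int_net to any keep state

# General pass out: the firewall itself and anything already stateful may leave.
pass out all keep state
```

The practical point for consolidation is the state table: with keep state on the pass in rules, the reply packets (and the same packet crossing the other interface) are matched by state rather than by a second rule, so rules only need to be written where traffic enters. Blocked packets can be reviewed with tcpdump on pflog0 to confirm the default deny is catching what you expect before tightening further.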

