pf best practices: in or out

Aristedes Maniatis ari at ish.com.au
Mon Jun 25 07:19:36 UTC 2018 

Thanks Jason,

So in essence, you'd just control everything on the 'pass in'. I'm 
assuming all traffic originating from the local machine is still hitting 
a pass in rule on some interface corresponding to the source IP address?

DNAT is working fine for me in pf, although I understand it is named rdr.


What is the use case for using pass out rules instead of pass in rules?

Cheers

Ari

On 25/6/18 4:55pm, Jason Tubnor wrote:
> Hi Ari,
>
> In most cases, block all and then perform conditional pass in on 
> traffic.  Depending on your requirements you would conclude your rules 
> with explicit pass out or just a general pass out 'all' (the former in 
> the newer syntax of PF allows you to control queues, operational tags 
> etc - but that won't help you with the current implementation of PF in 
> FreeBSD).
>
> DNAT isn't a thing in PF (I assume you were looking how you'd do it if 
> you were coming from Linux).  Incoming will manipulate where required 
> when rdr etc. Only outbound needs NAT binding.
>
> Cheers,
>
> Jason.
>
> On 25 June 2018 at 14:12, Aristedes Maniatis <ari at ish.com.au 
> <mailto:ari at ish.com.au>> wrote:
>
>     Hi all
>
>     pf has rules that can operate either 'in' or 'out'. That is, on
>     traffic entering or leaving an interface. I'm trying to
>     consolidate my rules to make them easier to understand and update,
>     so it seems a bit pointless to have the same rules twice.
>
>     Are there any best practices on whether it makes more sense to put
>     rules on the in or out side? I could bind all the rules to the
>     internet facing interface and then use "in" for inbound traffic
>     and "out" for outbound. Does that makes sense? Does it make any
>     difference from a performance point of view?
>
>     Secondly, where do DNAT rules execute in the sequence? Do they
>     change the destination IP in between the in and out pass pf rules?
>
>
>     I'm not currently subscribed here, so please cc me on replies.
>
>     Thanks
>
>     Ari
>
>     _______________________________________________
>     freebsd-stable at freebsd.org <mailto:freebsd-stable at freebsd.org>
>     mailing list
>     https://lists.freebsd.org/mailman/listinfo/freebsd-stable
>     <https://lists.freebsd.org/mailman/listinfo/freebsd-stable>
>     To unsubscribe, send any mail to
>     "freebsd-stable-unsubscribe at freebsd.org
>     <mailto:freebsd-stable-unsubscribe at freebsd.org>"
>
>
>
>
> -- 
> "If my calculations are correct, when this baby hits 88MPH, you're 
> gonna to see some serious shit" - Emmett "Doc" Brown

More information about the freebsd-stable mailing list