For PF I would tend to filter on the ingress interface, tag flows passed by policy, and put a generic pass rule on the egress interface permitting the tagged flows.
The only exception would be assignment of specific flows for shaping.

Greg

> -----Original Message-----
> From: [email protected] [mailto:owner-freebsd-
> [email protected]] On Behalf Of Tonix (Antonio Nati)
> Sent: Friday, 20 July 2012 1:25 AM
> To: [email protected]
> Subject: Question on packet filter using in and out interfaces
>
> I have a basic question on the practical usage of 'in' or 'out'
> interfaces.
>
> I'm having some talks on the PFsense mailing list, and I'm saying there is
> no security difference between using rulesets on output interfaces or on
> input interfaces, as PF is evaluating all rules in the same phase.
>
> On the other hand, I'm told all 'in' rules are evaluated first, then there
> is a routing phase, then the 'out' rules are finally evaluated, so it
> is more secure to have only filters on 'in' interfaces.
>
> Which is the real situation? Does Packet Filter really have any security
> advantage in having only 'in' rules, or is there no difference in using the
> out interface instead of the in interface?
>
> It all starts from the consideration that using out interfaces would
> simplify a lot the management of complex environments, with interfaces
> dedicated to different customers (one OUT rule on a specific interface
> instead of several IN rules on all other interfaces).
>
> Thanks for any clear answer you can give.
>
> Regards,
>
> Tonino
>
>
> _______________________________________________
> [email protected] mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-pf
> To unsubscribe, send any mail to "[email protected]"
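A concrete ruleset for the approach Greg describes at the top of this message (filter and tag on ingress, one generic tagged pass rule on egress, explicit egress rules only for queue assignment), added here as an illustration. It is not part of the original post and is not pfSense-generated configuration. Interface names (em0, em1, em2), the customer networks, the tag names PERMITTED and SHAPE_B, and the ALTQ bandwidth figures are all assumptions.

```pf
# Added example pf.conf; interface, tag and queue names are assumptions.
ext_if = "em0"          # upstream
cust_a = "em1"          # customer A segment
cust_b = "em2"          # customer B segment

set skip on lo0
scrub in all

# Default deny in both directions. A forwarded packet is evaluated twice:
# 'in' on the interface it arrives on and 'out' on the interface it leaves
# by, and it must be passed both times.
block log all

# Ingress policy, written once per customer interface. Each permitted flow
# is tagged; pf stores the tag with the state entry, so every later packet
# of that flow carries the tag when it reaches the egress interface.
pass in quick on $cust_a inet proto tcp from $cust_a:network to any \
    port { 80 443 } flags S/SA keep state tag PERMITTED
pass in quick on $cust_a inet proto udp from $cust_a:network to any \
    port 53 keep state tag PERMITTED

# Shaping exception: flows that need a particular queue get their own tag
# on ingress so the egress side can pick them out without re-stating the
# policy. A packet carries only one tag, so SHAPE_B replaces PERMITTED here.
pass in quick on $cust_b inet proto tcp from $cust_b:network to any \
    port 443 flags S/SA keep state tag SHAPE_B

# ALTQ queues on the egress interface (kernel must be built with ALTQ).
altq on $ext_if cbq bandwidth 10Mb queue { q_default q_cust_b }
queue q_default bandwidth 70% cbq(default)
queue q_cust_b  bandwidth 30%

# Egress: the specific shaping rule first, then the generic rule that
# passes anything the ingress policy already accepted.
pass out quick on $ext_if tagged SHAPE_B queue q_cust_b
pass out quick on $ext_if tagged PERMITTED
```

Check the syntax without loading it with `pfctl -nf /etc/pf.conf`, and after `pfctl -f /etc/pf.conf` confirm with `pfctl -vsr` that the tag options and per-rule counters appear as expected. One caveat with this layout: anything that reaches $ext_if untagged, for example traffic the firewall itself originates, falls through to `block log all` on the way out, so such traffic needs its own explicit `pass out` rules rather than relying on the tagged ones.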
