If you can provide a link to this PF diagram it would be very useful.

Regards,

Tonino

On 21/07/2012 15:58, Greg Hennessy wrote:
As I recall there is a diagram out there which details the packet flow starting
with the ingress interface.

It'll explain what gets evaluated where. Bear in mind the effect of the 'quick' 
keyword. Something I tend to always use.

Regards

Greg


-----Original Message-----
From: Tonix (Antonio Nati) [mailto:[email protected]]
Sent: Saturday, 21 July 2012 11:49 PM
To: Greg Hennessy
Cc: [email protected]
Subject: Re: Question on packet filter using in and out interfaces

On 20/07/2012 02:44, Greg Hennessy wrote:
For PF I would tend to filter in the ingress interface, tag flows passed by
policy and put a generic pass rule on the egress interface permitting the
tagged flow.

The only exception would be assignment of specific flows for shaping.

Please see my answer on the other thread. If PF evaluates all rules together,
there would be no security difference between using IN or OUT rules.

Or does PF not evaluate all rules in the configuration file in the same phase?

Regards,

Tonino



Greg


-----Original Message-----
From: [email protected] [mailto:owner-freebsd-[email protected]] On Behalf Of Tonix (Antonio Nati)
Sent: Friday, 20 July 2012 1:25 AM
To: [email protected]
Subject: Question on packet filter using in and out interfaces

I have a basic question on the practical usage of 'in' or 'out' interfaces.

I'm having some discussions on the pfSense mailing list, and I'm saying there is
no security difference between using rulesets on output interfaces or on
input interfaces, as PF evaluates all rules in the same phase.

On the contrary, I'm told all 'in' rules are evaluated first, then there
is a routing phase, then the 'out' rules are finally evaluated, so it
is more secure to have filters only on 'in' interfaces.

What is the real situation? Does Packet Filter really have any security
advantage in having only 'in' rules, or is there no difference between using
the out interface instead of the in interface?

It all starts from the consideration that using out interfaces would greatly
simplify the management of complex environments, with interfaces dedicated to
different customers (one OUT rule on a specific interface instead of
several IN rules on all other interfaces).

Thanks for any clear answer you can give.

Regards,

Tonino


_______________________________________________
[email protected] mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-pf
To unsubscribe, send any mail to "[email protected]"



--
------------------------------------------------------------
          Inter@zioni            Interazioni di Antonio Nati
     http://www.interazioni.it      [email protected]
------------------------------------------------------------







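Greg's ingress-filter-and-tag pattern, written out as an added pf.conf example; this is constructed for illustration and is not configuration from the thread or from any of its participants. The interface names em0/em1/em2, the customer interfaces and the permitted ports are assumptions. For context: pf consults the ruleset twice for a forwarded packet, once in the 'in' direction on the interface it arrives on and once in the 'out' direction on the interface it leaves by; in each pass only rules whose direction and interface match are considered, and the last matching rule wins unless a rule carries 'quick', which ends evaluation at that rule.

```pf
# Constructed example pf.conf for the ingress-filter-and-tag pattern.
# Interface names and networks are assumptions, not from the thread.
ext_if    = "em0"       # uplink / egress interface
cust_a_if = "em1"       # interface dedicated to customer A
cust_b_if = "em2"       # interface dedicated to customer B

# Default policy: drop and log everything that no later rule passes.
block log all

# Ingress filtering: the decision is made on the interface the packet
# enters. 'quick' stops evaluation at the first match, so a packet that
# matches a pass rule here cannot be overridden by a later rule. A flow
# that matches nothing stays blocked and is dropped before routing.
pass in quick on $cust_a_if inet proto tcp \
    from $cust_a_if:network to any port { 80, 443 } \
    tag CUST_A_OK keep state
pass in quick on $cust_b_if inet proto tcp \
    from $cust_b_if:network to any port 25 \
    tag CUST_B_OK keep state

# Egress: one generic rule per interface that only admits flows tagged
# at ingress. Anything untagged that reaches this point is still caught
# by 'block log all'.
pass out quick on $ext_if tagged CUST_A_OK keep state
pass out quick on $ext_if tagged CUST_B_OK keep state
```

One caveat worth knowing when reasoning about the "two phases": with pf's default 'set state-policy floating', the state entry created by the 'pass in ... keep state' rule already matches the same packet when it is checked again on the egress interface, so the 'out' rules are not consulted for that flow at all. The 'tagged' egress rules become the operative check when 'set state-policy if-bound' is used, or for stateless rules; in both cases the tag carries the ingress decision across to the egress interface rather than repeating the customer-specific policy there.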
