Daniel.
thanks for detailed explanations!
Regards,
Tonino
Inter@zioniInterazioni di Antonio Nati
http://www.interazioni.it to...@interazioni.it
On Mon, Jul 23, 2012 at 01:32:07PM +0200, Tonix (Antonio Nati) wrote:
> I have customers which should be allowed to go wherever they like and
> accept from all.
>
> So I'd love to make something like this:
>
> - deny on INPUT WAN from hackers/abusers
> - allow any other INPUT on WAN
> - allow a
Sorry, forgot a basic rule!
On 23/07/2012 13:26, Tonix (Antonio Nati) wrote:
On 23/07/2012 13:13, Daniel Hartmeier wrote:
On Mon, Jul 23, 2012 at 12:53:41PM +0200, Tonix (Antonio Nati) wrote:
So, does that mean the OUT phase evaluation always occurs when IN phase
has been positive (
On 23/07/2012 13:13, Daniel Hartmeier wrote:
On Mon, Jul 23, 2012 at 12:53:41PM +0200, Tonix (Antonio Nati) wrote:
So, does that mean the OUT phase evaluation always occurs when IN phase
has been positive (packet should pass)?
Yes. You have to both allow a packet in on the first interfac
On Mon, Jul 23, 2012 at 12:53:41PM +0200, Tonix (Antonio Nati) wrote:
> So, does that mean the OUT phase evaluation always occurs when IN phase
> has been positive (packet should pass)?
Yes. You have to both allow a packet in on the first interface and out
on the second interface. If you forget/
On 23/07/2012 11:55, Daniel Hartmeier wrote:
On Mon, Jul 23, 2012 at 11:37:27AM +0200, Tonix (Antonio Nati) wrote:
What it is not clear to me is related to in/out rules evaluation.
Diagram starts obviously from the packet entering the system, until the
packet exits the system. When the pa
On Mon, Jul 23, 2012 at 11:37:27AM +0200, Tonix (Antonio Nati) wrote:
> What it is not clear to me is related to in/out rules evaluation.
>
> Diagram starts obviously from the packet entering the system, until the
> packet exits the system. When the packet enters the system, which rules
> are e
On 21/07/2012 20:23, Daniel Hartmeier wrote:
On Sat, Jul 21, 2012 at 05:22:07PM +0200, Tonix (Antonio Nati) wrote:
If you can provide a link to this PF diagram it would be very useful.
A copy is preserved on http://www.benzedrine.cx/pf_flow.png
Yes, there are two phases.
HTH,
Daniel
That is a very helpful diagram. There are two aspects that I don't see
directly addressed.
1. For packets ultimately delivered to processes on the system pf is running
on, I suspect they get to the Kernel Processing box and then are directly
delivered to the receiving process. The out phase
On Sat, Jul 21, 2012 at 05:22:07PM +0200, Tonix (Antonio Nati) wrote:
> If you can provide a link to this PF diagram it would be very useful.
A copy is preserved on http://www.benzedrine.cx/pf_flow.png
Yes, there are two phases.
HTH,
Daniel
: owner-freebsd...@freebsd.org [mailto:owner-freebsd-
p...@freebsd.org] On Behalf Of Tonix (Antonio Nati)
Sent: Friday, 20 July 2012 1:25 AM
To: freebsd-pf@freebsd.org
Subject: Question on packet filter using in and out interfaces
I have a basic question on usage of 'in' or 'out' i
> From: Tonix (Antonio Nati) [mailto:to...@interazioni.it]
> Sent: Saturday, 21 July 2012 11:49 PM
> To: Greg Hennessy
> Cc: freebsd-pf@freebsd.org
> Subject: Re: Question on packet filter using in and out interfaces
>
> On 20/07/2012 02:44, Greg Hennessy wrote:
> >
[mailto:owner-freebsd-
p...@freebsd.org] On Behalf Of Tonix (Antonio Nati)
Sent: Friday, 20 July 2012 1:25 AM
To: freebsd-pf@freebsd.org
Subject: Question on packet filter using in and out interfaces
I have a basic question on usage of 'in' or 'out' interfaces, on
practical usage.
I
On 19/07/2012 18:51, Hooman Fazaeli wrote:
On 7/19/2012 7:54 PM, Tonix (Antonio Nati) wrote:
Which is the real situation? Does Packet Filter really have any
security advantage having only 'in' rules, or there is no difference
on using out interface instead of in interface?
All start from
reebsd...@freebsd.org [mailto:owner-freebsd-
> p...@freebsd.org] On Behalf Of Tonix (Antonio Nati)
> Sent: Friday, 20 July 2012 1:25 AM
> To: freebsd-pf@freebsd.org
> Subject: Question on packet filter using in and out interfaces
>
> I have a basic question on usage of
On 7/19/2012 7:54 PM, Tonix (Antonio Nati) wrote:
Which is the real situation? Does Packet Filter really have any security
advantage having only 'in' rules, or there is no difference on using out
interface instead of in interface?
All start from consideration that using out interfaces would
I have a basic question on usage of 'in' or 'out' interfaces, on
practical usage.
I'm having some talks in PFsense mailing list, and I'm saying there is
no security difference about using rulesets on output interfaces or on
input interfaces, as PF is evaluating all rules in the same phase.