From owner-freebsd-pf@FreeBSD.ORG Mon Jul 23 11:13:51 2012
Date: Mon, 23 Jul 2012 13:13:49 +0200
From: Daniel Hartmeier
To: "Tonix (Antonio Nati)"
Cc: "freebsd-pf@freebsd.org"
Subject: Re: Question on packet filter using in and out interfaces
Message-ID: <20120723111348.GD32530@insomnia.benzedrine.cx>
In-Reply-To: <500D2D35.4070608@interazioni.it>
List-Id: "Technical discussion and general questions about packet filter (pf)"
On Mon, Jul 23, 2012 at 12:53:41PM +0200, Tonix (Antonio Nati) wrote:

> So, does that mean the OUT phase evaluation always occurs when IN phase
> has been positive (packet should pass)?

Yes. You have to both allow a packet in on the first interface and out on
the second interface. If you forget/omit the second part, the packet will
get dropped (assuming a default block policy).

> I'm thinking of the management of a lot of interfaces, where one is the
> WAN, and others are DMZ and/or customers' dedicated subnets.
>
> I'd love to put basic protections on WAN input, and then permit all
> other interfaces to define their own rules for packets coming/going
> from/to the specific subnet.
>
> According to what I understand of your explanation, each interface could
> have its own IN rules, and if the IN rules of a specific INPUT interface
> are successful, the OUT rules of the 'outgoing' interface are then
> evaluated.

Yes.

Example: you want to prevent customers from talking to arbitrary SMTP hosts
(prevent spam by forcing the use of a spam filtering proxy). You can block
this with OUT rules on the WAN interface, i.e. by only allowing the proxy's
source address to connect to external hosts' port 25. Even if customers can
add pass rules for their respective interfaces, they cannot circumvent your
OUT on WAN rules.

> This would be wonderful, as each interface could have both IN and OUT
> rules which do not interfere with or break other interfaces' rules. And
> would permit writing most of the rules just once, according to each
> interface's needs.

Yes, that's the upside of filtering in both directions on all involved
interfaces :)

The downside is that you might have to add some redundancy in your rules:
even if a customer adds 'pass out on DMZ to port 80' you'll also have to add
'pass out on WAN to port 80'. When a customer complains that something isn't
working, you'll have to check both his interface's rules AND the WAN rules.
Daniel
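A minimal pf.conf that implements the layout discussed in this reply (basic protection on WAN input, SMTP policy enforced on WAN output, per-interface rules for DMZ and customer subnets), as an added example that is not from the thread; the interface names, the two subnets and the proxy address are assumed placeholders.

```pf
# Added example, not from the original mail. Interface names, subnets and
# the proxy address are placeholders; substitute your own.
wan_if     = "em0"
dmz_if     = "em1"
cust_if    = "em2"
dmz_net    = "192.0.2.0/24"
cust_net   = "198.51.100.0/24"
smtp_proxy = "192.0.2.25"        # spam-filtering SMTP proxy in the DMZ

set skip on lo0
# Default block policy: a packet must match a pass rule on the interface
# it enters AND on the interface it leaves, or it is dropped.
block log all

# --- WAN: basic protection on input, policy on output ---
antispoof for $wan_if
# Only the DMZ web servers are reachable from outside.
pass in on $wan_if proto tcp from any to $dmz_net port { 80, 443 } keep state
# Only the proxy may open outbound SMTP. Customers cannot circumvent this
# from their own interface rules, because the packet is still evaluated
# here on its way out (last matching rule wins; no later rule passes 25).
pass out on $wan_if proto tcp from $smtp_proxy to any port 25 keep state
# The "redundant" companion rule: a customer's 'pass in ... port 80' below
# is not enough on its own, the packet also has to be passed out on WAN.
pass out on $wan_if proto tcp from { $dmz_net, $cust_net } \
    to any port { 80, 443 } keep state

# --- DMZ: rules owned by the DMZ administrator ---
pass in  on $dmz_if proto tcp from $dmz_net to any port { 25, 80, 443 } keep state
pass out on $dmz_if proto tcp from any to $dmz_net port { 80, 443 } keep state
# Customers may submit mail to the proxy only.
pass out on $dmz_if proto tcp from $cust_net to $smtp_proxy port 25 keep state

# --- Customer subnet: rules owned by the customer ---
# Port 25 is allowed IN here, but it only reaches the proxy (out on DMZ);
# to any external host it is dropped by the WAN OUT rules above.
pass in on $cust_if proto tcp from $cust_net to any port { 25, 80, 443 } keep state
```

Load it with `pfctl -nf /etc/pf.conf` first to check the syntax, then without `-n`; when a customer reports a failure, `pfctl -sr` and `tcpdump -n -e -ttt -i pflog0` show which interface's rule is dropping the packet.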