From: Daniel Hartmeier
To: "Tonix (Antonio Nati)"
Cc: freebsd-pf@freebsd.org
Date: Mon, 23 Jul 2012 11:55:09 +0200
Subject: Re: Question on packet filter using in and out interfaces
Message-ID: <20120723095509.GB32530@insomnia.benzedrine.cx>
In-Reply-To: <500D1B57.8080405@interazioni.it>

On Mon, Jul 23, 2012 at 11:37:27AM +0200, Tonix (Antonio Nati) wrote:

> What is not clear to me is related to in/out rules evaluation.
>
> The diagram obviously starts from the packet entering the system until the
> packet exits the system. When the packet enters the system, which rules
> are evaluated? All rules related to the interface, both for IN and OUT? Or
> only IN?

During both phases (first incoming on one interface, then outgoing on the
other interface), all rules are evaluated. Rules can omit the direction
(e.g. 'pass from src to dst'), and such rules can match in either phase,
or both. If rules do specify a direction (e.g. 'pass in from src to dst'),
they are still evaluated during both the in and out phases, but they
cannot possibly match during the wrong phase.

> The PF manual says all rules in pf.conf are evaluated, so I suppose all
> rules applying to that interface are evaluated... or are only IN rules
> evaluated in this first step, and only OUT rules evaluated in the second
> step?

There isn't really any difference: while all rules are evaluated, only
the IN rules can possibly match (in the first step), so there's no way
you could notice the OUT rules being evaluated...

Daniel
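The two-phase evaluation Daniel describes, as an added pf.conf illustration that is not part of the thread: a forwarded packet arrives on em0 and leaves on em1, and the ruleset mixes direction-less and directional rules. Interface names and the TEST-NET addresses are assumed for the example.

```conf
# Added example, not from the mailing-list thread. A router forwards a
# packet that comes IN on em0 and goes OUT on em1; interface names and
# addresses are placeholders chosen for illustration.
int_if = "em0"
ext_if = "em1"
lan    = "192.0.2.0/24"     # TEST-NET-1, constructed
server = "198.51.100.10"    # TEST-NET-2, constructed

block log all

# Direction-less rule: evaluated in both phases and able to match in
# both, i.e. once while the packet enters em0 and again while it
# leaves em1.
pass from $lan to $server

# Directional rules: also evaluated in both phases, but 'pass in' can
# only match while the packet is entering em0, and 'pass out' only while
# it is leaving em1. The 'in' rule is never a candidate in the outbound
# phase (and vice versa), which is why evaluating it there is invisible.
pass in  on $int_if from $lan to $server
pass out on $ext_if from $lan to $server

# Two things to keep in mind when checking this with rule counters
# (pfctl -vvsr): pf uses last-matching-rule semantics unless 'quick' is
# set, so the directional rule above wins over the direction-less one in
# its own phase; and because pass rules keep state by default, later
# packets of a connection are matched by the state entry before any rule
# is evaluated, so the counters of a 'pass in' rule only ever grow from
# the inbound phase, those of a 'pass out' rule only from the outbound
# phase, and those of the direction-less rule from either.
```

Load the fragment with `pfctl -nf` first to check the syntax, then compare the per-rule counters before and after sending a forwarded packet to see which phase each rule matched in.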