Date: Mon, 25 Jun 2018 17:44:17 +1000
From: Aristedes Maniatis <ari@ish.com.au>
To: Walter Parker <walterp@gmail.com>, freebsd-stable <freebsd-stable@freebsd.org>
Subject: Re: pf best practices: in or out
Message-ID: <a23c92e1-a59d-068f-50ff-79715452a704@ish.com.au>
In-Reply-To: <CAMPTd_D9S2zSSCRn28U3hZW32S1UwJwuWn2c2cAcwn+f4ActCA@mail.gmail.com>
References: <1a730ca1-8c9e-9a9b-72e5-696fb92c8e49@ish.com.au>
 <CACLnyCLmwxGotsahEPfaVZGuEXNe0CdVeJRdXscYFU=1tkk7Jw@mail.gmail.com>
 <d218fbed-09c2-0715-643f-0772956a501c@ish.com.au>
 <CAMPTd_D9S2zSSCRn28U3hZW32S1UwJwuWn2c2cAcwn+f4ActCA@mail.gmail.com>
On 25/6/18 5:30pm, Walter Parker wrote:
> The use case for pass out rules would be to block local processes on
> the box from making external connections to other servers.
> This is useful if you don't fully trust users or software running on
> your equipment. Also, this would be useful to preemptively block ports
> that would be useful in DDOS attacks.

Ah, then I misunderstood what pass-in and pass-out meant. I thought those words referred to the interface, so it would hit pass-in to the interface even if coming from a local process.

In that case I'm better off writing all my outbound rules as pass-out so as to equally filter traffic from the internal network and the local firewall machine.

Ari
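The egress layout the two messages above converge on, as an added pf.conf example that is not from the thread or either poster: interface names, the LAN prefix, the port lists and the `_backup` account are constructed assumptions. It also covers a caveat the thread does not spell out: with pf's default floating state policy, a state created by `pass in` on the internal interface would match the same packet when it leaves the external interface and the `pass out` rules would never be consulted for forwarded traffic.

```pf
# Added example (not from the thread). Names and addresses are constructed.
ext_if = "em0"
int_if = "em1"
lan_net = "192.168.1.0/24"
egress_tcp = "{ 22 53 80 443 }"
egress_udp = "{ 53 123 }"

# States are floating by default: a state created by the "pass in" on
# $int_if below would also match the packet on $ext_if and skip the out
# rules. Binding states to interfaces forces every flow through the
# egress policy on $ext_if.
set state-policy if-bound
set skip on lo0

# Default deny, logged to pflog0 so blocked local processes are visible.
block log all

# Let the LAN reach the box and be forwarded; what actually leaves is
# decided by the egress rules, not here.
pass in on $int_if from $lan_net

# One egress policy for both forwarded LAN traffic and the firewall's own
# processes: locally generated packets never pass "in" on any interface,
# they only ever appear as "out" on $ext_if.
pass out on $ext_if proto tcp to any port $egress_tcp
pass out on $ext_if proto udp to any port $egress_udp
pass out on $ext_if proto icmp

# Locally originated packets can additionally be matched by socket owner,
# which is how to let one untrusted local account reach a single service
# while everything else it tries is caught by "block log all".
# "_backup" is a hypothetical account name.
pass out log on $ext_if proto tcp to any port 873 user _backup
```

Check the syntax with `pfctl -nf /etc/pf.conf` before loading, and watch `tcpdump -n -e -ttt -i pflog0` to see which local processes or LAN hosts are hitting the default deny.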