On 7/19/2012 7:54 PM, Tonix (Antonio Nati) wrote:
> What is the real situation? Does Packet Filter really have any security
> advantage in having only 'in' rules, or is there no difference in using the
> out interface instead of the in interface?
> It all starts from the consideration that using out interfaces would simplify
> the management of complex environments a lot, with interfaces dedicated to
> different customers (one OUT rule on a specific interface instead of several
> IN rules on all other interfaces).
- Regardless of type, a firewall must be able to perform filtering in both the IN
and OUT directions.

For instance, consider a firewall acting as an IPsec gateway. The traffic comes IN
encrypted. Here you have the chance to filter traffic based on the external tunnel
addresses. Then the firewall decrypts the traffic and forwards it to the Internet.
Here you have the opportunity to filter based on the internal packet headers and
plaintext content.

- IN may be preferred if a specific set of packets can be blocked on both IN
and OUT.

All the CPU cycles allocated to forwarding are wasted if you postpone blocking
until packets reach the OUT level. This, for instance, makes the firewall less
tolerant to DoS attacks.
_______________________________________________
[email protected] mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-pf
To unsubscribe, send any mail to "[email protected]"
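The following pf.conf fragment is an added illustration of the two points in the reply above; it is not part of the thread and not from the FreeBSD project. It expresses the same "only TCP/443 may reach customer A" policy once as a single OUT rule on the customer's dedicated interface and once as IN rules on the other interfaces, then shows the IPsec gateway case with filtering on the outer (ESP/IKE) headers on the physical interface and on the decrypted inner headers on enc0. The interface names, the documentation-prefix addresses and the assumption that the kernel has the enc(4) device so pf sees decrypted IPsec traffic on enc0 are all assumptions for the example.

```conf
# Assumed interface names and addresses for this example (not from the thread)
ext_if     = "em0"              # uplink to the Internet
cust_a_if  = "em1"              # interface dedicated to customer A
cust_b_if  = "em2"              # interface dedicated to customer B
cust_c_if  = "em3"              # interface dedicated to customer C
cust_a_net = "192.0.2.0/24"     # customer A's network
ipsec_peer = "198.51.100.1"     # remote IPsec gateway
remote_net = "10.10.0.0/16"     # network behind the remote IPsec gateway
local_net  = "10.20.0.0/16"     # network on our side of the tunnel

# Addresses that never legitimately arrive from the uplink. Dropping them
# IN, and quick, costs one rule lookup; dropping them OUT would first pay
# for routing every packet of a flood.
table <martians> const { 0.0.0.0/8, 127.0.0.0/8, 169.254.0.0/16, 224.0.0.0/4 }

set skip on lo0
block log all                   # default deny in both directions
block in quick on $ext_if from <martians>

# --- Policy: only TCP/443 may reach customer A's network ------------------

# Variant 1: one rule on the OUT side, on the interface the traffic leaves.
# 'no state' on the IN rule matters: with the default floating state policy
# a state created by 'pass in' would also match the packet on its way out
# and the OUT rule would never be consulted. The state is created by the
# OUT rule instead, so customer A's replies match it on every interface.
pass in on { $ext_if $cust_b_if $cust_c_if } no state
pass out on $cust_a_if proto tcp to $cust_a_net port 443

# Variant 2: the same policy on the IN side, once per arriving interface.
# More rules to maintain, but unwanted packets are dropped before routing.
# (Use instead of Variant 1; with both loaded these quick rules win.)
# pass in quick on { $ext_if $cust_b_if $cust_c_if } proto tcp to $cust_a_net port 443
# block in quick on { $ext_if $cust_b_if $cust_c_if } to $cust_a_net

# --- IPsec gateway: filter the tunnel on IN, the plaintext on enc0 ---------

# Outer headers, on the physical interface: only IKE and ESP from the known
# peer to our own address. Everything else from the peer is dropped here.
pass in quick on $ext_if proto udp from $ipsec_peer to ($ext_if) port { 500 4500 }
pass in quick on $ext_if proto esp from $ipsec_peer to ($ext_if)
pass out quick on $ext_if proto udp from ($ext_if) to $ipsec_peer port { 500 4500 }
pass out quick on $ext_if proto esp from ($ext_if) to $ipsec_peer

# Inner headers, on enc0 (assumes enc(4) is in the kernel): after decryption
# the real source, destination and ports are visible, so the per-network
# policy is written here rather than against the tunnel endpoints.
pass in on enc0 proto tcp from $remote_net to $local_net port { 22 443 }
pass out on enc0 from $local_net to $remote_net
```

Load it with `pfctl -nf /etc/pf.conf` first to check the syntax, then `pfctl -f /etc/pf.conf`. With Variant 1, a TCP/80 packet for customer A is accepted on em0, routed, and only then dropped on em1 by the default block; with Variant 2 the same packet is dropped on em0 before routing, which is the CPU-cycle difference the reply describes.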