On 19/07/2012 18:51, Hooman Fazaeli wrote:
On 7/19/2012 7:54 PM, Tonix (Antonio Nati) wrote:
Which is the real situation? Does Packet Filter really have any
security advantage from having only 'in' rules, or is there no difference
between using the out interface instead of the in interface?
It all starts from the consideration that using out interfaces would
simplify a lot the management of complex environments, with interfaces
dedicated to different customers (one OUT rule on a specific interface
instead of several IN rules on all the other interfaces).
- Regardless of type, a firewall must be able to perform filtering on
both IN and OUT directions.
For instance, consider a firewall acting as an IPSec gateway. The traffic
comes IN encrypted. Here, you have the chance to filter traffic based on
the external tunnel addresses. Then the firewall decrypts the traffic and
forwards it to the Internet. Here you have the opportunity to filter based
on the internal packet headers and the plain-text content.
- IN may be preferred if a specific set of packets can be blocked on
both IN and OUT. All the CPU cycles allocated to forwarding are wasted
if you postpone blocking until the packets reach the OUT level. This,
for instance, makes the firewall less tolerant to DoS attacks.
I'd love not a theoretical answer, but a practical answer based on how PF works.
In the PF manual, I read that all the rules contained in the rules file are
evaluated all together, so it looks like PF does not make a real difference
between IN or OUT, but just follows the order in which the rules are listed
in the configuration file.
Is that true?
If PF follows the order of the rules as listed in the configuration file,
there is no difference between using an IN or an OUT rule, as the
evaluation is done in the same phase for all.
If, instead, IN and OUT rules are evaluated in different phases, then I
am missing something in the manuals...
Regards,
Tonino
--
------------------------------------------------------------
Inter@zioni Interazioni di Antonio Nati
http://www.interazioni.it [email protected]
------------------------------------------------------------
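The two positions in the thread (Hooman's "block early, at IN" and Tonino's "one OUT rule per customer interface is easier to manage") can be compared on a small model of how PF walks a ruleset. The model below is an added example, not code from the thread or from PF itself: it keeps only the parts of PF's evaluation that matter here (the ruleset is walked in file order at the inbound hook on the ingress interface and again at the outbound hook on the egress interface, a rule can only match at the hook for its own direction, the last matching rule wins unless it is `quick`, and a packet that finds no rule is passed). The interface names, the two constructed rulesets and the sample packets are assumptions made for illustration; the routing decision (which egress interface a packet takes) is supplied by hand instead of a routing table.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Simplified model of PF rule evaluation (added example, not PF's own code).
# Only the behaviour discussed in the thread is modelled: direction, interface,
# address prefixes, file order, last-match-wins and "quick".


@dataclass(frozen=True)
class Rule:
    action: str                 # "pass" or "block"
    direction: str              # "in" or "out": the hook at which the rule can match
    iface: Optional[str]        # None matches any interface
    src: Optional[str] = None   # constructed prefix match on the source address
    dst: Optional[str] = None   # constructed prefix match on the destination address
    quick: bool = False         # stop walking the ruleset on match


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    in_if: str    # interface the packet arrived on
    out_if: str   # egress interface; in real PF this comes from the routing table


def matches(rule: Rule, pkt: Packet, direction: str, iface: str) -> bool:
    """A rule matches only at the hook for its own direction."""
    if rule.direction != direction:
        return False
    if rule.iface is not None and rule.iface != iface:
        return False
    if rule.src is not None and not pkt.src.startswith(rule.src):
        return False
    if rule.dst is not None and not pkt.dst.startswith(rule.dst):
        return False
    return True


def evaluate(rules: List[Rule], pkt: Packet, direction: str, iface: str) -> Tuple[str, int]:
    """Walk the whole ruleset in file order at one hook.

    Returns (verdict, number_of_rules_looked_at). The last matching rule wins
    unless it is marked quick; a packet matching no rule is passed.
    """
    verdict = "pass"
    looked_at = 0
    for rule in rules:
        looked_at += 1
        if matches(rule, pkt, direction, iface):
            verdict = rule.action
            if rule.quick:
                break
    return verdict, looked_at


def forward(rules: List[Rule], pkt: Packet) -> Tuple[str, str, int]:
    """Run the inbound hook; only a passed packet is routed and reaches the outbound hook.

    Returns (verdict, hook_that_decided, total_rules_looked_at).
    """
    verdict, n_in = evaluate(rules, pkt, "in", pkt.in_if)
    if verdict == "block":
        return "block", "in", n_in
    verdict, n_out = evaluate(rules, pkt, "out", pkt.out_if)
    return verdict, "out", n_in + n_out


# Constructed topology: customer A on vlan10 (10.10/16), customers B and C on
# vlan20 and vlan30 (10.20/16, 10.30/16), uplink on em0. Policy: no customer
# may reach customer A's network; the uplink may.

# Tonino's style: one OUT rule on customer A's interface.
OUT_STYLE = [
    Rule("pass", "in", None),
    Rule("pass", "out", None),
    Rule("block", "out", "vlan10", src="10."),
]

# Hooman's style: one IN rule per other customer interface.
IN_STYLE = [
    Rule("pass", "in", None),
    Rule("pass", "out", None),
    Rule("block", "in", "vlan20", dst="10.10."),
    Rule("block", "in", "vlan30", dst="10.10."),
]

CUSTOMER_TO_CUSTOMER = Packet("10.20.1.5", "10.10.0.9", "vlan20", "vlan10")
UPLINK_TO_CUSTOMER = Packet("203.0.113.7", "10.10.0.9", "em0", "vlan10")

if __name__ == "__main__":
    for name, rules in (("OUT style", OUT_STYLE), ("IN style", IN_STYLE)):
        for pkt in (CUSTOMER_TO_CUSTOMER, UPLINK_TO_CUSTOMER):
            print(name, pkt.src, "->", pkt.dst, forward(rules, pkt))
```

Both rulesets reach the same verdict for both packets, which is the sense in which "PF just follows the order in the file" is right: the file is walked as one list at each hook. The difference is where the verdict is reached. With the OUT style the customer-to-customer packet is passed at the inbound hook, routed, and only blocked at the outbound hook on vlan10; with the IN style it is dropped at the inbound hook on vlan20 before any routing work, which is the CPU-cycle point in Hooman's reply. The price of the IN style is visible in the ruleset itself: one rule per other interface instead of one rule on the protected interface.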
_______________________________________________
[email protected] mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-pf
To unsubscribe, send any mail to "[email protected]"