Thanks Jason,
So in essence, you'd just control everything on the 'pass in'. I'm
assuming all traffic originating from the local machine is still hitting
a pass in rule on some interface corresponding to the source IP address?
DNAT is working fine for me in pf, although I understand it is named rdr.
What is the use case for using pass out rules instead of pass in rules?
Cheers
Ari
On 25/6/18 4:55pm, Jason Tubnor wrote:
Hi Ari,
In most cases, block all and then perform conditional pass in on
traffic. Depending on your requirements you would conclude your rules
with explicit pass out or just a general pass out 'all' (the former in
the newer syntax of PF allows you to control queues, operational tags
etc - but that won't help you with the current implementation of PF in
FreeBSD).
DNAT isn't a thing in PF (I assume you were looking how you'd do it if
you were coming from Linux). Incoming will manipulate where required
when rdr etc. Only outbound needs NAT binding.
Cheers,
Jason.
On 25 June 2018 at 14:12, Aristedes Maniatis <[email protected]> wrote:
Hi all
pf has rules that can operate either 'in' or 'out'. That is, on
traffic entering or leaving an interface. I'm trying to
consolidate my rules to make them easier to understand and update,
so it seems a bit pointless to have the same rules twice.
Are there any best practices on whether it makes more sense to put
rules on the in or out side? I could bind all the rules to the
internet facing interface and then use "in" for inbound traffic
and "out" for outbound. Does that make sense? Does it make any
difference from a performance point of view?
Secondly, where do DNAT rules execute in the sequence? Do they
change the destination IP in between the in and out pass pf rules?
I'm not currently subscribed here, so please cc me on replies.
Thanks
Ari
_______________________________________________
[email protected] mailing list
https://lists.freebsd.org/mailman/listinfo/freebsd-stable
To unsubscribe, send any mail to "[email protected]"
--
"If my calculations are correct, when this baby hits 88MPH, you're
gonna to see some serious shit" - Emmett "Doc" Brown
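The layout Jason describes (block all, conditional pass in per interface, one general pass out, rdr for inbound redirection) and the ordering Ari asks about, written out as an added example pf.conf in the pre-4.7 OpenBSD syntax FreeBSD's pf uses. This is not either poster's configuration; interface names, the LAN network and the web server address are assumptions.

```pf
# Added example, not from the thread. em0/em1, 192.168.1.0/24 and
# 192.168.1.10 are assumed values.
ext_if  = "em0"
int_if  = "em1"
lan_net = "192.168.1.0/24"
web_srv = "192.168.1.10"

set skip on lo0
scrub in all

# Translation rules are evaluated before filter rules. rdr rewrites the
# destination of inbound packets on $ext_if, so the filter rule below must
# match the translated destination ($web_srv), not the external address.
# nat is only needed for outbound traffic leaving $ext_if.
nat on $ext_if from $lan_net to any -> ($ext_if)
rdr on $ext_if proto tcp from any to ($ext_if) port 80 -> $web_srv port 80

# Default deny, then conditional pass in on the interface the traffic
# arrives on. Decisions live here rather than being duplicated as pass out.
block log all
antispoof quick for { $int_if $ext_if }

pass in on $ext_if proto tcp from any to $web_srv port 80 \
    flags S/SA keep state
pass in on $ext_if proto tcp from any to ($ext_if) port 22 \
    flags S/SA keep state
pass in on $int_if from $lan_net to any keep state

# One general pass out. State created by the pass in rules already covers
# the forwarded and reply traffic, so no per-flow pass out rules are needed.
pass out all keep state
```

Check the rule set with `pfctl -nf /etc/pf.conf` before loading it; the ordering error (a filter rule placed before a translation rule) is reported at parse time.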