On Wed, Jul 4, 2012 at 10:44 AM, Tonix (Antonio Nati)
<[email protected]> wrote:
> On 02/07/2012 15:51, Jim Pingle wrote:
>
>> On 7/2/2012 9:38 AM, Tonix (Antonio Nati) wrote:
>>>
>>> Too much confusion in keeping filters tables,
>>
>> Switching how the entire firewall operates is also very confusing and
>> not likely to do what people expect -- floating rules would be much
>> easier to understand than you expect (if the list were cleaned up a bit)
>>
>>> and no possibility to let a user manage his/her interface.
>>
>> That's not even possible now, and would be just as difficult/easy to
>> implement on the floating tab as any other. (If a user can only see
>> interface X, only show the rules for interface X, done.)
>
>
> Would it be possible to have a technical answer about using OUTPUT
> interface rules instead of INPUT interface rules?
> What should change dramatically inside pfSense, and is there any real
> security reason for not doing that?
>
> As far as I can see in PF filtering, both INPUT and OUTPUT interface rules
> would be evaluated in the same place.
>

The definition of "same place" is not correct here.
While it's true that all rules are in the same place (data structure),
on stateful firewalls they get evaluated only once; that is why
splitting them out is not considered.
Also there are optimizations that make this not a factor at all in
the evaluation of the ruleset.
Certainly it is recommended to kill mosquitoes before they come to you :)

Though it's mostly for performance reasons, because the packets would then
consume too much CPU and open the possibility of DoS.
Although there is the other reason of buffer overflows and exploits.
Wrongly crafted packets might crash your host or even make it
vulnerable to exploits, while with filtering on inbound you reduce this
risk by at least making sure of the sanity of network metadata (packet headers,
IPs, etc.).

> Regards,
>
> Tonino
>
>> Jim
>>
>> _______________________________________________
>> List mailing list
>> [email protected]
>> http://lists.pfsense.org/mailman/listinfo/list
>>
>
>
> --
> ------------------------------------------------------------
>         Inter@zioni            Interazioni di Antonio Nati
>    http://www.interazioni.it      [email protected]
> ------------------------------------------------------------
>
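The inbound-filtering argument made in the reply above, as an added pf.conf sketch that is not from the thread and not pfSense's own generated ruleset; the interface names, the network layout and the single allowed service port are assumptions for illustration:

```pf
# Constructed example ruleset (not the pfSense-generated one).
# Assumed interface names for the illustration.
ext_if = "em0"
int_if = "em1"

# Normalize packets on the way in, before any rule or the host stack
# sees them: reassembles fragments and drops TCP packets with invalid
# flag combinations. This is the "sanity of network metadata" check.
scrub in all

# Default deny on the inbound side: a packet no "pass in" rule accepts
# is dropped on the interface it arrived on, so it is never routed and
# never evaluated against another interface's outbound rules.
block in log all

# Stateful "pass in": only the first packet of a connection is matched
# against the ruleset; later packets hit the state table first, which
# is why splitting rules between inbound and outbound interfaces does
# not save evaluation work.
pass in on $ext_if inet proto tcp from any to ($ext_if) port 443 \
    flags S/SA keep state

# Hosts on the internal network may initiate connections; replies are
# allowed back by the state created here.
pass in on $int_if inet from $int_if:network to any keep state

# Outbound side. If this were the only place rules lived, every inbound
# packet would first be accepted on the receiving interface and routed
# before being judged, and packets addressed to the firewall itself
# would never reach an "out" rule at all.
pass out on $ext_if inet keep state
```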