
pf(4) semantics

While working on a pf(4) tutorial/article, I started wondering about the following,
1. What's the reason why packets 'travel' across an interface twice
(both in and out)? This makes, IMHO, writing very tight rules a bit
tricky. Especially if you want to start off with 'block all'.
2. Say I 'block all' and then want to pass some traffic from $net_a to
$net_b. First, I need 2 rules to allow {in,out} traffic from $net_a and
then 2 rules to allow {in,out} traffic back from $net_b. Sure, you can
group the {in,out} rules in one, i.e. pass from $net_a to $net_b.
Now, what could be very nice is for pf(4) to behave more like the following,
- from pf(4) point of view, there is only inbound traffic from an
  interface. I.e. all traffic originating from $net_a towards other
  networks is always inbound for pf(4).
- when I write a rule like 'pass from $net_a to $net_b', I don't need
  to write another rule saying 'pass from $net_b to $net_a'. pf(4) takes
  care of that (we are stateful, right?)
- say I have 5 interfaces (or 10 VLANs) I filter on. However, not all of
  the networks need to talk to each other. I.e. I could have a $net_c
  that will not talk to $net_a, but will talk to $net_b. It could be
  nice to be able to define this. Otherwise, the traffic never gets
  routed by pf(4).
People that know a certain commercial firewall will recognize this
behaviour. Don't get me wrong, I love pf(4), but there might be room for
// haver
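As an added illustration (not part of the original message), this pf.conf fragment shows how the scenario above is written today: a default deny on all interfaces, one stateful pass rule per allowed network pair, and no explicit reverse rules. Interface names and the three network ranges are placeholders; `keep state` is spelled out for older releases where it was not yet the default.

```pf
# Placeholders: adjust interface names and prefixes to the real setup
if_a  = "em0"
if_b  = "em1"
if_c  = "em2"
net_a = "192.0.2.0/24"
net_b = "198.51.100.0/24"
net_c = "203.0.113.0/24"

set skip on lo

# Default deny, both directions, every filtering interface.
# Logging the drops gives the evidence needed when a flow is unexpectedly cut.
block log all

# A packet from net_a to net_b is evaluated once, when it first arrives
# (inbound on $if_a). The state created there also matches the same packet
# when it leaves outbound on $if_b, and matches the replies from net_b on
# both interfaces, so no 'pass from $net_b to $net_a' rule is needed.
pass from $net_a to $net_b keep state

# Per-network policy: net_c may reach net_b but not net_a. No rule exists
# for net_c <-> net_a, so that traffic stays under the default block.
pass from $net_c to $net_b keep state
```

Load it with `pfctl -nf /etc/pf.conf` first to syntax-check, then watch `pfctl -ss` to confirm that a single state entry carries each allowed flow in both directions.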