On 02/07/2012 15:00, Giles Coochey wrote:
On 02/07/2012 13:41, Tonix (Antonio Nati) wrote:
I've suggested (both for pfSense and Monowall) to give the
possibility to invert the filtering directions.
In complex environment, it would be a lot more useful to apply
filters to outgoing interfaces (instead of incoming interfaces).
In this way you write only one statement and only for the interface
which is managing the output zone.
If this basic system setting (apply filters to incoming or outgoing
interfaces) could be modified, I'm sure all ISP will apply filters to
outgoing interfaces.
With output filters, interface management could also be allowed per
user, as it would not interfere with other interfaces.
In some environments this might cause a performance issue and perhaps
be easier to DoS.
In an outbound filtering scenario:
If you think about it, the firewall looks at the packet, processes it
(NATs and routes it appropriately, etc.), and only when it goes to
transmit the packet does it check the outbound ruleset and make the
decision to drop the packet - but it has already wasted quite a few CPU
loops before deciding to drop the packet.
In an inbound filtering scenario the packet is dropped or accepted
prior to any of routing, NAT etc... and a lot fewer CPU instructions
are wasted.
Just a thought?
I would not be so sure about that.
When I took an inside look at PF some years ago, I had the perception
that filters are evaluated all together in the same place, regardless of
whether they are incoming or outgoing. You can even mix incoming and
outgoing interfaces in the filter flow you design.
As far as I remember PF does let you specify INPUT or OUTPUT interface,
but not INPUT and OUTPUT.
Tonino
_______________________________________________
List mailing list
[email protected]
http://lists.pfsense.org/mailman/listinfo/list
--
------------------------------------------------------------
Inter@zioni Interazioni di Antonio Nati
http://www.interazioni.it [email protected]
------------------------------------------------------------
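The two filtering styles argued about in this thread, written as pf.conf rules. This is an added illustration, not configuration from either poster or from pfSense; interface names, networks and ports are assumed placeholders, and the two rulesets are alternatives, not meant to be loaded together.

```pf
# Added example (not from the thread). Placeholders: em0 = WAN, em1 = LAN, em2 = DMZ.
lan_if  = "em1"
dmz_if  = "em2"
wan_if  = "em0"
lan_net = "192.168.1.0/24"
dmz_net = "10.0.0.0/24"

set skip on lo0
block log all          # default deny in both directions; everything below is an exception

# --- Ruleset A: filter where traffic ENTERS (the pfSense/m0n0wall convention) ---
# One rule block per source interface. A packet rejected here is dropped before
# routing or NAT, which is the CPU argument made above. Because the pass rules are
# stateful, the state entry also lets the reply and the outbound leg through, so
# no matching "pass out" is needed on the destination interface.
pass in quick on $lan_if proto tcp from $lan_net to $dmz_net port 80 keep state
pass in quick on $dmz_if proto tcp from $dmz_net to any port { 25 53 } keep state

# --- Ruleset B: filter where traffic LEAVES (the proposal in this thread) ---
# One rule block per destination zone, regardless of which interface the packet
# came in on; the decision is made after routing, so a dropped packet has already
# been looked up in the routing table. Traffic must still be allowed to enter, so
# the inbound side becomes a blanket stateless pass and all policy lives on "out".
# (Load this INSTEAD of ruleset A.)
# pass in quick on { $lan_if $dmz_if } no state
# pass out quick on $dmz_if proto tcp from $lan_net to $dmz_net port 80 keep state
# pass out quick on $wan_if proto tcp from $dmz_net to any port { 25 53 } keep state
```

Check either variant with `pfctl -nf pf.conf` before loading it, and compare `pfctl -vsr` afterwards: the per-rule Evaluations and Packets counters show where each ruleset actually spends its matching work.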