On 04/07/2012 11:44, Ermal Luçi wrote:
On Wed, Jul 4, 2012 at 10:44 AM, Tonix (Antonio Nati)
<[email protected]> wrote:
On 02/07/2012 15:51, Jim Pingle wrote:
On 7/2/2012 9:38 AM, Tonix (Antonio Nati) wrote:
Too much confusion in keeping filter tables,
Switching how the entire firewall operates is also very confusing and
not likely to do what people expect -- floating rules would be much
easier to understand than you expect (if the list were cleaned up a bit)
and no possibility to let a user manage his/her interface.
That's not even possible now, and would be just as difficult/easy to
implement on the floating tab as any other. (If a user can only see
interface X, only show the rules for interface X, done.)
Would it be possible to have a technical answer about using OUTPUT
interfaces rules instead of INPUT interfaces rules?
What should change dramatically inside pfsense, and is there any real
security reason for not doing that?
As far as I can see PF filtering, both INPUT and OUTPUT interfaces rules
would be evaluated in same place.
Definition of same place is not correct here.
While it's true that all rules are in the same place (data structure),
on stateful firewalls they get evaluated only once; that is why it is
not considered to split them out.
Also there are optimizations that make this not a factor at all in
evaluation of ruleset.
Certainly it is recommended to kill mosquitoes before they come to you :)
Though it's mostly for performance reasons, because the packets then will
consume too much CPU and open the possibility of DoS.
Although there is the other reason of buffer overflows and exploits.
Wrongly crafted packets might crash your host or even make it
vulnerable to exploits, while with filtering on inbound you reduce this
risk by at least making sure of the sanity of network metadata (packet
headers, IPs, etc.).
Sorry, but you did not answer my question. Your comments are general
security comments but do not answer the central question.
Once you have an incoming connection (first time) to, let's say from INT
X to INT Y, dest IP Z, dest port P, will these alternative rules be
evaluated in same moment or not?
- Evaluate INPUT on INT X, dest IP Z, dest port P
- Evaluate OUTPUT on INT Y, dest IP Z, dest port P
If the answer is YES, there is no added security risk in preferring
filtering rules on the OUTPUT interface. Both INPUT and OUTPUT have the same risks.
If the answer is NO, please explain where and why INPUT and OUTPUT are
evaluated in different phases.
Regards,
Tonino
Regards,
Tonino
Jim
_______________________________________________
List mailing list
[email protected]
http://lists.pfsense.org/mailman/listinfo/list
--
------------------------------------------------------------
Inter@zioni Interazioni di Antonio Nati
http://www.interazioni.it [email protected]
------------------------------------------------------------
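As an added illustration of the two approaches argued over in this thread (not a ruleset from the thread, from pfSense, or from any of the participants), here is the same policy written once on the INPUT interface and once on the OUTPUT interface in pf.conf syntax. Interface names, the host address and the port are assumed placeholders; the comments state where pf evaluates each rule and why only the first packet of a flow hits the ruleset on a stateful firewall. It assumes pf's default floating state policy.

```pf
# Added example, not part of the thread: the same policy written two ways,
# for a connection entering on interface X and leaving on interface Y
# toward host Z, port P. Names and addresses are assumed placeholders.
int_x  = "em0"
int_y  = "em1"
host_z = "192.0.2.10"
port_p = "443"

# Header normalisation runs in the inbound hook, before the packet is
# forwarded: this is the "sanity of network metadata" check from Ermal's
# reply. Malformed packets are dropped here and never reach forwarding.
scrub in on $int_x all

# Default deny in both directions; "quick" rules below short-circuit it.
block log all

# ---- Variant A: decide on the INPUT interface ----------------------------
# The first packet of the flow is matched against this rule in the inbound
# hook on X. A state entry is created, and every later packet of the flow
# (in both directions) is matched against the state table, not the ruleset.
# With the default floating state policy the same state also carries the
# packet through the outbound hook on Y, so no "pass out" rule is needed.
pass in quick on $int_x proto tcp from any to $host_z port $port_p keep state

# ---- Variant B: decide on the OUTPUT interface (use INSTEAD of A) --------
# Everything must first be admitted on X, so the selective decision is
# taken only after the packet has been forwarded and reaches the outbound
# hook on Y. Unwanted packets are still dropped, but they have already
# consumed the forwarding work, which is the cost Ermal's reply describes.
# "no state" on the inbound rule matters: pf creates state on every pass
# rule by default, and a floating state created on X would let the packet
# through the outbound hook on Y without the port P rule ever being
# consulted.
# pass in on $int_x all no state
# pass out quick on $int_y proto tcp from any to $host_z port $port_p keep state
```

Load either variant with `pfctl -nf /etc/pf.conf` to syntax-check it before activating it. The practical difference is visible with `pfctl -ss`: in both variants a single state entry is created by the flow's first packet, but in Variant B that packet has already passed through the inbound hook and forwarding before the rule that could reject it is reached.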