On 04/07/2012 15:41, Giles Coochey wrote:
On 04/07/2012 11:06, Tonix (Antonio Nati) wrote:
On 04/07/2012 11:44, Ermal Luçi wrote:
On Wed, Jul 4, 2012 at 10:44 AM, Tonix (Antonio Nati)
<[email protected]> wrote:
On 02/07/2012 15:51, Jim Pingle wrote:
On 7/2/2012 9:38 AM, Tonix (Antonio Nati) wrote:
Too much confusion in keeping filter tables,
Switching how the entire firewall operates is also very confusing and
not likely to do what people expect -- floating rules would be much
easier to understand than you expect (if the list were cleaned up
a bit)
and no possibility of letting a user manage his/her interface.
That's not even possible now, and would be just as difficult/easy to
implement on the floating tab as any other. (If a user can only see
interface X, only show the rules for interface X, done.)
Would it be possible to have a technical answer about using OUTPUT
interface rules instead of INPUT interface rules?
What should change dramatically inside pfSense, and is there any real
security reason for not doing that?
As far as I can see in PF filtering, both INPUT and OUTPUT interface
rules would be evaluated in the same place.
The definition of "same place" is not correct here.
While it's true that all rules are in the same place (data structure),
on stateful firewalls they get evaluated only once; that is why it is
not considered to split them out.
Also there are optimizations that make this not a factor at all in the
evaluation of the ruleset.
Certainly it is recommended to kill mosquitoes before they come to
you :)
Though it's mostly for performance reasons, because the packets would
then consume too much CPU and open the possibility of DoS.
Although there is the other reason of buffer overflows and exploits.
Wrongly crafted packets might crash your host or even make it
vulnerable to exploits, while with filtering on inbound you reduce this
risk by at least making sure of the sanity of the network metadata
(packet headers, IPs, etc).
Sorry, but you did not answer my question. Your comments are general
security comments but do not answer the central question.
Once you have an incoming connection (first time), let's say from
INT X to INT Y, dest IP Z, dest port P, will these alternative rules
be evaluated at the same moment or not?
- Evaluate INPUT on INT X, dest IP Z, dest port P
- Evaluate OUTPUT on INT Y, dest IP Z, dest port P
If the answer is YES, there is no added security risk in preferring
filtering rules on the OUTPUT interface. Both INPUT and OUTPUT have the
same risks.
If the answer is NO, please explain where and why INPUT and OUTPUT
are evaluated in different phases.
Regards,
Tonino
My firewall has four interfaces.
A packet arrives on one interface.
At this stage it is impossible for the firewall to apply a rule based
on the outbound interface, because which interface that is has not been
evaluated yet. It is not until the packet is processed that the
outbound interface is determined.
It is, however, able to make a decision on rules applied on the INBOUND
interface, because that is a known fact.
Simples.
As a general rule, best practices state that if you are going to drop
/ filter packets on your network, do so as close to the source as
possible. This applies within systems as well as on the wire.
I'd say NO - INPUT is evaluated upon input, OUTPUT is evaluated upon
output - my guess as to the reason they decided to call them INPUT and
OUTPUT.
Your theory is perfect, and I agree totally with you. But reading the PF
manuals gave me a different vision of how PF acts.
Are you sure PF acts exactly like you are explaining?
Regards,
Tonino
_______________________________________________
List mailing list
[email protected]
http://lists.pfsense.org/mailman/listinfo/list
--
------------------------------------------------------------
Inter@zioni Interazioni di Antonio Nati
http://www.interazioni.it [email protected]
------------------------------------------------------------
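As an added illustration of the two rule placements argued over in this thread (not a ruleset posted by any participant, nor pfSense's generated configuration), the pf.conf fragment below puts Tonino's scenario into concrete rules. The interface names em0 (INT X, where the packet arrives) and em1 (INT Y, where it leaves), the destination 192.0.2.10 (IP Z) and port 443 (P) are constructed for the example. The comments state the behaviour that the pf.conf(5) manual documents for stateful rules: the first packet of a flow is matched against the ruleset on the interface and in the direction it is seen, a state entry is created, and with the default floating state policy that state also matches the same packet when it reappears on the outbound interface, so outbound rules are never consulted for it.

```pf
# Added example, not from the thread. Constructed names:
#   em0 = INT X (inbound interface), em1 = INT Y (outbound interface),
#   192.0.2.10 = destination IP Z, 443 = destination port P.
int_x  = "em0"
int_y  = "em1"
host_z = "192.0.2.10"
port_p = "443"

# pf keeps state on "pass" rules by default. With the default floating
# state policy a state entry created on one interface also matches the
# same flow when the packet is seen again on another interface.
set state-policy floating
set block-policy drop
set skip on lo0

# Default deny, both directions, every interface.
block log all

# Style 1 (what Giles and Ermal recommend): decide on the INBOUND interface.
# The connection's first packet is evaluated here, where only the arrival
# interface, addresses and ports are known. A state is created; when the
# same packet is later seen going out on em1, the state matches and the
# ruleset is not evaluated again. The rest of the connection (both
# directions) also rides on that state entry.
pass in on $int_x proto tcp from $int_x:network to $host_z port $port_p \
    flags S/SA keep state

# Style 2 (what the thread asks about): decide on the OUTBOUND interface.
# For the "pass out" rule on em1 ever to be consulted, the packet must
# first be let in on em0 (otherwise "block all" drops it before routing),
# and it must be let in WITHOUT state: a stateful "pass in ... all" would
# create a floating state on em0 that already matches the packet on em1,
# so the outbound rule would never see it. Filtering therefore happens
# one step later, after routing, and every packet (not just the first of
# a flow) is evaluated twice, which is the CPU/DoS cost Ermal describes.
# Uncomment to compare; comment out the Style 1 rule when doing so.
# pass in on $int_x all no state
# pass out on $int_y proto tcp to $host_z port $port_p \
#     flags S/SA keep state
```

A parse check before loading is `pfctl -nf /etc/pf.conf`; after loading, `pfctl -ss` shows the state table, and `pfctl -vsr` shows per-rule evaluation and match counters, which make it visible that under Style 1 the outbound rules on em1 are never matched by this flow.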