Best practice for blocking/passing in pf - BSD


  1. Best practice for blocking/passing in pf

    One great thing about pf is its flexibility; one bad thing about pf is its
    flexibility, =).

    I know that pf can filter by ingress or egress of an interface. Rather
    than try to match up ingress and egress rules, I allow all outbound
    connections and filter by packets coming in.

    Is that a good practice or is there a better way to approach it?

  2. Re: Best practice for blocking/passing in pf

    Johnny Kim wrote:
    > One great thing about pf is its flexibility; one bad thing about pf is its
    > flexibility, =).
    >
    > I know that pf can filter by ingress or egress of an interface. Rather
    > than try to match up ingress and egress rules, I allow all outbound
    > connections and filter by packets coming in.
    >
    > Is that a good practice or is there a better way to approach it?

    pf(4) filters packets once, not twice - even when forwarding. Filter on
    the interface the packets hit first.

    Outbound filtering is useful if an attacker could conceivably compromise
    the machine, without gaining root. Thus, it is very useful on a shared
    hosting server, where lots of stupid PHP scripts will allow for easy
    remote code execution. It might not be required on a firewall that is
    tightly locked down and offers no services - only kernel-level
    compromises are left, and once an attacker succeeds in that, pf isn't
    going to help you.

    Joachim
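As an added example that is not part of this thread (not code from either poster), here is a small pf.conf that applies the two points above: inbound traffic is filtered on the interface it arrives on, and a shared-hosting host gets a restrictive egress policy so a compromised web application running as an unprivileged user cannot freely reach out. The interface name em0, the relay address and the allowed ports are assumptions.

```pf
# Added example (not from this thread): pf.conf for a single-interface
# shared-hosting host. Interface name, relay address and ports are assumed.
ext_if     = "em0"
mail_relay = "192.0.2.25"        # assumed outbound SMTP relay (documentation range)
web_ports  = "{ 80, 443 }"

set skip on lo
set block-policy drop

# Default deny in both directions; log drops so unexpected egress attempts
# (direct SMTP from a script, reverse shells) show up in pflog.
block in  log all
block out log all

# Inbound: filter once, on the interface the packets hit first. State created
# here lets the replies leave without a matching "pass out" rule.
pass in on $ext_if proto tcp to ($ext_if) port $web_ports keep state
pass in on $ext_if proto tcp to ($ext_if) port 22 keep state

# Outbound (egress): only what the host legitimately needs, because code
# running as the web server user can still originate connections.
pass out on $ext_if proto { tcp, udp } to any port 53 keep state          # DNS
pass out on $ext_if proto udp to any port 123 keep state                  # NTP
pass out on $ext_if proto tcp to $mail_relay port 25 keep state           # mail via relay only
pass out on $ext_if proto tcp to any port $web_ports user root keep state # updates by root only
```

Check the file with `pfctl -nf /etc/pf.conf` before loading it with `pfctl -f /etc/pf.conf`; the `user root` restriction applies only to connections originated on the host itself.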
