PF Best `pf` Rule Format?

l008com

Member

Reaction score: 2
Messages: 33

As my rules get more complicated, I've gone from "from any", to "from ip-address", to "from en0". What I noticed is that when I specify via en0/en1, `pf` makes a rule for every IP address on that interface, even though other IPs in my setup are covered by other rules, including IPv6 addresses which I'm not even using. So using en0 as a from-specifier is creating double the amount of actual rules, as shown via `pfctl -si`.

So I am wondering if I should make all my rules so they specify specific IP addresses instead? Reduce the total number of rules? Does that make sense? Is it pointless? I know these fairly simple firewall rules aren't exactly CPU hogs, but at the same time, a whole lot of packets are going through them, so does it make sense to optimize in this way? Or are other things going on that are not apparent, and this wouldn't actually affect the amount of processing going on at all?

l008com (OP)

I may have made my question sound more complicated than it is, so here are some example rules:

Code:
pass in quick proto tcp from any to en1 port { 80 443 } keep state
pass in quick proto tcp from any to en1 port { 25 80 443 587 993 } keep state

Versus doing this, assuming the IP is a real, valid public IP:
Code:
pass in quick proto tcp from 192.168.5.6 to en1 port { 80 443 } keep state
pass in quick proto tcp from 192.168.5.6 to en1 port { 25 80 443 587 993 } keep state

The second option creates far fewer rules, as seen in
Code:
sudo pfctl -si

mickey

Aspiring Daemon

Reaction score: 310
Messages: 755

The second option creates far fewer rules
That is probably because specifying an IPv4 source address limits the choice of destination addresses on interface en1 to IPv4 addresses only, thereby excluding any IPv6 addresses that might be configured on that interface. You'd probably see the same effect if those rules specified the internet protocol version as IPv4 only, like:
Code:
pass in quick inet proto tcp to en1 port { 25 80 443 587 993 } keep state

First and foremost, your rules should express what you intend them to do, then you can go about optimizing your rules. Looking at your example rules, I can hardly tell what the intended purpose actually is. The port numbers in your first rule are a subset of the second, otherwise identical rule, which makes the first rule redundant. Is this machine a server with only one interface or a router with multiple interfaces?
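To make the counting in this thread concrete, here is an added example (not code from either poster, and not pfctl itself) that models how pfctl expands one line of pf.conf into the single-address, single-port rules that `pfctl -sr` and the counters in `pfctl -si` report: an interface name becomes one entry per address configured on it, a `{ }` list becomes one entry per member, and combinations whose address families disagree (an `inet` rule or an IPv4 source with an IPv6 destination) are dropped. The interface address table is constructed with documentation addresses; on a real host pfctl reads the addresses from the interfaces at load time, and the exact pruning rules in pfctl's parser are approximated here.

```python
import ipaddress
from itertools import product

# Constructed sample address table (documentation prefixes, not the poster's
# setup). A real pfctl reads these from the interfaces when the ruleset loads.
INTERFACE_ADDRS = {
    "en0": ["192.168.5.1", "2001:db8:1::1"],
    "en1": ["203.0.113.10", "2001:db8::10"],
}


def tokenize(rule):
    """Split a rule into words, folding '{ a b c }' into a Python list."""
    words = rule.replace("{", " { ").replace("}", " } ").split()
    tokens, i = [], 0
    while i < len(words):
        if words[i] == "{":
            close = words.index("}", i)
            tokens.append(words[i + 1:close])
            i = close + 1
        else:
            tokens.append(words[i])
            i += 1
    return tokens


def hosts_for(spec, interfaces):
    """'any' stays 'any'; an interface name becomes every address on it."""
    if spec == "any":
        return ["any"]
    return list(interfaces.get(spec, [spec]))


def family_of(host):
    """'inet' / 'inet6' for a literal address, None for 'any' or a hostname."""
    if host == "any":
        return None
    try:
        return "inet" if ipaddress.ip_address(host).version == 4 else "inet6"
    except ValueError:
        return None


def as_list(tok):
    return tok if isinstance(tok, list) else [tok]


def expand(rule, interfaces=INTERFACE_ADDRS):
    """Return the single-address, single-port rules the line expands into."""
    toks = tokenize(rule)
    family = "inet" if "inet" in toks else "inet6" if "inet6" in toks else None
    ends = {"from": (["any"], [None]), "to": (["any"], [None])}
    head, tail, seen_endpoint, i = [], [], False, 0
    while i < len(toks):
        t = toks[i]
        if t in ends:
            seen_endpoint = True
            hosts = [h for s in as_list(toks[i + 1]) for h in hosts_for(s, interfaces)]
            ports = [None]
            i += 2
            if i < len(toks) and toks[i] == "port":
                ports = as_list(toks[i + 1])
                i += 2
            ends[t] = (hosts, ports)
        else:
            word = t if isinstance(t, str) else "{ " + " ".join(t) + " }"
            (tail if seen_endpoint else head).append(word)
            i += 1

    (src, sports), (dst, dports) = ends["from"], ends["to"]
    expanded = []
    for s, sp, d, dp in product(src, sports, dst, dports):
        families = {family, family_of(s), family_of(d)} - {None}
        if len(families) > 1:
            continue  # address families disagree: pf does not emit this combination
        parts = (head + ["from", s] + (["port", sp] if sp else [])
                 + ["to", d] + (["port", dp] if dp else []) + tail)
        expanded.append(" ".join(parts))
    return expanded


if __name__ == "__main__":
    for line in [
        "pass in quick proto tcp from any to en1 port { 80 443 } keep state",
        "pass in quick proto tcp from 192.168.5.6 to en1 port { 80 443 } keep state",
        "pass in quick proto tcp to en1 port { 25 80 443 587 993 } keep state",
        "pass in quick inet proto tcp to en1 port { 25 80 443 587 993 } keep state",
    ]:
        rules = expand(line)
        print(f"{len(rules):2d} rules <- {line}")
        for r in rules:
            print("    ", r)
```

With one IPv4 and one IPv6 address on en1, the `from any` rule doubles (two addresses times two ports), the `from 192.168.5.6` rule keeps only the IPv4 destination, and adding `inet` gets the same halving without hard-coding a source address, which is the point of mickey's reply: state the address family you mean and let pf drop the rest.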