PF IN and OUT keywords in filter rules

[double]

Hi!

I can't fully understand when(how to) use packet direction in filter rules.
Found on this forum phrase: "...If the interface receives a packet, it is incoming. If the interface sends out a packet on to the network, it is outgoing..." (c)tommiie, but still have questions.

I'll try to write how I understand packet flow(correct me please if I wrong):

Packet addressed directly to any of router's IP addresses always IN.

NAT specific flow is:
1) IN on Internal IF.
2) OUT on External IF.
reply
1)IN on External IF.
2)OUT on Internal IF.

Routing between networks is:
1) IN on src:network IF.
2) OUT on dst:network IF.

Is there any other scenarios that I missed?
In most cases routed/NATed packet flow through PF twice?

 

[SirDice]

In most cases routed/NATed packet flow through PF twice?

When there's more than one interface, yes. It passes through each interface and each interface has its own rules.

 

[double]

It passes through each interface

I hope there is no way that packet NATed outside goes: IN on internal IF, then OUT on internal IF, then IN on external IF then OUT on external IF.
Is there any documentation or colorfull diagramm for dummies about packet flows in FreeBSD especially in PF(route-to) case.

 

[SirDice]

I hope there is no way that packet NATed outside goes: IN on internal IF, then OUT on internal IF, then IN on external IF then OUT on external IF.

NAT doesn't work on incoming packets, only on outgoing. For incoming packets you use rdr.

NAT = source address translation
Redirection = destination address translation.

And:

     Redirections cannot reflect packets back through the interface they
     arrive on, they can only be redirected to hosts connected to different
     interfaces or to the firewall itself.

 

[double]

@SirDice
Sorry, bad example.
If packet flows from IF1 to IF2 without translation, just routing.
Logically(as I think) this packet hits PF twice(once per IF), but if it goes IN and OUT on each IF? I can't find answer in FreeBSD handbook and hoped that maybe some one share their wisdom or give some links to read.

 

[SirDice]

I can't find answer in FreeBSD handbook and hoped that maybe some one share their wisdom or give some links to read.

You should read pf(4) and pf.conf(5).

 

[double]

You should read pf(4) and pf.conf(5).

I even readed https://man.openbsd.org/pf.conf and still can not find specific information about packet flows in *BSD OS.
Correct me if I wrong, but I think that routing (placing packets from one IF to another) made by OS network subsystem but not by firewall part.

 

[SirDice]

A firewall is not a router. With regards to FreeBSD, it's the OS that does the routing.

 

[double]

A firewall is not a router. With regards to FreeBSD, it's the OS that does the routing.

Yeah, that's my point.
I think I better make testing stand and try to figure out about it by myself.
Anyways thank you for your time.