pf beginner questions (Re: IN/OUT)

[thegadgetman]

Maybe someone can explain to me how these rule works, especially IN/OUT and how they should be used with the FROM/TO. I am in school on a coop and we are going over our pf rule set and I don't understand the DMZ rules. So we a have DMZ with a DMZ interface which has a public IP address. An SSH server is in the DMZ with a public IP as well.

Our current config:

## ssh server
pass out log quick on $dmz_if inet proto tcp from any to $ssh1 port ssh label "SSH1"
pass in log quick inet proto tcp from any to $ssh1 port ssh label "SSH1"

The way I think it should be written:

## ssh server
pass out log quick on $dmz_if inet proto tcp [B]from $ssh1 to any[/B] port ssh label "SSH1"
pass in log quick inet proto tcp from any to $ssh1 port ssh label "SSH1"

Any one have any thoughts on this?

thanks.

 

[bbzz]

In and Out refer to direction of packet flow. From and To refer to source and destination IP address in IP header. pf is a stateful firewall, meaning it keeps record of established connections. You only need allow access to ssh server, and reverse will be permitted.

 

[Lorem-Ipsum]

I recommend reading: The Book of PF - second edition. If I read correctly there is a free ebook version.

I found it very useful.

 

[gkontos]

You can also have a look at a very simple yet effective guide on how to creating an effective ruleset:

Link: http://www.aisecure.net/2012/01/15/securing_pf1/

 

[vand777]

PF: The OpenBSD Packet Filter

 

[DutchDaemon]

This is not some homework assignment we are doing for you, is it?

 

[thegadgetman]

Haha no it's not homework and is more like extra curricular work. Basically me understanding how pf works doesn't play any role in me passing my classes. Good one though.

I've read through PF: The OpenBSD Packet Filter as mentioned. The book looks really interesting and I am going to get to that soon. For the time being I am just trying to wrap my head around how who the IN/OUT is relative to. I think bbzz has put me on the right track with his description of how it works from the kernel so IN/OUT decisions would be made from the kernels perspective. So IN would be data coming from interface and OUT would be data going to the interface. Unless I am wrong in that thinking some please correct or forever let this be the way everyone thinks pf works.

Thanks.

 

[DutchDaemon]

Just imagine you're sitting inside your server. There are network interfaces to the left and the right of you. What comes in is IN, what goes out is OUT, whichever interface it's on.

 

[thegadgetman]

Just imagine you're sitting inside your server. There are network interfaces to the left and the right of you. What comes in is IN, what goes out is OUT, whichever interface it's on.

Perfect this was exactly what I was looking for, i just couldn't articulate my question well enough. Thanks so much.