PF pf keeping state for LAN to WAN traffic

Hello,

Sorry if the title is confusing. My question is this: when configuring pf, I discovered two ways to route my traffic through my FreeBSD router using pf.

The first rule set is as follows.
Code:
ext_if="em1"
int_if="em0"

set skip on lo
set block-policy drop

nat on $ext_if from any to any -> ($ext_if)

pass out quick on $ext_if from any to any keep state
block drop in on $ext_if all


Second
Code:
ext_if="em1"
int_if="em0"

set skip on lo
set block-policy drop

nat on $ext_if from $int_if:network to any -> ($ext_if)

block drop all
pass in on $int_if from $int_if:network to any keep state
pass out on $ext_if from $int_if:network to any keep state
pass out on $ext_if from ($ext_if) to any keep state

I revised the second ruleset based mostly on information from the handbook's firewall section, if I remember right.

The main difference I observed between the two is that in the first one, return traffic seems to cause more evaluations of the ruleset, which from what I've read is slower than a state table lookup, versus the second ruleset, where I have double the states for inbound LAN and outbound WAN traffic but lower ruleset evaluations according to pfctl -vsr.

Both rulesets achieve what I want to accomplish: allowing all LAN traffic outbound to the internet but blocking all inbound connections to the WAN interface that don't have state. It just seems that keeping state on both sides is more efficient, even though I have double the states in the state table.

Are both rulesets OK so long as they filter my traffic correctly, or is it bad practice not to keep state on both inbound LAN traffic and outbound WAN traffic?

Thank you for your time.
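As an added example (not part of the original post), a small shell helper that tallies the per-rule Evaluations and States counters from `pfctl -vsr` output, which is the comparison the post is making between the two rulesets. The counter-line layout is the one pfctl prints on FreeBSD, and the sample output is constructed, not captured from a real router.

```shell
#!/bin/sh
# Summarise per-rule counters from `pfctl -vsr` so two rulesets can be
# compared: many Evaluations with few States means packets are walking the
# ruleset instead of being matched by the state table.
# Assumed input layout (pfctl -vsr): a rule line followed by indented
# counter lines such as
#   [ Evaluations: 120  Packets: 4000  Bytes: 3200000  States: 2 ]
#   [ Inserted: uid 0 pid 812 State Creations: 40 ]

# Constructed sample output for the first ruleset in the post (not real data).
SAMPLE_VSR='pass out quick on em1 inet all flags S/SA keep state
  [ Evaluations: 1500      Packets: 9000      Bytes: 6500000    States: 3     ]
  [ Inserted: uid 0 pid 812 State Creations: 40    ]
block drop in on em1 all
  [ Evaluations: 1460      Packets: 12        Bytes: 720        States: 0     ]
  [ Inserted: uid 0 pid 812 State Creations: 0     ]'

# Read pfctl -vsr text on stdin; emit one tab-separated line per rule:
#   <evaluations> <states> <rule text>
summarize_pf_rules() {
    awk '
        # Counter line: take the number that follows each label of interest.
        /^[[:space:]]*\[ Evaluations:/ {
            for (i = 1; i <= NF; i++) {
                if ($i == "Evaluations:") ev = $(i + 1)
                if ($i == "States:")      st = $(i + 1)
            }
            printf "%s\t%s\t%s\n", ev, st, rule
            next
        }
        # Bookkeeping line; nothing to compare here.
        /^[[:space:]]*\[ Inserted:/ { next }
        # Any other non-empty line starts a new rule.
        NF { rule = $0 }
    '
}

# Ruleset-wide totals, useful for an at-a-glance comparison of two loads.
total_evaluations() {
    summarize_pf_rules | awk -F "\t" '{ sum += $1 } END { print sum + 0 }'
}

total_states() {
    summarize_pf_rules | awk -F "\t" '{ sum += $2 } END { print sum + 0 }'
}

# Stand-alone run over the constructed sample; on a router you would pipe
# `pfctl -vsr` into summarize_pf_rules instead.
printf '%s\n' "$SAMPLE_VSR" | summarize_pf_rules
printf 'total evaluations: %s  total states: %s\n' \
    "$(printf '%s\n' "$SAMPLE_VSR" | total_evaluations)" \
    "$(printf '%s\n' "$SAMPLE_VSR" | total_states)"
```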