Monday, February 06, 2006

OpenBSD PF - tip of the day

This is by no means aimed at the PF hardcore crowd, but at people who are new to PF. When writing PF filter rules, newcomers tend to confuse the direction of IN and OUT. The IN and OUT keywords do not indicate traffic coming into or going out of your network. IN means a packet arriving on the PF-enabled NIC, and OUT means a packet leaving the PF-enabled NIC, whether that packet originated on the PF host itself or is being forwarded out through that NIC. In other words, direction is always judged from the point of view of the interface named in the rule, never from the point of view of the network behind it. The picture below illustrates IN and OUT; the green arrows indicate the network flow.


To make this concrete, here are three rules, assuming the host 192.168.5.100 has a single NIC named pcn0 (there is no second interface; this is a single-interface box). The first rule allows TCP traffic arriving on pcn0 from 192.168.5.0/24 and addressed to 192.168.5.100:

pass in on pcn0 proto tcp from 192.168.5.0/24 to 192.168.5.100

The second rule blocks that same TCP traffic from 192.168.5.0/24 from reaching 192.168.5.100:

block in on pcn0 proto tcp from 192.168.5.0/24 to 192.168.5.100

The third rule shows the other direction. If you apply it together with the first rule, hosts on 192.168.5.0/24 can still reach 192.168.5.100 (their packets are allowed in), but they never get a response, because the replies leaving pcn0 are blocked. Note that from and to always describe the packet's own source and destination, so for the replies going OUT on pcn0 the source is 192.168.5.100 and the destination is the LAN:

block out on pcn0 proto tcp from 192.168.5.100 to 192.168.5.0/24

One caveat: since OpenBSD 4.1, pass rules keep state by default, so a reply belonging to a connection allowed by the first rule matches the state entry and is never evaluated against this block rule. To see the behaviour described here on a current release, add `no state` to the pass rule.

Here is another picture so that you have a clear view of what has been described above.
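As an added example (not the author's own pf.conf and not part of the original post), here is a complete single-interface ruleset for the host above, together with the commands used to check and observe it. It assumes the LAN is 192.168.5.0/24 and that you want the stateless "reachable but no reply" behaviour the post describes; the file path, the `log` keywords and the `no state` options are choices made here, not something the post specifies.

```shell
#!/bin/sh
# Added example for this post, not the author's original pf.conf.
# Setup from the post: single-interface OpenBSD host 192.168.5.100, NIC pcn0.
# Assumption (not from the post): the LAN is 192.168.5.0/24.

write_pf_conf() {
    # $1: path to write. Direction keywords are relative to the interface on
    # THIS host: "in" = packet arriving on pcn0, "out" = packet leaving pcn0.
    # from/to always name the packet's own source and destination.
    cat > "$1" <<'EOF'
ext_if = "pcn0"
me     = "192.168.5.100"
lan    = "192.168.5.0/24"

# Default deny in both directions; "log" sends the drops to pflog0 so you can watch them.
block log all

# Rule 1: TCP arriving on pcn0 from the LAN, addressed to this host, is accepted.
# "no state" keeps the demo stateless (PF's default before OpenBSD 4.1). With the
# modern default of keep state, the reply would match the state entry created by
# this rule and never be evaluated against the out rules below.
pass in on $ext_if proto tcp from $lan to $me no state

# Let the host send anything out, stateless as well ...
pass out on $ext_if all no state

# ... except TCP replies to the LAN. The reply LEAVES pcn0 with this host as the
# source, so it is "from $me to $lan", not "from $lan to $me". Without "quick" the
# last matching rule wins, so this block overrides the pass out above for these packets.
block out log on $ext_if proto tcp from $me to $lan
EOF
}

check_pf_conf() {
    # Parse-only check (-n): nothing is loaded; non-zero exit on a syntax error.
    # On a host without pfctl (e.g. a Linux workstation) the check is skipped.
    if command -v pfctl >/dev/null 2>&1; then
        pfctl -nf "$1"
    else
        echo "pfctl not available; skipping syntax check for $1"
    fi
}

# Usage (run the pfctl/tcpdump steps as root on the OpenBSD box itself):
#   write_pf_conf /tmp/pf-demo.conf
#   check_pf_conf /tmp/pf-demo.conf      # syntax check only
#   pfctl -f /tmp/pf-demo.conf           # load it: TCP from the LAN gets in, replies are dropped
#   pfctl -vvsr                          # rules with evaluation/match counters
#   tcpdump -n -e -ttt -i pflog0         # each dropped reply, with direction and rule number
```

Loading this ruleset cuts off your own TCP sessions from the LAN (the SYN gets in, the SYN/ACK is dropped), so do it from the console. Because the block rules carry `log`, tcpdump on pflog0 prints `block out on pcn0` for every dropped reply, which is the quickest way to convince yourself that the reply really is an OUT packet from the interface's point of view.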


Peace (:])

3 comments:

Marjan Jeffry said...

Nice illustration. I wish I had an OpenBSD box lying around to test these rules. BTW, what do you mean by "can reach but no response"?

Anonymous said...

Sorry, but I don't like the illustrations. I think a better way to understand this is to graph both interfaces with the traffic flow.


@mohd jeffry: since the rule is a 'block out', the interface can receive the incoming traffic but can't send, thus no response will be received.

C.S.Lee said...

anonymous,

It's not a two-interface box but a single-interface box, and traffic is either going into the interface or going out from the interface. I get what you mean, and I would like to improve the graph if I have more time for it. Another reason I avoided showing a two-interface box is that it may get complicated, and I just want to keep it simple, as I stated in the first line. Thanks anyway; I will improve my illustration skills next time, which is not always my main priority, but I think it helps.