
[RESEND] pf - How to determine IN vs OUT on interface


[ *My apologies if this is a duplicate. I didn't see the first one come into the list* ]

I recently set up a transparent bridging firewall per the guide at

I've run into some confusion determining how to configure pf's ruleset
based on what incoming and outgoing means on my two interfaces.


Internet           Router         pf box                 LAN
               public | rfc1918   (bridge0)           (
 ,--.              +--+           +----+      switch   ,-----.
/    \             |  |           |  ==|       ._.    /  -|   \
|    | ----------- |  |-----------|    |-------| |----|   |_  |
|    |             +--+      (dc0)|   -|(tl0)  '-'    |  -|   |
'----'                            |   .|              |   |_  |
                                  |    |              \_______/

The problem I'm having is understanding which direction is considered in
or out on the interfaces; for instance, to allow all traffic to cross
the outside (dc0) interface (since I want to do all the filtering on the
internal (tl0)) I'm specifying rules such as:

   pass in on dc0 all
   pass out on dc0 all

But for in/out rules on the other interface, how would I specify the
following things?

. Not allow any packets coming from the public network into the 10. net
with rfc1918 addresses except from

. To specify outgoing tcp/udp/icmp traffic may be allowed through tl0
from my private network, do I use a pass in or pass out rule on tl0?

I guess I don't understand whether the filtering happens going in the
interface from my 10. or out the interface to the public; in and out
seem like they can be relative to me. For instance, to block telnet
traffic from the internet to my LAN, both of the following make sense to me:

   block in log on tl0 proto tcp all port 23    OR
   block out log on tl0 proto tcp all port 23

The first rule seems like "block all telnet traffic coming into tl0 from
the internet"

The second seems like "block all telnet traffic coming out of the bridge
through tl0"

This of course would be something I would want working without blocking
telnet traffic from my private network out, for instance. (Getting the rule backwards?)

Is the solution then to specify explicitly src/dst addresses? If so, how
then can the 'all' target be used?


Also related, is it possible to view all traffic passing through bridge0
by using 'tcpdump -i bridge0'? I've used this before while pinging
between hosts on different sides of the bridge and no traffic shows up.
Any ideas?
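As an added example (not from the original post, and not taken from pf's own documentation), a pf.conf fragment for the bridge drawn above that spells out the direction of every rule relative to the pf box. The LAN prefix 10.0.0.0/8 and the macro names are assumptions made here.

```pf
# Added example, not from the original post. Assumptions: the LAN behind
# tl0 is 10.0.0.0/8, dc0 faces the router, macro names are invented here.
ext_if  = "dc0"
int_if  = "tl0"
lan     = "10.0.0.0/8"
rfc1918 = "{ 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 }"

# Direction is relative to the pf box, never to the networks:
#   "in  on $int_if" = a packet arriving at tl0 from the LAN wire
#   "out on $int_if" = a packet leaving tl0 toward the LAN wire
# A bridged packet is evaluated twice: "in" on the interface it arrived
# on and "out" on the interface it leaves by.

# Let everything cross dc0 unfiltered; all policy lives on tl0.
pass in  on $ext_if all
pass out on $ext_if all

# Default deny on the LAN-facing interface, logged. "all" is shorthand
# for "from any to any"; it cannot be combined with "port", so rules
# that name a port spell out the addresses instead.
block in  log on $int_if all
block out log on $int_if all

# Internet -> LAN packets LEAVE the bridge through tl0, so they are
# "out on tl0": drop RFC 1918 sources and inbound telnet there. Telnet
# from the LAN outward is "in on tl0" and is untouched by this rule.
block out log quick on $int_if from $rfc1918 to $lan
block out log quick on $int_if proto tcp from any to $lan port 23

# LAN -> Internet packets ENTER the bridge through tl0, so they are
# "in on tl0". Keeping state lets the replies (out on tl0) match the
# state entry instead of needing a separate pass out rule.
pass in on $int_if proto { tcp, udp, icmp } from $lan to any keep state
```

Load it with `pfctl -f /etc/pf.conf` and review the expanded rules with `pfctl -s rules`; the `log` keyword sends blocked packets to pflog0, where tcpdump shows which interface and direction each drop happened on.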