1) The big one is what I would call the 'double state problem'.  It
seems to me that the big disadvantage of a default-deny ruleset is that
because explicit pass rules are required on all interfaces, traffic
passing through the firewall machine needs state on all interfaces.
This isn't a problem for most applications, but it seems like it would
be a memory issue for large routers.

Supposing you have the following in your pf.conf [note: all rules in my
(simplified) examples will omit the implicit 'keep state']:

---
block    all
pass     on $int_if
pass out on $ext_if
pass in  on $ext_if from any to $ext_if port 22
---

If you now initiate a web connection from a machine on the internal
network to one on the internet, two states are created, one on each
interface, to allow return packets through.

The same problem, less obviously, occurs with a default-deny-in ruleset
like:
---
block in  all
pass  out all
pass  in  on $int_if
pass  in  on $ext_if from any to $ext_if port 22
---
or even with rules like
pass from $int_if:network to $ext_if:network

If you have
---
block    all
pass     on $int_if no state
pass out on $ext_if
pass in  on $ext_if from any to $ext_if port 22
---
then the ruleset is effectively the same, and there is only one state
per connection, but traffic is (slightly) slower because return traffic
through $int_if needs to be checked against the ruleset instead of the
state table.

But if you create a default-permit ruleset with wide-ranging block
rules, like:

---
block in on $ext_if
pass  in on $ext_if from any to $ext_if port 22
---

you get the same filtering results with fewer rules, one state per
connection, and no need for ruleset lookups on established streams.

The most obvious benefit of a default-deny ruleset is that it saves you
if you make a block rule too narrow, or comment it out by accident or
something.  But is there a way to have only one state per connection
with a default-deny ruleset?  And if not, does it ever actually matter,
or am I just being pedantic?

2) The other (shorter) question:
If I want one of my internal networks to be able to access the internet,
but not be able to access my other internal networks, is

---
table <non_local> { 0.0.0.0/0 !$int_net1 !$int_net2 }
block   all
pass in on $int_net3 from any to <non_local>
[etc]
---

better or worse in speed and resources than

---
block all
pass  in on $int_net3
block in on $int_net3 from any to $int_net1:network
block in on $int_net3 from any to $int_net2:network
[etc]
---

?

Any enlightenment from the pf gurus?
Thanks.

PS: please cc me on replies; I can't seem to get the list server to
accept my subscribe requests.  It bounces them as spam. (!?)

 But is there a way to have only one state per connection

set state-policy if-bound|floating

Whether it matters or not depends on your application.  It surely
can matter, e.g. with muti-homed hosts where replies may come in
an interface other than the one out which the request was sent.
OTOH if you're gatewaying multiple very different networks you may want
things locked down tightly with state bound to the interfaces
because there's no way such traffic should be allowed.

Regards,

Karl <k...@meme.com>
Free Software:  "You don't pay back, you pay forward."
                 -- Robert A. Heinlein

On 2009/09/12 21:25, Karl O. Pinc wrote:

pass in to {0.0.0.0/0 !$int_net1 !$int_net2}

which expands to three rules,

pass in to 0.0.0.0/0
pass in to !$int_net1
pass in to !$int_net2

you want default deny and double states... really. not bored enough to
write that down again tho.

and if you don't like the double states you can still set skip on one
of the interfaces. but understand the consequences.

--
Henning Brauer, h...@bsws.de, henn...@openbsd.org
BS Web Services, http://bsws.de
Full-Service ISP - Secure Hosting, Mail and DNS Services
Dedicated Servers, Rootservers, Application Hosting - Hamburg & Amsterdam