"In" and "out" reversed on floating rule
-
I needed to put some outbound blocking rules in as floating rules and once I did that none of the interface pass rules worked any more so I had to convert everything to floating rules.
When I converted the default allow LAN to any rule to a floating rule things got weird.
I set it up as pass ipv4 tcp/udp from LAN net to any.
At first I set it up with a direction "out" since the traffic enters the LAN interface and I want to allow it to go out the WAN and create an entry in the state table so replies and only replies will pass in. That didn't work. I did a traffic capture and saw traffic entering the LAN but not making it out to the WAN interface even. After I switched the direction from "out" to "in" now traffic is passed both ways but it leaves me a little uneasy. Are "out" and "in" simply reversed or did I just open up the entire LAN to the internet?
Here is how it looks in raw pf format:
pass in quick on em1 inet proto tcp from 192.168.1.1/24 to any flags S/SA keep state label "USER RULE: Outbound LAN"
pass in quick on em1 inet proto udp from 192.168.1.1/24 to any flags S/SA keep state label "USER RULE: Outbound LAN"
-
I needed to put some outbound blocking rules in as floating rules and once I did that none of the interface pass rules worked any more so I had to convert everything to floating rules.
So you obviously did something wrong.
If you want to control outbound traffic on LAN interface by a floating rule, you have to select the LAN interface and the direction "in", cause the traffic you try to control comes on the LAN interface.
With floating rules you can do the same on the WAN interface, but then you have to select the direction "out", cause on WAN the packets go out.
-
So let me make sure I understand you. "In" and "out" mean different things depending on the interface. On a LAN "in" means packets exiting the interface and "out" means packets entering the interface. WAN is just the opposite. Right? So what about OPT?
-
No. In means in and out means out.
From the perspective of LAN, in is upload and out is download.
From the perspective of WAN, in is download, out is upload.
The only time this is not true is when you are dealing with floating rules on interfaces in the outbound direction. In that case, when you are setting limiters, in is out and out is in.
Clear?
-
Yeah clear as mud but I think I get it enough to work with it. I just wish it was in the documentation. So which pattern does an OPT interface follow? I have mine set as a gateway so I guess that makes it outbound.
-
Well, the direction is always relative to that interface. What can flip it is a floating rule in the out direction. WANs generally have more inbound than outbound traffic. LANs generally have more outbound than inbound traffic. But…it depends.
-
"In" is always traffic entering an interface from the connected network, "out" is always traffic leaving an interface to the connected network. This doesn't change in floating rules and you can verify it by looking at the raw PF rules generated by the floating rules, for example a block floating rule on WAN that is set to apply to the "out" direction will show "block out" in the raw PF rule which means it applies in the "out" direction of the interface.
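As an added example, not taken from the thread and not pfSense's own generated ruleset, here is the same "LAN to anywhere" policy written as hand-written pf rules, to show that direction is always relative to the interface the rule is attached to. The interface names (em1 = LAN, em0 = WAN), the subnet and the rule labels are assumptions:

```pf
# Added example (not from the thread). Assumed names: em1 = LAN, em0 = WAN,
# 192.168.1.0/24 = the LAN subnet.
lan_if  = "em1"
wan_if  = "em0"
lan_net = "192.168.1.0/24"

# A packet from a LAN host to the internet crosses two interfaces:
#   1. it ENTERS em1 (LAN)  -> only rules with direction "in"  on em1 see it
#   2. it LEAVES em0 (WAN)  -> only rules with direction "out" on em0 see it
# The reply travels the opposite way (in on em0, out on em1) and is matched
# by the state entry created by the pass rule, not by a second rule.

# Outbound blocks go before the pass rules and on the interface where the
# packet first appears: "in" on the LAN side. Because the rule is quick and
# listed first, it matches before any state can be created.
block in quick on $lan_if inet proto tcp from $lan_net to any port 25 \
    label "no direct SMTP from LAN"

# Equivalent of the poster's converted rule: LAN traffic is filtered where it
# first appears, i.e. inbound on the LAN interface. "out on em1" would match
# only packets leaving toward the LAN hosts, which is why that did not work.
pass in quick on $lan_if inet proto { tcp udp } from $lan_net to any \
    flags S/SA keep state label "USER RULE: Outbound LAN"

# The same policy expressed on the WAN side instead: here the packets are
# leaving toward the internet, so the direction is "out". A rule written
# this way is never consulted for packets arriving on em1.
pass out quick on $wan_if inet proto { tcp udp } from $lan_net to any \
    flags S/SA keep state label "Outbound LAN (WAN side)"
```

The check the last reply recommends applies to a file like this as well: `pfctl -nf <file>` parses the ruleset without loading it, and `pfctl -sr` prints the rules that are actually loaded, so a rule configured as "out" on an interface should appear as `pass out quick on <that interface>` and nothing else.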