# pf beginner questions (Re: IN/OUT)



## thegadgetman (Feb 23, 2012)

Maybe someone can explain to me how these rules work, especially IN/OUT and how they should be used with FROM/TO. I am in school on a co-op and we are going over our pf rule set, and I don't understand the DMZ rules. So we have a DMZ with a DMZ interface which has a public IP address. An SSH server is in the DMZ with a public IP as well.

Our current config: 


```
## ssh server
pass out log quick on $dmz_if inet proto tcp from any to $ssh1 port ssh label "SSH1"
pass in log quick inet proto tcp from any to $ssh1 port ssh label "SSH1"
```

The way I think it should be written: 

```
## ssh server
pass out log quick on $dmz_if inet proto tcp from $ssh1 to any port ssh label "SSH1"   # changed: "from $ssh1 to any" instead of "from any to $ssh1"
pass in log quick inet proto tcp from any to $ssh1 port ssh label "SSH1"
```

Any one have any thoughts on this?

thanks.


----------



## bbzz (Feb 23, 2012)

In and Out refer to the direction of packet flow. From and To refer to the source and destination IP address in the IP header. *pf* is a stateful firewall, meaning it keeps a record of established connections. You only need to allow access to the ssh server, and the reverse will be permitted.


----------



## Lorem-Ipsum (Feb 23, 2012)

I recommend reading: The Book of PF - second edition. If I read correctly, there is a free ebook version.

I found it very useful.


----------



## gkontos (Feb 23, 2012)

You can also have a look at a very simple yet effective guide on how to create an effective ruleset:

Link: http://www.aisecure.net/2012/01/15/securing_pf1/


----------



## vand777 (Feb 23, 2012)

PF: The OpenBSD Packet Filter


----------



## DutchDaemon (Feb 23, 2012)

This is not some homework assignment we are doing for you, is it?


----------



## thegadgetman (Feb 24, 2012)

Haha, no, it's not homework; it is more like extracurricular work. Basically, my understanding how pf works doesn't play any role in my passing my classes. Good one though.

I've read through PF: The OpenBSD Packet Filter as mentioned. The book looks really interesting and I am going to get to that soon. For the time being I am just trying to wrap my head around what the IN/OUT is relative to. I think bbzz has put me on the right track with his description of how it works from the kernel, so IN/OUT decisions would be made from the kernel's perspective. So IN would be data coming from the interface and OUT would be data going to the interface. Unless I am wrong in that thinking, someone please correct me, or forever let this be the way everyone thinks pf works.

Thanks.


----------



## DutchDaemon (Feb 24, 2012)

Just imagine you're sitting *inside* your server. There are network interfaces to the left and the right of you. What comes in is IN, what goes out is OUT, whichever interface it's on.


----------



## thegadgetman (Feb 24, 2012)

DutchDaemon said:

> Just imagine you're sitting *inside* your server. There are network interfaces to the left and the right of you. What comes in is IN, what goes out is OUT, whichever interface it's on.



Perfect, this was exactly what I was looking for; I just couldn't articulate my question well enough. Thanks so much.


----------
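To make bbzz's point about FROM/TO versus IN/OUT and DutchDaemon's "sitting inside the server" picture concrete, here is an added, self-contained pf.conf fragment for the DMZ setup described in the first post. It is not from any poster in this thread and not the original ruleset; the interface names, the `$ssh1` address, the `$admin_host` address and the macro names are assumed placeholders (RFC 5737 documentation addresses), and you would replace them with your own.

```pf
# Added example ruleset (not from the thread). Interface and address
# values are assumed placeholders; replace them with your own.
ext_if     = "em0"            # faces the Internet
dmz_if     = "em1"            # faces the DMZ (public addresses)
ssh1       = "203.0.113.10"   # SSH server in the DMZ
admin_host = "198.51.100.5"   # the one outside host the server may ssh to

set skip on lo

# Default deny, both directions, every interface. Direction is always
# relative to the firewall itself: "in" = a packet arriving on one of
# its interfaces, "out" = a packet leaving through one of its interfaces.
block log all

# A client on the Internet opens TCP to the SSH server. The firewall
# sees the very same SYN twice on its way through:
#   1. arriving on $ext_if  -> direction "in",  src = client, dst = $ssh1:22
#   2. leaving  via $dmz_if -> direction "out", src = client, dst = $ssh1:22
# "from ... to ..." describes the IP header, so it is identical in both
# rules; only "in"/"out" and "on <interface>" differ.
pass in  quick on $ext_if inet proto tcp from any to $ssh1 port ssh \
    flags S/SA keep state label "SSH1"
pass out quick on $dmz_if inet proto tcp from any to $ssh1 port ssh \
    flags S/SA keep state label "SSH1"

# No rule is needed for the replies (src = $ssh1:22, dst = client):
# "keep state" (the default for pass rules in current pf, written out
# here for clarity) records the connection in the state table, and a
# packet that matches an existing state is passed before the ruleset
# is consulted at all.

# Contrast: a rule written "from $ssh1 to any port ssh" matches a
# different thing entirely, namely the SSH *server* opening a new
# connection to port 22 somewhere else. A compromised DMZ host would
# use exactly that path to move laterally, so if you allow it at all,
# pin it to the one destination you actually need:
pass in  quick on $dmz_if inet proto tcp from $ssh1 to $admin_host port ssh \
    flags S/SA keep state label "SSH1-outbound"
pass out quick on $ext_if inet proto tcp from $ssh1 to $admin_host port ssh \
    flags S/SA keep state label "SSH1-outbound"
```

Load it with `pfctl -nf /etc/pf.conf` first (`-n` parses without loading) and then watch `pfctl -ss` while a client connects: you will see a single state entry per connection, with no separate "reverse" rule ever having been matched.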

