#6
13th August 2012
nekoneko (New User, Join Date: Aug 2012, Posts: 3)

Sorry, I probably didn't use very clear terminology. By listening, I meant listening and potentially accepting connections on running services.

For example, if I were setting up a router using iptables, I would configure the INPUT chain to drop all incoming connections, then set the POSTROUTING chain to do NAT between the private and Internet interfaces. Thus, the router would not accept connections on any port, even if there were a service running (e.g. httpd).

However, what I've gathered so far is that I can't do this with pf. If I want to use NAT to give Internet access to hosts on my internal network, I also need to expose any service that might be running on the router to the internal network.

I'm more concerned about this from a security perspective (best practices - no need to potentially expose services that I'm not using), not performance.

If this is the case and it's how pf works then that's fine - I just want to be clear that this is how it's intended to work, and there's not some setting that I'm missing.

Thanks
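As an added example (not from the original post or from this forum), a pf.conf that performs the NAT described above for internal hosts while keeping every service on the router itself unreachable from the internal side, with the looser variant shown alongside for comparison. It assumes OpenBSD pf 4.7+ syntax (`match ... nat-to`); the interface names and the internal subnet are placeholders.

```pf
# Added example, not the poster's config. OpenBSD pf.conf, pf 4.7+ syntax.
# Interface names and the internal subnet below are assumptions.
ext_if  = "em0"
int_if  = "em1"
int_net = "192.168.1.0/24"

set skip on lo

# Translate everything that leaves the external interface from the LAN
# (the pf counterpart of the iptables POSTROUTING MASQUERADE rule).
match out on $ext_if from $int_net to any nat-to ($ext_if)

# Default deny in both directions: nothing listening on the router is
# reachable from any side unless a later rule passes it explicitly.
block all

# Weak variant: lets LAN hosts reach any daemon on the router (httpd, sshd,
# etc.), because "to any" also matches the router's own addresses.
#   pass in on $int_if from $int_net to any keep state

# Corrected variant: first refuse LAN packets addressed to any address the
# router itself holds ("self" expands to all interface addresses); "quick"
# ends rule evaluation so the pass rule below cannot override it. Then let
# the remaining LAN traffic in so it can be forwarded and translated.
block in quick on $int_if from $int_net to self
pass  in on $int_if from $int_net to any keep state

# Forwarded (now translated) traffic and the router's own outbound
# connections may leave; replies come back via the state entries.
pass out on $ext_if keep state
pass out on $int_if keep state
```

On FreeBSD's older pf the translation line is instead `nat on $ext_if from $int_net to any -> ($ext_if)`; the filter rules are unchanged. Check the result with `pfctl -sr` and, from a LAN host, confirm that a connection to the router's own address on a listening port is dropped while Internet-bound traffic still passes.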