#5
13th August 2012
jggimi
More noise than signal
Join Date: May 2008
Location: USA
Posts: 6,911

So does that mean that I would need to specifically open port 80, 443, etc on em0 to allow traffic to get out to the Internet? This is what I don't really want to do - I'd rather not have the router unnecessarily listening on all those ports.
PF does not know which of your NICs connects you to the Internet, nor which is your private network. It only knows the filtering rules you set for each NIC.
  • These rules either pass or block, and may be bidirectional or for inbound or outbound traffic.
  • Inbound rules affect traffic coming in to the gateway. In this case, you have two rules that affect unsolicited inbound traffic: your first rule blocks all inbound traffic of all kinds, and then you have a pass which only permits inbound access to the gateway for ssh traffic from the em0 NIC. Your third rule, the pass out rule (when it applies), will permit return traffic inbound for active TCP sessions ("keep state" is the default).
PF is active. Your router is already "listening" to all traffic on all NICs, making decisions based upon your PF rules to pass or block. PF runs in the kernel; there is little performance impact to adding additional pass rules. There will be some memory used for state tables. The default maximum is 10,000 state table entries -- that's 10,000 active sessions.
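The three rules described in the post, written out as a complete pf.conf. This is an added example, not the ruleset posted in the thread or anything from the PF project itself; the macro names, the private-side interface em1 and the last "pass in on $int_if" rule are assumptions made here to give a working gateway configuration.

```pf
# Added example pf.conf, OpenBSD syntax. em0 is the Internet-facing NIC
# (from the question); em1 is an ASSUMED name for the private-side NIC.
ext_if = "em0"
int_if = "em1"

# Explicitly set the state-table ceiling the post mentions (10,000 is the
# default, so this line only makes it visible).
set limit states 10000

# Rule 1: drop all unsolicited inbound traffic on every NIC. PF does not
# know which NIC is "outside"; this applies equally to em0 and em1.
block in all

# Rule 2: the only inbound hole to the gateway itself: ssh arriving on em0,
# addressed to em0's own address.
pass in on $ext_if inet proto tcp to ($ext_if) port ssh

# Rule 3: let anything out. "keep state" is implied, so a state entry is
# created per session and the replies (for example from port 80/443 web
# servers) are passed back in by that state, with no "pass in ... port 80"
# rule needed. Without "quick", the LAST matching rule wins, so this rule
# never overrides the block above for unsolicited inbound packets.
pass out all

# ASSUMED extra rule: LAN hosts' traffic first enters the gateway on em1,
# where rule 1 would block it. Pass it in on the private NIC so rule 3 can
# then let it out em0 (a NAT "match ... nat-to" rule, if your LAN uses
# private addresses, is outside the scope of this example).
pass in on $int_if inet from $int_if:network

# Checks a practitioner would run after editing:
#   pfctl -nf /etc/pf.conf      parse only, report syntax errors
#   pfctl -f  /etc/pf.conf      load the ruleset
#   pfctl -s rules              confirm rule order and implicit keep state
#   pfctl -s states | wc -l     how many of the 10,000 entries are in use
#   pfctl -s info               "current entries" and the "limit" counter
```

The rule order matters: PF evaluates the whole ruleset and the last match decides, so the broad block comes first and the narrow passes follow. If `pfctl -s info` shows the state counter at or near the limit, raise `set limit states` rather than opening inbound ports.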