Is it better to apply egress filtering rules on the internal interface
of the firewall or the external interface?
A snippet of my rules looks like this right now:
(I'm filtering on both interfaces)
pass in quick on $int_if inet proto tcp from $int_if:network to any port $tcp_ports modulate state
pass in quick on $int_if inet proto udp from $int_if:network to any port $udp_ports keep state
pass in quick on $int_if inet proto icmp all keep state
pass out quick on $ext_if inet proto tcp from $ext_if to any port $tcp_ports modulate state
pass out quick on $ext_if inet proto udp from $ext_if to any port $udp_ports keep state
pass out quick on $ext_if inet proto icmp from $ext_if to any keep state
Also, by doing this, am I creating duplicate state tables? Is this a bad
thing?
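As an added example (not the original poster's ruleset), the same egress policy enforced once, on the internal interface, with a default-deny block and a separate pass-out rule only for traffic the firewall itself originates; the interface names, port macros and `state-policy` setting are assumptions:

```pf
# Added example, not the original poster's configuration.
# Assumed interface names and port lists.
ext_if = "em0"
int_if = "em1"
tcp_ports = "{ 22 53 80 443 }"
udp_ports = "{ 53 123 }"

set skip on lo
# Floating is the default: a state entry is not bound to the interface it was
# created on, so a packet that created state on $int_if is matched by that
# same entry when it leaves on $ext_if, and so are the replies coming back.
set state-policy floating

# Default deny in both directions on every interface; anything not explicitly
# passed below is dropped and logged, which gives a detection point for
# unexpected egress attempts from the LAN.
block log all

# Egress policy applied once, as LAN traffic enters the firewall on $int_if.
# Because the state above is floating, no pass-out rule on $ext_if is
# evaluated for these flows and no second state entry is created for them.
pass in quick on $int_if inet proto tcp from $int_if:network to any port $tcp_ports modulate state
pass in quick on $int_if inet proto udp from $int_if:network to any port $udp_ports keep state
pass in quick on $int_if inet proto icmp from $int_if:network to any icmp-type echoreq keep state

# Only traffic sourced from the firewall's own external address (DNS, NTP)
# needs a pass-out rule on $ext_if; forwarded LAN traffic is already covered.
pass out quick on $ext_if inet proto { tcp udp } from ($ext_if) to any port { 53 123 } keep state
```

Check the syntax without loading it with `pfctl -nf /etc/pf.conf`, and after loading inspect `pfctl -ss` to confirm a forwarded flow shows up as a single state entry rather than one per interface.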