There is unneeded duplication in your setup. If all your box is doing is acting as a firewall, then you're modifying the states twice with modulate state. The primary use of modulate state is to re-generate the sequence numbers to protect weak hosts behind your firewall. You don't (or shouldn't) need to protect any services on your BSD firewall from that, so it's only really necessary on the external interface. At the same time, it's not like modulate state consumes massive amounts of resources, and the duplicated rules consume irrelevantly small amounts of memory. So if you blanket-apply it, it's no huge deal.
So to answer your question, it's generally better (if you are to pick one) to apply egress (and ingress) filtering on the external interface, but there are reasons to filter on the internal interface if you are running services or have other networks on your firewall and you want to control access to it/them. This is more true if it's not just you on the inside of your firewall, but other users as well.

--
Cheers,
Christopher Hylarides

> Is it better to apply egress filtering rules on the internal interface
> of the firewall or the external interface?
>
> A snippet of my rules looks like this right now:
> (I'm filtering on both interfaces)
>
> pass in quick on $int_if inet proto tcp from $int_if:network to any port
> $tcp_ports modulate state
> pass in quick on $int_if inet proto udp from $int_if:network to any port
> $udp_ports keep state
> pass in quick on $int_if inet proto icmp all keep state
>
> pass out quick on $ext_if inet proto tcp from $ext_if to any port
> $tcp_ports modulate state
> pass out quick on $ext_if inet proto udp from $ext_if to any port
> $udp_ports keep state
> pass out quick on $ext_if inet proto icmp from $ext_if to any keep state
>
> Also, by doing this, am I creating duplicate state tables? Is this a bad
> thing?
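As an added example (not part of this thread and not the poster's ruleset), here is a pf.conf that follows the advice above: the internal interface only admits LAN traffic with keep state, and egress policy plus modulate state live on the external interface, so each connection gets one state entry and its ISN is rewritten once, on the untrusted side. Interface names and port lists are assumptions.

```pf
# Constructed example; em0/em1 and the port lists are assumed values.
ext_if = "em0"
int_if = "em1"
tcp_ports = "{ 22, 80, 443 }"   # outbound TCP the LAN is allowed to reach
udp_ports = "{ 53, 123 }"       # outbound UDP the LAN is allowed to reach

set skip on lo
block log all                   # default deny on every interface, logged

# Drop spoofed sources on both sides before any pass rule is considered.
antispoof quick for { $int_if $ext_if }

# Internal side: let LAN hosts into the forwarding path. keep state is
# enough here; there is nothing on the trusted side that needs ISN rewriting.
pass in quick on $int_if inet proto { tcp udp } from $int_if:network to any keep state
pass in quick on $int_if inet proto icmp from $int_if:network to any keep state

# External side: egress policy is enforced here, and modulate state is
# applied once, where the LAN's TCP stacks are exposed to the outside.
pass out quick on $ext_if inet proto tcp from any to any port $tcp_ports modulate state
pass out quick on $ext_if inet proto udp from any to any port $udp_ports keep state
pass out quick on $ext_if inet proto icmp from any to any keep state
```

Check the syntax with `pfctl -nf /etc/pf.conf` before loading, and use `pfctl -ss` to confirm that a single LAN connection now shows up as one state entry rather than two.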

