Maxim Khitrov wrote:
block in quick on $int_if from !$int_if:network
block in quick on !$int_if from $int_if:network
block in quick from $int_if

The OpenBSD pf faq states that urpf-check is equivalent to the antispoof rules, but the antispoof section lists only the last two rules in my example as being equivalent. So the question is does urpf imply the first rule as well?

Not if uRPF is intended as a general mechanism. What would happen if
you applied that on $ext_if (the external interface you connect to the rest of
the internet with)? It's perfectly valid for packets from other than directly
attached networks to be passed by your firewall -- not doing that would, in
fact, completely negate your web browsing experience...
Cheers,
Matthew
--
Dr Matthew J Seaman MA, D.Phil. 7 Priory Courtyard
Flat 3
PGP: http://www.infracaninophile.co.uk/pgpkey Ramsgate
Kent, CT11 9PW
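
An added illustration, not part of either message and not pf's own logic: a simplified Python model of the first two quoted rules next to a strict uRPF check (a packet passes only when the route back to its source leaves by the interface it arrived on). The interface names, addresses and routing table are constructed assumptions, and the third quoted rule is not modelled.

```python
import ipaddress

# Constructed topology (assumed for illustration; not taken from the thread).
NET = {"int0": ipaddress.ip_network("192.168.1.0/24"),
       "ext0": ipaddress.ip_network("203.0.113.0/24")}
# Routing table: connected networks plus a default route out the external side.
ROUTES = [(NET["int0"], "int0"), (NET["ext0"], "ext0"),
          (ipaddress.ip_network("0.0.0.0/0"), "ext0")]

def route_iface(src):
    """Longest-prefix match: the interface holding the route back to src."""
    addr = ipaddress.ip_address(src)
    return max((net.prefixlen, ifc) for net, ifc in ROUTES if addr in net)[1]

def rule1_blocks(ifc, in_if, src):
    """block in quick on $ifc from !$ifc:network"""
    return in_if == ifc and ipaddress.ip_address(src) not in NET[ifc]

def rule2_blocks(ifc, in_if, src):
    """block in quick on !$ifc from $ifc:network"""
    return in_if != ifc and ipaddress.ip_address(src) in NET[ifc]

def urpf_blocks(in_if, src):
    """Strict uRPF: block when the route back to src leaves by another interface."""
    return route_iface(src) != in_if

def compare(packets):
    """Per-packet verdicts: (rule 1 on int0, rule 1 on ext0, rule 2 for int0, uRPF)."""
    return [(rule1_blocks("int0", i, s), rule1_blocks("ext0", i, s),
             rule2_blocks("int0", i, s), urpf_blocks(i, s)) for i, s in packets]

# Constructed sample packets: (arrival interface, source address).
PACKETS = [("int0", "192.168.1.50"),   # LAN host arriving on the LAN side
           ("int0", "198.51.100.7"),   # foreign source arriving on the LAN side
           ("ext0", "192.168.1.50"),   # LAN source arriving from outside (spoofed)
           ("ext0", "198.51.100.7")]   # ordinary internet host arriving on ext0

if __name__ == "__main__":
    labels = ("rule1@int0", "rule1@ext0", "rule2@int0", "urpf")
    for pkt, verdict in zip(PACKETS, compare(PACKETS)):
        print(pkt, dict(zip(labels, verdict)))
```

In this model the uRPF check blocks the foreign source arriving on int0, as the first rule does there, but unlike that rule applied to ext0 it lets the ordinary internet source through.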
