On Sat, Sep 12, 2009 at 9:10 AM, Matthew Seaman <[email protected]> wrote:
> Maxim Khitrov wrote:
>
>> block in quick on $int_if from !$int_if:network
>> block in quick on !$int_if from $int_if:network
>> block in quick from $int_if
>>
>> The OpenBSD pf FAQ states that urpf-check is equivalent to the
>> antispoof rules, but the antispoof section lists only the last two
>> rules in my example as being equivalent. So the question is: does urpf
>> imply the first rule as well?
>
> Not if uRPF is intended as a general mechanism. What would happen if
> you applied that on $ext_if (the external interface you connect to the
> rest of the internet with)? It's perfectly valid for packets from other
> than directly attached networks to be passed by your firewall -- not
> doing that would, in fact, completely negate your web browsing
> experience...
>
> Cheers,
>
> Matthew
Right, I should have mentioned that I'm only talking about internal
interfaces that serve separate 10.x/16 networks. My $int_if network is
10.0/16 and it is not the default route. Under those conditions, would the
urpf check block any traffic coming in on $int_if that doesn't come from the
10.0/16 network? If not, can you give me an example of what would be
allowed?

One other related question. Would urpf block a packet arriving on any
physical interface that has a source IP of 127.0.0.1 or any other IP
assigned to the firewall itself?

- Max

_______________________________________________
[email protected] mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "[email protected]"
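The cases Max asks about (traffic on $int_if not sourced from 10.0/16, a loopback or firewall-owned source address on a physical interface) can be tried against a model of what pf's urpf-failed keyword tests: pf.conf(5) describes it as matching when the route back to the packet's source address does not leave via the interface the packet arrived on. The script below is an added example, not code from this thread or from pf; it builds a routing table by hand in the poster's layout (10.0/16 on int_if, a second 10.1/16 internal network on int2_if, default route via ext_if) and runs that lookup. The interface names, addresses and the routing table are constructed, and the host routes for the firewall's own addresses via lo0 are an assumption about how the kernel installs local addresses, so treat those two verdicts as illustrating the rule rather than as a statement about any particular system.

```python
"""Strict unicast reverse-path forwarding (uRPF) check, simulated.

Added example for the freebsd-questions thread on urpf-check vs. antispoof.
Not code from the thread or from pf. It models the lookup behind pf's
urpf-failed keyword: find the route for the packet's source address and
compare that route's egress interface with the ingress interface. All
interface names, addresses and routes below are constructed.
"""
import ipaddress

# Constructed routing table: (destination prefix, egress interface).
# Layout from the thread: $int_if serves 10.0/16 and is not the default
# route; a second internal interface serves 10.1/16; default via $ext_if.
# The host routes via lo0 for the firewall's own addresses and for the
# loopback prefix are an assumption about how the kernel installs local
# addresses, made here so those cases can be exercised.
ROUTES = [
    ("0.0.0.0/0", "ext_if"),         # default route
    ("10.0.0.0/16", "int_if"),       # $int_if:network
    ("10.1.0.0/16", "int2_if"),      # another internal /16
    ("127.0.0.0/8", "lo0"),          # loopback (assumed)
    ("10.0.0.1/32", "lo0"),          # $int_if's own address (assumed)
    ("10.1.0.1/32", "lo0"),          # int2_if's own address (assumed)
    ("198.51.100.1/32", "lo0"),      # $ext_if's own address (assumed, TEST-NET-2)
]
ROUTE_TABLE = [(ipaddress.ip_network(p), ifn) for p, ifn in ROUTES]


def route_lookup(addr, table=ROUTE_TABLE):
    """Return the egress interface for addr by longest-prefix match,
    or None when no route covers it."""
    ip = ipaddress.ip_address(addr)
    best = None
    for net, ifn in table:
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, ifn)
    return best[1] if best else None


def urpf_failed(src, in_if, table=ROUTE_TABLE):
    """True when strict uRPF would reject the packet: the route back to
    src does not go out the interface it arrived on, or there is no
    route to src at all."""
    return route_lookup(src, table) != in_if


def main():
    # Constructed packets: (source address, ingress interface).
    cases = [
        ("10.0.5.5", "int_if"),     # legitimate host on $int_if's network
        ("10.1.5.5", "int_if"),     # belongs behind int2_if, arrived on int_if
        ("192.0.2.9", "int_if"),    # internet source arriving on int_if
        ("192.0.2.9", "ext_if"),    # same source on the external side
        ("10.0.5.5", "ext_if"),     # internal address arriving from outside
        ("127.0.0.1", "int_if"),    # loopback source on a physical interface
        ("10.0.0.1", "int_if"),     # the firewall's own $int_if address
    ]
    for src, in_if in cases:
        verdict = "block (urpf-failed)" if urpf_failed(src, in_if) else "pass"
        print(f"{src:>12} in on {in_if:<8} route via {route_lookup(src) or '-':<8} -> {verdict}")


if __name__ == "__main__":
    main()
```

With the default route on ext_if, every source that is not behind int_if fails the check when it arrives on int_if, because its best route leaves via some other interface; the same table shows that a default route is exactly why the check cannot be applied on the external interface, which is Matthew's point above. Replacing ROUTES with the output of `netstat -rn` on a real box would make the model reflect that box's actual routing.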
