Rule equivalence of pf uRPF check

Maxim Khitrov mkhitrov at
Sat Sep 12 12:50:09 UTC 2009

Hello all,

I sent this message to -pf list, but no one answered. I would like to
verify my assumptions regarding the way pf's uRPF check works. I'm
using a Soekris net5501 board as a firewall; port 0 ($ext_if) is
internet uplink, ports 1-3 ($int_if, $mil_if, $vpn_if) are separate
lan segments that should not be communicating with one another. Here
is the start of my filter section:

# Block all traffic by default
block log

# Broadcast DHCP traffic must be passed before urpf check
pass in quick on !$ext_if proto udp from port dhcpc to port dhcps

# Enable source address spoofing protection
block in quick from urpf-failed

The question I have is whether the urpf-failed check is equivalent to
the following three rules for each of the interfaces (I'm using
$int_if as an example here):

block in quick on $int_if from !$int_if:network
block in quick on !$int_if from $int_if:network
block in quick from $int_if

The OpenBSD pf faq states that urpf-check is equivalent to the
antispoof rules, but the antispoof section lists only the last two
rules in my example as being equivalent. So the question is: does urpf
imply the first rule as well?

- Max
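As an added illustration (not part of Max's post or of pf itself): a small Python model of a strict reverse-path check, i.e. a route lookup on the source address that passes only when the route's egress interface is the interface the packet arrived on, as pf.conf(5) describes for urpf-failed, placed beside the three explicit block rules from the post expanded for the three LAN interfaces. The addresses, the routing table and the extra static route via $int_if are constructed for the example; the static route is there to make the difference between a route-table check and a connected-network check visible.

```python
from ipaddress import ip_address, ip_network

# Constructed topology (assumption, not from the post): interface -> (connected network, own address)
IFACES = {
    "ext_if": ("203.0.113.0/30", "203.0.113.2"),
    "int_if": ("192.168.1.0/24", "192.168.1.1"),
    "mil_if": ("192.168.2.0/24", "192.168.2.1"),
    "vpn_if": ("10.8.0.0/24", "10.8.0.1"),
}
LAN_IFACES = ("int_if", "mil_if", "vpn_if")   # the rules in the post are written per LAN interface

def routing_table():
    """Connected routes, a default via ext_if, own addresses as host routes via lo0,
    plus one constructed static route that leaves via int_if but is not int_if:network."""
    routes = [(ip_network("0.0.0.0/0"), "ext_if"), (ip_network("172.16.0.0/16"), "int_if")]
    for ifname, (net, addr) in IFACES.items():
        routes.append((ip_network(net), ifname))
        routes.append((ip_network(addr + "/32"), "lo0"))
    return routes

def urpf_failed(src, in_if):
    """Strict reverse-path check: the longest-prefix route for src must leave via in_if."""
    src = ip_address(src)
    best = max((r for r in routing_table() if src in r[0]), key=lambda r: r[0].prefixlen)
    return best[1] != in_if

def explicit_rules_block(src, in_if):
    """The three rules from the post, expanded for every LAN interface."""
    src = ip_address(src)
    for ifname in LAN_IFACES:
        net, addr = IFACES[ifname]
        network = ip_network(net)
        if in_if == ifname and src not in network:   # block in quick on $if from !$if:network
            return True
        if in_if != ifname and src in network:       # block in quick on !$if from $if:network
            return True
        if src == ip_address(addr):                  # block in quick from $if
            return True
    return False

def compare(packets):
    """Return (src, in_if, blocked_by_urpf, blocked_by_rules) for each constructed packet."""
    return [(s, i, urpf_failed(s, i), explicit_rules_block(s, i)) for s, i in packets]

if __name__ == "__main__":
    sample = [("192.168.1.50", "int_if"), ("192.168.2.5", "int_if"), ("8.8.8.8", "int_if"),
              ("192.168.1.50", "ext_if"), ("192.168.1.1", "mil_if"),
              ("198.51.100.7", "ext_if"), ("172.16.5.9", "int_if")]
    for row in compare(sample):
        print(row)
```

In this model the two checks agree on every packet except the one from the statically routed 172.16.0.0/16 arriving on int_if, which the route-based check accepts and the first explicit rule blocks.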

More information about the freebsd-questions mailing list