Rule equivalence of pf uRPF check

Matthew Seaman m.seaman at infracaninophile.co.uk
Sat Sep 12 13:10:26 UTC 2009


Maxim Khitrov wrote:

> block in quick on $int_if from !$int_if:network
> block in quick on !$int_if from $int_if:network
> block in quick from $int_if
> 
> The OpenBSD pf FAQ states that urpf-check is equivalent to the
> antispoof rules, but the antispoof section lists only the last two
> rules in my example as being equivalent. So the question is: does uRPF
> imply the first rule as well?

Not if uRPF is intended as a general mechanism.  What would happen if
you applied that on $ext_if (the external interface you connect to the
rest of the internet with)?  It's perfectly valid for packets from other
than directly attached networks to be passed by your firewall -- not doing
that would, in fact, completely negate your web browsing experience...

	Cheers,

	Matthew

-- 
Dr Matthew J Seaman MA, D.Phil.                   7 Priory Courtyard
                                                  Flat 3
PGP: http://www.infracaninophile.co.uk/pgpkey     Ramsgate
                                                  Kent, CT11 9PW

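The three rules from the question, placed beside the antispoof and uRPF forms they are being compared with, as an added illustration that is not part of the original thread. The interface names em0/em1 and the 192.168.1.0/24 internal network are assumed for the example; the macro-expanded forms in the comments are what pfctl prints for these assumptions.

```pf
# Added example, not from the original thread. Interface names and the
# 192.168.1.0/24 network are assumptions made for illustration only.
ext_if = "em0"    # assume the default route points out em0
int_if = "em1"    # assume em1 is 192.168.1.1/24, so $int_if:network is 192.168.1.0/24

# The three rules from the question, written with the spacing pf's own
# expansion output uses. Rule 1 has no antispoof counterpart; rules 2 and 3
# are exactly what "antispoof for $int_if" expands to.
block in quick on $int_if from ! $int_if:network      # rule 1
block in quick on ! $int_if from $int_if:network      # rule 2
block in quick from $int_if                           # rule 3

# Equivalent of rules 2 and 3 only. "pfctl -nvf /etc/pf.conf" shows the
# expansion under the assumptions above:
#   block drop in quick on ! em1 inet from 192.168.1.0/24 to any
#   block drop in quick inet from 192.168.1.1 to any
antispoof quick for $int_if

# The uRPF form from the pf FAQ. urpf-failed matches when the route to the
# packet's source address does not point back out the interface the packet
# arrived on. With the default route via $ext_if, a packet arriving on
# $ext_if from an arbitrary Internet source passes this check, which is why
# this rule can sit on every interface while rule 1 cannot be applied to
# $ext_if without blocking all inbound Internet traffic.
block in quick from urpf-failed label uRPF

pass out on $ext_if keep state
```

Before loading, run `pfctl -nvf /etc/pf.conf`: `-n` parses without loading, and `-v` prints the expanded rules, so the antispoof expansion can be compared against rules 2 and 3 directly. Because urpf-failed is decided purely from the routing table, it is only a sound anti-spoofing check where routing is symmetric; on a multi-homed host with asymmetric paths it will drop legitimate traffic.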