Rule equivalence of pf uRPF check

Maxim Khitrov mkhitrov at
Sat Sep 12 21:54:00 UTC 2009

On Sat, Sep 12, 2009 at 9:10 AM, Matthew Seaman <m.seaman at> wrote:
> Maxim Khitrov wrote:
>> block in quick on $int_if from !$int_if:network
>> block in quick on !$int_if from $int_if:network
>> block in quick from $int_if
>> The OpenBSD pf faq states that urpf-check is equivalent to the
>> antispoof rules, but the antispoof section lists only the last two
>> rules in my example as being equivalent. So the question is does urpf
>> imply the first rule as well?
> Not if uRPF is intended as a general mechanism.  What would happen if
> you applied that on $ext_if (the external interface you connect to the rest
> of the internet with)?  It's perfectly valid for packets from other than
> directly attached networks to be passed by your firewall -- not doing that
> would, in fact, completely negate your web browsing experience...
>        Cheers,
>        Matthew

Right, I should have mentioned that I'm only talking about internal
interfaces that serve separate 10.x/16 networks. My $int_if network is
10.0/16 and it is not the default route. Under those conditions, would
the urpf check block any traffic coming in on $int_if that doesn't
come from 10.0/16 network? If not, can you give me an example of what
would be allowed?

One other related question. Would urpf block a packet arriving on any
physical interface that has a source IP of or any other IP
assigned to the firewall itself?

- Max
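The two forms being compared in the thread above, written out as one pf.conf fragment. This is an added example, not configuration from the original poster or from the pf FAQ; the interface names, macro names and the two 10.x/16 networks are assumed for illustration. It shows what "antispoof" expands to for each internal interface (one statement per interface) next to the single "urpf-failed" rule, which pf.conf(5) documents as dropping a packet whose source address the routing table would send out a different interface than the one the packet arrived on.

```pf
# Added example (not from the original post). Names and addresses are
# assumed: a firewall with two internal interfaces on separate /16 nets.
int_if  = "em1"    # serves 10.0.0.0/16
int2_if = "em2"    # serves 10.1.0.0/16

# Form 1: explicit antispoof, one statement per internal interface.
# Each interface in the list expands to two rules, roughly:
#   block in quick on ! $int_if from $int_if:network to any
#   block in quick from ($int_if) to any
# The second rule uses the interface's own address(es), so the
# firewall's own IPs are blocked as a source on any inbound interface.
# Check the actual expansion without loading the ruleset:
#   pfctl -nvf /etc/pf.conf
antispoof quick for { $int_if $int2_if }

# Form 2: a single uRPF rule covering every interface. A packet is
# dropped when the route back to its source address does not point at
# the interface it came in on. Note that, unlike antispoof, this rule
# is also evaluated on $ext_if, so the routing table (default route
# included) decides what is accepted there.
block in quick from urpf-failed label "uRPF"
```

Loading both forms side by side and comparing "pfctl -vsr" output against a few test packets from a neighbouring host is the quickest way to see which packets each form drops on a given box, since urpf-failed depends on that box's routing table rather than on the interface's configured prefix.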

More information about the freebsd-questions mailing list