On Wed, Mar 03, 2004 at 09:24:41PM +1100, Damian McGuckin wrote:

> What is the difference between the 2 blocking rules below
> 
> ... table <garbage> { 127/8, 10/8, 172.16/12, 192.168/16, 255.255.255.255/32 }
> 
> ... block in log quick on $exIF from no-route to any
> ... block in log quick on $exIF from <garbage> to any
> 
> i.e. what does no-route expand to.

They are very different: no-route doesn't expand at all, but is
evaluated at run-time, matching addresses which the pf box doesn't have
routes to at the time of evaluation.

If your pf box has a default route configured, no-route is useless, as
you have a route to any address (through that default gateway). It only
makes sense on hosts without a default route. And there's no relation to
'unroutable' addresses like 192.168/16 or 10/8 at all; your host may
very well have routes to such networks.

On hosts without a default route, however, no-route can be used for
antispoof-like constructs. For instance, you might want to block
incoming packets from sources that you can't reply to, due to a lacking
route. No matter whether they be reserved addresses like 10/8 or not.

Daniel

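The distinction Daniel draws above, as an added example that is not part of the original thread and not pf's own code: a small Python model of the two rules. `has_route()` stands in for the run-time routing-table lookup behind `no-route`, `in_table()` for the static `<garbage>` table, and `decide()` reports whether each rule would block a given source. The routing tables and the sample source addresses are constructed for the illustration; with a default route present, the `no-route` rule never matches, while the table rule is unaffected by routing.

```python
import ipaddress

# Constructed sample data (not from the original thread): a routing table as a
# pf box might hold it, once without and once with a default route, plus the
# <garbage> table from the question.
ROUTES_NO_DEFAULT = ["192.0.2.0/24", "10.0.0.0/8", "198.51.100.0/24"]
ROUTES_WITH_DEFAULT = ROUTES_NO_DEFAULT + ["0.0.0.0/0"]
GARBAGE_TABLE = ["127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12",
                 "192.168.0.0/16", "255.255.255.255/32"]


def has_route(routes, src):
    """Model of the run-time route lookup behind 'no-route': True if any
    entry in the routing table covers src. A default route (0.0.0.0/0)
    covers every address, so nothing is ever 'no-route' with one present."""
    addr = ipaddress.ip_address(src)
    return any(addr in ipaddress.ip_network(r) for r in routes)


def in_table(table, src):
    """Static table lookup: True if src falls inside one of the listed
    prefixes. Routing plays no part in this decision."""
    addr = ipaddress.ip_address(src)
    return any(addr in ipaddress.ip_network(t) for t in table)


def decide(routes, table, src):
    """Would each rule block a packet from src?
    'block in ... from no-route'  -> blocks when the box has no route to src
    'block in ... from <garbage>' -> blocks when src is listed in the table"""
    return {"no-route": not has_route(routes, src), "table": in_table(table, src)}


if __name__ == "__main__":
    samples = ["10.1.2.3", "192.168.1.1", "203.0.113.9", "127.0.0.1"]
    for name, routes in (("no default route", ROUTES_NO_DEFAULT),
                         ("with default route", ROUTES_WITH_DEFAULT)):
        print(f"--- {name} ---")
        for src in samples:
            print(f"{src:>16}: {decide(routes, GARBAGE_TABLE, src)}")
```

Running it shows 10.1.2.3 blocked by the table rule but passed by `no-route` in both cases (the box has a 10/8 route), 203.0.113.9 blocked by `no-route` only on the host without a default route, and 192.168.1.1 blocked by both rules there; once the default route is added, `no-route` matches nothing at all.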