Maxim Khitrov wrote:
> block in quick on $int_if from !$int_if:network
> block in quick on !$int_if from $int_if:network
> block in quick from $int_if
>
> The OpenBSD pf faq states that urpf-check is equivalent to the antispoof rules, but the antispoof section lists only the last two rules in my example as being equivalent. So the question is does urpf imply the first rule as well?
Not if uRPF is intended as a general mechanism. What would happen if you applied that on $ext_if (the external interface you connect to the rest of the internet with)? It's perfectly valid for packets from other than directly attached networks to be passed by your firewall -- not doing that would, in fact, completely negate your web browsing experience...

Cheers,

Matthew

-- 
Dr Matthew J Seaman MA, D.Phil.                   7 Priory Courtyard
                                                  Flat 3
PGP: http://www.infracaninophile.co.uk/pgpkey     Ramsgate
                                                  Kent, CT11 9PW
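To make the difference between the route-based uRPF check and the three explicit rules concrete, here is an added simulation (not code from the thread, and not pf itself) that evaluates both against a constructed routing table. The interface names (em0 as $int_if, em1 as $ext_if), addresses, the extra 10.10.0.0/16 subnet routed behind the LAN, and the sample packets are all assumptions made for the example. The check models pf's `urpf-failed`: a packet fails when it did not arrive on the interface that the route back to its source would use.

```python
"""Simulate pf's strict uRPF check (urpf-failed) next to the three explicit
block rules from the question, on a constructed routing table.

Added illustration, not code from the thread or from pf.  The topology,
interface names and addresses are assumptions for the example.
"""
import ipaddress

INT_IF = "em0"                                      # $int_if (assumed name)
EXT_IF = "em1"                                      # $ext_if (assumed name)
INT_IF_ADDR = ipaddress.ip_address("192.168.1.1")   # firewall's LAN address
INT_NET = ipaddress.ip_network("192.168.1.0/24")    # $int_if:network

# Constructed routing table: (destination prefix, outgoing interface).
# 10.10.0.0/16 models a second subnet behind a router on the LAN: it is
# reachable through $int_if but is not $int_if's directly attached network.
ROUTES = [
    (ipaddress.ip_network("192.168.1.0/24"), INT_IF),
    (ipaddress.ip_network("10.10.0.0/16"), INT_IF),
    (ipaddress.ip_network("203.0.113.0/24"), EXT_IF),
    (ipaddress.ip_network("0.0.0.0/0"), EXT_IF),      # default route
]


def reverse_path_iface(src):
    """Longest-prefix match: the interface a packet *to* src would leave on."""
    best = None
    for net, iface in ROUTES:
        if src in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best[1] if best else None


def urpf_failed(src, in_if):
    """pf's 'urpf-failed': true when the packet did not arrive on the
    interface that the route back to its source address would use."""
    return reverse_path_iface(src) != in_if


def rule1_blocks(src, in_if):
    """block in quick on $int_if from !$int_if:network"""
    return in_if == INT_IF and src not in INT_NET


def rule2_blocks(src, in_if):
    """block in quick on !$int_if from $int_if:network"""
    return in_if != INT_IF and src in INT_NET


def rule3_blocks(src, in_if):
    """block in quick from $int_if  (the interface's own address)"""
    return src == INT_IF_ADDR


def verdicts(src, in_if):
    """Return (blocked_by_urpf, blocked_by_explicit_rules) for one packet."""
    src = ipaddress.ip_address(src)
    explicit = (rule1_blocks(src, in_if) or rule2_blocks(src, in_if)
                or rule3_blocks(src, in_if))
    return urpf_failed(src, in_if), explicit


def compare():
    """Constructed packets (source, ingress interface) mapped to both verdicts."""
    packets = [
        ("192.168.1.50", INT_IF),   # normal LAN host
        ("10.10.5.7", INT_IF),      # routed subnet behind the LAN
        ("198.51.100.9", EXT_IF),   # ordinary Internet source
        ("192.168.1.50", EXT_IF),   # LAN source address arriving from outside
        ("198.51.100.9", INT_IF),   # Internet source address arriving inside
        ("192.168.1.1", INT_IF),    # firewall's own LAN address arriving inside
    ]
    return {(s, i): verdicts(s, i) for s, i in packets}


if __name__ == "__main__":
    for (src, iface), (u, e) in compare().items():
        print(f"{src:>14} on {iface}: urpf-failed={u!s:5} explicit-rules-block={e!s:5}")
```

Two packets separate the mechanisms: 10.10.5.7 arriving on em0 passes uRPF (the route back leaves via em0) but is blocked by the first rule, and the firewall's own address 192.168.1.1 arriving on em0 passes uRPF but is blocked by the third rule. The Internet source on em1 passes uRPF because the default route points out em1, which is why a rule of the first rule's shape makes no sense on $ext_if.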