Maxim Khitrov wrote:

block in quick on $int_if from !$int_if:network
block in quick on !$int_if from $int_if:network
block in quick from $int_if

The OpenBSD pf faq states that urpf-check is equivalent to the
antispoof rules, but the antispoof section lists only the last two
rules in my example as being equivalent. So the question is does urpf
imply the first rule as well?

Not if uRPF is intended as a general mechanism.  What would happen if
you applied that on $ext_if (the external interface you connect to the rest of
the internet with)?  It's perfectly valid for packets from other than directly
attached networks to be passed by your firewall -- not doing that would, in 
completely negate your web browsing experience...



Dr Matthew J Seaman MA, D.Phil.                   7 Priory Courtyard
                                                 Flat 3
PGP:     Ramsgate
                                                 Kent, CT11 9PW
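
Added example (not part of the original thread): a small Python model of the reply's point, with the three quoted rules parameterised by interface and a strict uRPF lookup run against a constructed routing table. The interface names em0/em1, the addresses and the routes are assumptions made for illustration.

```python
import ipaddress

# Constructed topology (assumption, not from the thread):
# em0 plays $ext_if, em1 plays $int_if.
IFACES = {
    "em0": ipaddress.ip_interface("203.0.113.2/24"),
    "em1": ipaddress.ip_interface("192.168.1.1/24"),
}
# Constructed routing table: (prefix, egress interface), default via em0.
ROUTES = [
    (ipaddress.ip_network("0.0.0.0/0"), "em0"),
    (ipaddress.ip_network("203.0.113.0/24"), "em0"),
    (ipaddress.ip_network("192.168.1.0/24"), "em1"),
]


def manual_rules(target, in_if, src):
    """Evaluate the three quoted rules with $int_if replaced by `target`.

    Returns the number of the first rule that blocks, or 0 if none does.
    """
    src = ipaddress.ip_address(src)
    net = IFACES[target].network
    if in_if == target and src not in net:
        return 1  # block in quick on $if from !$if:network
    if in_if != target and src in net:
        return 2  # block in quick on !$if from $if:network
    if src == IFACES[target].ip:
        return 3  # block in quick from $if (the firewall's own address)
    return 0


def urpf_failed(in_if, src):
    """Strict uRPF: fail unless the best route back to src leaves via in_if."""
    src = ipaddress.ip_address(src)
    matches = [r for r in ROUTES if src in r[0]]
    best = max(matches, key=lambda r: r[0].prefixlen)  # longest prefix wins
    return best[1] != in_if


if __name__ == "__main__":
    # An Internet host (constructed address) arriving on the external side.
    print("rule 1 applied to em0 blocks:", manual_rules("em0", "em0", "198.51.100.7"))
    print("uRPF on em0 fails:", urpf_failed("em0", "198.51.100.7"))
    # An internal source address arriving on the external side.
    print("rule 2 for em1 blocks:", manual_rules("em1", "em0", "192.168.1.50"))
    print("uRPF on em0 fails:", urpf_failed("em0", "192.168.1.50"))
```

In this model the first rule, written for the external interface, drops every source outside the attached /24, while the uRPF lookup accepts the same packet because the default route points back out of that interface.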
