On Sat, Sep 12, 2009 at 9:10 AM, Matthew
Seaman<m.sea...@infracaninophile.co.uk> wrote:
> Maxim Khitrov wrote:
>
>> block in quick on $int_if from !$int_if:network
>> block in quick on !$int_if from $int_if:network
>> block in quick from $int_if
>>
>> The OpenBSD pf faq states that urpf-check is equivalent to the
>> antispoof rules, but the antispoof section lists only the last two
>> rules in my example as being equivalent. So the question is does urpf
>> imply the first rule as well?
>
> Not if uRPF is intended as a general mechanism.  What would happen if
> you applied that on $ext_if (the external interface you connect to the
> rest of the internet with)?  It's perfectly valid for packets from other
> than directly attached networks to be passed by your firewall -- not
> doing that would, in fact, completely negate your web browsing
> experience...
>
>        Cheers,
>
>        Matthew

Right, I should have mentioned that I'm only talking about internal
interfaces that serve separate 10.x/16 networks. My $int_if network is
10.0/16 and it is not the default route. Under those conditions, would
the urpf check block any traffic coming in on $int_if that doesn't
come from 10.0/16 network? If not, can you give me an example of what
would be allowed?

One other related question. Would urpf block a packet arriving on any
physical interface that has a source IP of 127.0.0.1 or any other IP
assigned to the firewall itself?

- Max
_______________________________________________
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "freebsd-questions-unsubscr...@freebsd.org"
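As an added illustration (not part of this thread and not pf's own code), the Python model below runs sample packets through a strict reverse-path check and through the three explicit rules quoted above. Strict-mode uRPF is modelled the textbook way: the packet is blocked unless the best route back to its source address leaves through the interface it arrived on. The routing table, interface names and addresses are constructed for the example; 172.16.0.0/12 is a static route pointing at a downstream router behind $int_if, and the firewall's own addresses and 127/8 are listed via lo0 as the kernel installs them.

```python
import ipaddress

# Constructed routing table modelled on the thread's setup (not real config):
# $int_if serves 10.0/16 and is NOT the default route; a second internal
# interface serves 10.1/16; the default route leaves via $ext_if; one static
# route sends a further network to a downstream router behind $int_if.
ROUTES = [
    ("10.0.0.0/16", "int_if"),
    ("10.1.0.0/16", "int2_if"),
    ("172.16.0.0/12", "int_if"),      # static route via a router on $int_if
    ("203.0.113.0/24", "ext_if"),     # constructed external subnet
    ("0.0.0.0/0", "ext_if"),          # default route
    ("127.0.0.0/8", "lo0"),
    ("10.0.0.1/32", "lo0"),           # $int_if's own address, local -> lo0
    ("203.0.113.7/32", "lo0"),        # $ext_if's own address, local -> lo0
]

# Interface -> (directly attached network, interface address), i.e. what
# $if:network and $if expand to in pf.conf. Constructed values.
IFACES = {
    "int_if": ("10.0.0.0/16", "10.0.0.1"),
    "ext_if": ("203.0.113.0/24", "203.0.113.7"),
}


def route_lookup(dst, routes=ROUTES):
    """Longest-prefix match: the interface the kernel would send to dst through."""
    addr = ipaddress.ip_address(dst)
    best_net, best_if = None, None
    for net, iface in routes:
        n = ipaddress.ip_network(net)
        if addr in n and (best_net is None or n.prefixlen > best_net.prefixlen):
            best_net, best_if = n, iface
    return best_if


def urpf_strict_blocks(in_iface, src, routes=ROUTES):
    """Strict reverse-path check: block unless the best route back to src
    leaves through the interface the packet arrived on."""
    return route_lookup(src, routes) != in_iface


def explicit_rules_block(in_iface, src, iface="int_if"):
    """The three explicit rules from the thread, applied for one interface:
      block in quick on $if from !$if:network
      block in quick on !$if from $if:network
      block in quick from $if
    """
    net_str, addr_str = IFACES[iface]
    net = ipaddress.ip_network(net_str)
    s = ipaddress.ip_address(src)
    if in_iface == iface and s not in net:      # rule 1
        return True
    if in_iface != iface and s in net:          # rule 2
        return True
    if s == ipaddress.ip_address(addr_str):     # rule 3
        return True
    return False


def compare(packets, iface="int_if"):
    """Run each (in_iface, src) through both checks; returns a list of
    (in_iface, src, urpf_blocks, explicit_rules_block)."""
    return [(i, s, urpf_strict_blocks(i, s), explicit_rules_block(i, s, iface))
            for i, s in packets]


if __name__ == "__main__":
    # Constructed sample packets covering the cases raised in the thread.
    SAMPLE = [
        ("int_if", "10.0.5.6"),       # genuine LAN host
        ("int_if", "192.168.1.5"),    # spoofed source on $int_if
        ("int_if", "10.1.0.5"),       # other internal net's source on $int_if
        ("int_if", "127.0.0.1"),      # loopback source on a physical interface
        ("int_if", "10.0.0.1"),       # firewall's own address as source
        ("int_if", "172.16.1.1"),     # routed via $int_if but not attached
        ("ext_if", "10.0.0.9"),       # LAN source arriving from outside
        ("ext_if", "198.51.100.9"),   # ordinary internet host
    ]
    for in_if, src, u, e in compare(SAMPLE):
        print(f"{in_if:7} {src:14} uRPF blocks={u!s:5} explicit rules block={e}")
```

Under this model the two checks agree on $int_if for the spoofed, other-internal-network, loopback and own-address sources, because the route back to each of them leaves through some other interface (or lo0). They differ for a source that is routed via $int_if without being directly attached: the reverse-path check passes it, while the first explicit rule blocks it. Calling `compare(SAMPLE, iface="ext_if")` reproduces the point made in the quoted reply: applied to the default-route interface, the first explicit rule blocks every ordinary internet source, whereas the reverse-path check passes them because the default route leaves via that interface.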
