On Fri, May 21, 2021 at 05:32:32AM +0000, Mogens Jensen wrote:
> The antispoof directive will expand to two block rules with IP address
> of the interface, so I would think that with a dynamic IP, the interface
> should be surrounded in parentheses like this:
>
> antispoof for (wi0)
quoting pf.conf(5): "The antispoof directive expands to a set of filter rules which will block all traffic with a source IP from the network(s) directly connected to the specified interface(s) from entering the system through any other interface."

This means essentially that the sample rules would fail to be effective only if the interface you antispoof for has switched networks. I think that is a relatively rare event for running firewalls and not doing a ruleset reload.

> ===
> The simplest mechanism to block everything by default and only pass
> packets that match explicit rules is specify a first filter rule of:
>
> block all
> ===
>
> Is it not even simpler to just specify the filter rule as block without
> all? They seem to expand identically.

You're right, they expand to the exact same thing:

[Fri May 21 10:19:50] peter@zelda:~$ cat blockonly
block
[Fri May 21 10:19:57] peter@zelda:~$ cat blockall
block all
[Fri May 21 10:20:01] peter@zelda:~$ doas pfctl -vnf blockall
block drop all
[Fri May 21 10:20:11] peter@zelda:~$ doas pfctl -vnf blockonly
block drop all

(also see e.g. http://home.nuug.no/~peter/pf/newest/simplest-secure.html)

Cheers,
Peter

--
Peter N. M. Hansteen, member of the first RFC 1149 implementation team
http://bsdly.blogspot.com/ http://www.bsdly.net/ http://www.nuug.no/
"Remember to set the evil bit on all malicious network traffic"
delilah spamd[29949]: 85.152.224.147: disconnected after 42673 seconds.
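A small ruleset that puts both points of the thread together (default deny plus antispoof on an interface whose address changes), written here as an added example rather than taken from the message or from the pf documentation; the interface name wi0 and the single passed service are assumptions.

```pf
# Constructed example pf.conf: default deny, antispoof on an interface
# with a dynamic address. wi0 and the allowed service (ssh) are assumed
# for illustration only.
ext_if = "wi0"

# Loopback traffic is neither filtered nor antispoofed.
set skip on lo0

# "block" and "block all" both expand to "block drop all" under
# pfctl -vnf; the explicit form is kept because it reads better.
block all

# With the interface in parentheses pf re-reads the address and the
# directly connected network every time the rule is evaluated, so the
# two expanded antispoof block rules keep matching after a DHCP renewal
# without a ruleset reload.
antispoof for ($ext_if)

# Everything that is allowed must be passed explicitly.
pass out on $ext_if inet from ($ext_if) to any
pass in on $ext_if inet proto tcp from any to ($ext_if) port 22
```

Run `doas pfctl -nvf /etc/pf.conf` before loading to confirm that the antispoof line expands into its block rules with the interface referenced in parentheses rather than a fixed address, and that the file parses with the default deny first.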