On Fri, May 21, 2021 at 05:32:32AM +0000, Mogens Jensen wrote:
> The antispoof directive will expand to two block rules with IP address
> of the interface, so I would think that with a dynamic IP, the interface
> should be surrounded in parentheses like this:
> antispoof for (wi0)

quoting pf.conf(5):

"    The antispoof directive expands to a set of filter rules which will block
     all traffic with a source IP from the network(s) directly connected to
     the specified interface(s) from entering the system through any other

This means essentially that the sample rules would fail to be effective 
only if the interface you antispoof for has switched networks.  I think
that is a relatively rare event for running firewalls and not doing a ruleset

> ===
> The simplest mechanism to block everything by default and only pass
> packets that match explicit rules is specify a first filter rule of:
>     block all
> ===
> Is it not even simpler to just specify the filter rule as block without
> all, they seem to expand identical?

You're right, they expand to the exact same thing:

[Fri May 21 10:19:50] peter@zelda:~$ cat blockonly
[Fri May 21 10:19:57] peter@zelda:~$ cat blockall
block all
[Fri May 21 10:20:01] peter@zelda:~$ doas pfctl -vnf blockall 
block drop all
[Fri May 21 10:20:11] peter@zelda:~$ doas pfctl -vnf blockonly
block drop all

(also see eg http://home.nuug.no/~peter/pf/newest/simplest-secure.html)

Peter N. M. Hansteen, member of the first RFC 1149 implementation team
http://bsdly.blogspot.com/ http://www.bsdly.net/ http://www.nuug.no/
"Remember to set the evil bit on all malicious network traffic"
delilah spamd[29949]: disconnected after 42673 seconds.

Reply via email to