On Friday, May 21, 2021 8:22 AM, Peter N. M. Hansteen <pe...@bsdly.net> wrote:
> quoting pf.conf(5):
> " The antispoof directive expands to a set of filter rules which will block
> all traffic with a source IP from the network(s) directly connected to
> the specified interface(s) from entering the system through any other
> interface."
> This means essentially that the sample rules would fail to be effective
> only if the interface you antispoof for has switched networks. I think
> that is a relatively rare event for running firewalls and not doing a ruleset
> reload.

I'm still struggling with understanding why it works, please bear with

Let's say I'm assigned dynamic IP address from my ISP on
external interface em0.

  antispoof em0 inet

Expands to:

  block drop in on ! em0 inet from to any
  block drop in inet from to any

At some point when the IP lease is renewed, the ISP has assigned an
address from another block e.g. I would now think that
the block rules created by antispoof are obsolete as they are not
updated with the new address, but why should it still work without
interface name in parentheses?


Mogens Jensen

Reply via email to