On 2021-05-22, Mogens Jensen <mogens-jen...@protonmail.com> wrote:
> On Friday, May 21, 2021 8:22 AM, Peter N. M. Hansteen <pe...@bsdly.net> wrote:
>> quoting pf.conf(5):
>>
>> " The antispoof directive expands to a set of filter rules which will block
>> all traffic with a source IP from the network(s) directly connected to
>> the specified interface(s) from entering the system through any other
>> interface."
>>
>> This means essentially that the sample rules would fail to be effective
>> only if the interface you antispoof for has switched networks. I think
>> that is a relatively rare event for running firewalls and not doing a ruleset
>> reload.
>
> I'm still struggling with understanding why it works, please bear with
> me.
>
> Let's say I'm assigned dynamic IP address 192.0.2.5/24 from my ISP on
> external interface em0.
>
> antispoof em0 inet
>
> Expands to:
>
> block drop in on ! em0 inet from 192.0.2.0/24 to any
> block drop in inet from 192.0.2.5 to any
>
> At some point when the IP lease is renewed, the ISP has assigned an
> address from another block e.g. 203.0.113.21/24. I would now think that
> the block rules created by antispoof are obsolete as they are not
> updated with the new address, but why should it still work without
> interface name in parentheses?
>
> Thanks.
>
> Mogens Jensen
"egress" is not really useful with antispoof anyway. antispoof generates a set of rules to block packets with local network addresses coming in on an unexpected interface (either the wrong internal interface, or an external interface). It does not generate rules to stop someone on an internal network sending packets from another invalid address. For example even listing all network interfaces in antispoof rules, someone on an internal network can still send traffic with a source address of (e.g.) 220.127.116.11. To prevent that you'll need "block by default / allow specific source" rules like "pass in on em0 from em0:network" (etc., for each interface), or "block in from urpf-failed" (which does a dynamic route lookup; simpler config but slightly higher per-connection overhead).
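An added pf.conf fragment (not from either poster) that puts the two points of this reply together: parenthesised interface names so the antispoof expansion follows a DHCP address change, plus a default-deny with per-interface source restrictions (or the urpf-failed alternative) to catch what antispoof does not. Interface names em0 (external, DHCP) and em1 (internal) are assumed.

```pf
# Added example, not from the thread. Assumed: em0 is the DHCP-addressed
# external interface, em1 the internal LAN interface.
ext_if = "em0"
int_if = "em1"

set skip on lo0

# Parentheses make the expanded antispoof rules track address changes on
# em0 at runtime instead of freezing the lease held at ruleset load time.
antispoof log quick for { ($ext_if) ($int_if) } inet

# antispoof only catches local-network sources arriving on the wrong
# interface. A LAN host sending from an unrelated address (the 220.127.116.11
# case above) is not covered, so default-deny and allow each interface only
# its own network as a source.
block in log all
pass in on $int_if inet from ($int_if:network) to any
pass out on $ext_if inet from ($ext_if) to any

# Alternative to the per-interface source list: a dynamic reverse-path
# check that drops any inbound packet whose source is not routed back
# through the interface it arrived on (simpler, slightly more per-state work).
# block in log quick from urpf-failed
```

Load with `pfctl -nf /etc/pf.conf` first to syntax-check, then `pfctl -sr` shows the block rules antispoof expanded to for the current addresses.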