2. What specific rules would you recommend for preventing spoofed

people spend too much time on this. make sure nobody spoofs your own
IPs (or, more precise, any IP you do access control with) and be done
with it. really, spoofing has to be fought at the source, you can't
layer. so you want to make sure only packets with your own IPs as src
leave your network.

Thanks for the insight.

I found a pf ruleset that does this (but not fighting at the source; it still allows spoofed packets to be sent _out_).

  set skip on lo
  ext_if = "em0"
  antispoof quick for $ext_if

The antispoof expands to this:

  block drop in quick on ! em0 inet from to any
  block drop in quick inet from to any

Reply via email to