2. What specific rules would you recommend for preventing spoofed
people spend too much time on this. make sure nobody spoofs your own
IPs (or, more precisely, any IP you do access control with) and be done
with it. really, spoofing has to be fought at the source, you can't
layer. so you want to make sure only packets with your own IPs as src
leave your network.
Thanks for the insight.
I found a pf ruleset that does this (but not fighting at the source; it
still allows spoofed packets to be sent _out_).
set skip on lo
ext_if = "em0"
antispoof quick for $ext_if
The antispoof expands to this:
block drop in quick on ! em0 inet from 220.127.116.11/24 to any
block drop in quick inet from 18.104.22.168 to any
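
An egress filter of the kind the reply above asks for, next to the inbound-only antispoof rule, as an added example that is not part of the original thread. em0 comes from the ruleset above; the <mynets> table and its 192.0.2.0/24 prefix are constructed placeholders for the prefixes you actually own.

```pf
# pf.conf sketch (added example, not from the thread)
ext_if = "em0"

# Assumption: replace with the prefixes routed to you.
# 192.0.2.0/24 is a documentation prefix used here as a placeholder.
table <mynets> const { 192.0.2.0/24 }

set skip on lo

# Inbound only: drops packets that claim an address from em0's network
# but arrive on another interface, and packets sourced from em0's own
# address. It says nothing about what leaves the box.
antispoof quick for $ext_if

# Egress filter: anything leaving on the external interface must carry
# one of our own source addresses. Forged sources are dropped and logged
# to pflog so the offending internal host can be found.
block out log quick on $ext_if from ! <mynets> to any
```

`pfctl -nf /etc/pf.conf` parses the file without loading it, and `pfctl -sr` shows the rules as pf expanded them.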