Hi,
thanks for giving a little extra advice on the anti-spoofing topic.
Maybe you can tell me if that's still necessary in my scenario.
My $ext_if is a VLAN interface connected to a ProCurve switch, where
I assign one port as tagged (that's the port the OpenBSD machine is
connected to) and one untagged port which goes to the router.
My router is responsible for dialing the actual connection to my ISP, so
my OpenBSD box is already behind the NAT firewall of my router.
In OpenBSD I then use Unbound as a caching nameserver which forwards any
DNS queries to the DNS servers of my ISP.
Of course I could set up PPPoE on OpenBSD directly, but I thought letting
the router handle it might be the better approach.
Does antispoofing on $ext_if still make sense for me?
Regards
Dennis
On 13.05.2015 at 17:37, Karl O. Pinc wrote:
On Wed, 13 May 2015 00:36:54 +0200
Dennis Steinkamp <[email protected]> wrote:
1.) block all
2.) set skip on lo
3.) match out on egress inet from $int_net nat-to egress
4.) pass in on $int_if from $int_net to *any*
5.) pass out on $ext_if from $ext_if to any
It is also good practice to block spoofing
attacks, both from without and from anyone
within your own networks.
antispoof for $int_if
antispoof for $ext_if
block in on $int_if from !$int_net to any
There's an rfc for this but I don't recall the number.
Karl <[email protected]>
Free Software: "You don't pay back, you pay forward."
-- Robert A. Heinlein
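As an added illustration (not from either poster), here is what pf expands the two antispoof lines into for the VLAN setup described above, with assumed interface names and addresses ($int_if = em0 on 192.168.1.0/24, $ext_if = vlan10 on 192.168.0.0/24 behind the router; none of these values come from the thread). The expansion for a real ruleset can be checked with `pfctl -nvf /etc/pf.conf`.

```pf
# Added example, not from the thread. Assumed addressing:
#   $int_if = em0    on 192.168.1.0/24, own address 192.168.1.1
#   $ext_if = vlan10 on 192.168.0.0/24, own address 192.168.0.2 (router-side LAN)
int_if  = "em0"
ext_if  = "vlan10"
int_net = "192.168.1.0/24"

antispoof for $int_if
antispoof for $ext_if

# pfctl -nvf expands the two lines above to:
#   block drop in on ! em0 inet from 192.168.1.0/24 to any
#   block drop in inet from 192.168.1.1 to any
#   block drop in on ! vlan10 inet from 192.168.0.0/24 to any
#   block drop in inet from 192.168.0.2 to any
#
# i.e. packets that claim a source in an interface's own network but arrive
# on any other interface are dropped, as are packets that claim the box's
# own address on that interface. The first of the four rules overlaps with
# "block in on $int_if from !$int_net to any" only partly: that rule stops
# foreign sources entering on $int_if, while antispoof stops $int_net
# sources entering anywhere except $int_if.
```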