On Apr 11, 2005 4:07 PM, William Ross <[EMAIL PROTECTED]> wrote:
> In my rules section, if I have a first rule such that
>
> block on (external interface) all;
>
> Would that not make any following rules about
> spoofing and blocking rfc1918 nets redundant?
>
I should of thought so, given that pf will block the packet(s) if it
cannot find a matching pass rule. There is also the antispoof rule
which would aid in blocking spoofed packets, see pf.conf(5) under the
heading "BLOCKING SPOOFED TRAFFIC".
I have a table which contains the RFC1918 address plus a few others
like 127.0..0.1/8, 255.255.255.255/32, 0.0.0.0/32 going by my pfctl
-vvvsT:
-pa--- Reserved
Addresses: 0
Cleared: Mon Apr 11 02:40:01 2005
References: [ Anchors: 0 Rules: 0 ]
Evaluations: [ NoMatch: 0 Match: 0 ]
In/Block: [ Packets: 0 Bytes: 0 ]
In/Pass: [ Packets: 0 Bytes: 0 ]
In/XPass: [ Packets: 0 Bytes: 0 ]
Out/Block: [ Packets: 0 Bytes: 0 ]
Out/Pass: [ Packets: 0 Bytes: 0 ]
Out/XPass: [ Packets: 0 Bytes: 0 ]
hasn't really done anthing? so, if your pass rules are "correct" as to
what traffic you are allowing in/out from your external interface you
should not really need a spoofing rule(s), although in reality it is
probably better to be safe then sorry? how paranoid you are?
probably someone will say otherwise.
Kimi
--
spamassassinexception