Rule equivalence of pf uRPF check
Maxim Khitrov
mkhitrov at gmail.com
Sat Sep 12 21:54:00 UTC 2009
On Sat, Sep 12, 2009 at 9:10 AM, Matthew Seaman <m.seaman at infracaninophile.co.uk> wrote:
> Maxim Khitrov wrote:
>
>> block in quick on $int_if from !$int_if:network
>> block in quick on !$int_if from $int_if:network
>> block in quick from $int_if
>>
>> The OpenBSD pf faq states that urpf-check is equivalent to the
>> antispoof rules, but the antispoof section lists only the last two
>> rules in my example as being equivalent. So the question is does urpf
>> imply the first rule as well?
>
> Not if uRPF is intended as a general mechanism. What would happen if
> you applied that on $ext_if (the external interface you connect to the rest
> of the internet with)? It's perfectly valid for packets from other than
> directly attached networks to be passed by your firewall -- not doing that
> would, in fact, completely negate your web browsing experience...
>
> Cheers,
>
> Matthew
Right, I should have mentioned that I'm only talking about internal
interfaces that serve separate 10.x/16 networks. My $int_if network is
10.0/16 and it is not the default route. Under those conditions, would
the urpf check block any traffic coming in on $int_if that doesn't
come from 10.0/16 network? If not, can you give me an example of what
would be allowed?
One other related question. Would urpf block a packet arriving on any
physical interface that has a source IP of 127.0.0.1 or any other IP
assigned to the firewall itself?
- Max
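The following is an added example, not code from this thread or from pf itself. It is a small Python model of the two mechanisms under discussion: strict uRPF as pf.conf(5) describes it (the source address is looked up in the routing table and the route's interface must match the interface the packet arrived on), placed beside the three "block in" rules from the original post. The topology (int_if holding 10.0.0.0/16, a default route out ext_if, the firewall's own addresses and 127.0.0.0/8 resolving to lo0, as FreeBSD's routing table presents local host routes) and the sample packets are constructed for this example; interface names and addresses are assumptions, and the real check is done against the kernel routing table rather than a Python list.

```python
import ipaddress

# Constructed routing table for the example topology (assumed, not the
# poster's real config). Addresses owned by the firewall itself, including
# loopback, are modelled as host routes on lo0.
ROUTES = [
    (ipaddress.ip_network("10.0.0.1/32"), "lo0"),      # int_if's own address
    (ipaddress.ip_network("203.0.113.10/32"), "lo0"),  # ext_if's own address
    (ipaddress.ip_network("127.0.0.0/8"), "lo0"),
    (ipaddress.ip_network("10.0.0.0/16"), "int_if"),   # $int_if:network
    (ipaddress.ip_network("203.0.113.0/24"), "ext_if"),
    (ipaddress.ip_network("0.0.0.0/0"), "ext_if"),     # default route
]

INT_IF_NET = ipaddress.ip_network("10.0.0.0/16")
INT_IF_ADDR = ipaddress.ip_address("10.0.0.1")


def route_lookup(addr):
    """Longest-prefix match over ROUTES; returns the egress interface."""
    addr = ipaddress.ip_address(addr)
    best = None
    for net, ifname in ROUTES:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, ifname)
    return best[1]


def urpf_check(src, in_if):
    """Strict uRPF: the route for the source address must point back out
    the interface the packet came in on. True means the packet passes."""
    return route_lookup(src) == in_if


def antispoof_rules(src, in_if):
    """The three 'block in quick' rules from the post applied to one packet.
    True means no rule matched, i.e. the packet passes."""
    src = ipaddress.ip_address(src)
    # block in quick on $int_if from !$int_if:network
    if in_if == "int_if" and src not in INT_IF_NET:
        return False
    # block in quick on !$int_if from $int_if:network
    if in_if != "int_if" and src in INT_IF_NET:
        return False
    # block in quick from $int_if  (pf expands $int_if to its own address)
    if src == INT_IF_ADDR:
        return False
    return True


# Constructed sample packets: (source address, arriving interface).
SAMPLE_PACKETS = [
    ("10.0.5.7", "int_if"),        # legitimate LAN host
    ("192.168.1.20", "int_if"),    # source not routed via int_if
    ("10.0.5.7", "ext_if"),        # LAN address arriving from outside
    ("198.51.100.4", "ext_if"),    # ordinary internet traffic
    ("127.0.0.1", "ext_if"),       # loopback source on a physical interface
    ("10.0.0.1", "int_if"),        # firewall's own address spoofed
]


def compare():
    """Map each sample packet to (passes_urpf, passes_antispoof_rules)."""
    return {
        (src, in_if): (urpf_check(src, in_if), antispoof_rules(src, in_if))
        for src, in_if in SAMPLE_PACKETS
    }


if __name__ == "__main__":
    for (src, in_if), (u, a) in compare().items():
        print(f"{src:>14} on {in_if:<7} urpf={'pass' if u else 'BLOCK':<5} "
              f"rules={'pass' if a else 'BLOCK'}")
```

Under these assumptions the two agree on every packet except the 127.0.0.1 source arriving on ext_if: the three rules only ever mention $int_if's network and address, so they let it through, while the routing-table check rejects it because the route for 127.0.0.1 points at lo0. The same lo0 host route is what makes the model reject the firewall's own 10.0.0.1 as a source on int_if, so whether real pf behaves that way depends on how the kernel's routing table lists local addresses, which is worth confirming with netstat -rn on the box in question.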