Date:      Sat, 12 Sep 2009 14:10:20 +0100
From:      Matthew Seaman <m.seaman@infracaninophile.co.uk>
To:        Maxim Khitrov <mkhitrov@gmail.com>
Cc:        Free BSD Questions list <freebsd-questions@freebsd.org>
Subject:   Re: Rule equivalence of pf uRPF check
Message-ID:  <4AAB9DBC.50007@infracaninophile.co.uk>
In-Reply-To: <26ddd1750909120549ve82a843k464c1233c3a6f603@mail.gmail.com>
References:  <26ddd1750909120549ve82a843k464c1233c3a6f603@mail.gmail.com>


Maxim Khitrov wrote:

> block in quick on $int_if from !$int_if:network
> block in quick on !$int_if from $int_if:network
> block in quick from $int_if
>
> The OpenBSD pf faq states that urpf-check is equivalent to the
> antispoof rules, but the antispoof section lists only the last two
> rules in my example as being equivalent. So the question is does urpf
> imply the first rule as well?

Not if uRPF is intended as a general mechanism.  What would happen if
you applied that on $ext_if (the external interface you connect to the rest of
the internet with)?  It's perfectly valid for packets from other than directly
attached networks to be passed by your firewall -- not doing that would, in fact,
completely negate your web browsing experience...

	Cheers,

	Matthew

-- 
Dr Matthew J Seaman MA, D.Phil.                   7 Priory Courtyard
                                                  Flat 3
PGP: http://www.infracaninophile.co.uk/pgpkey     Ramsgate
                                                  Kent, CT11 9PW
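
Added example, not part of the original message and not pf's own code: a small Python model that compares a strict reverse-path check with the three quoted rules, written once for $int_if and once for $ext_if. The addresses, routing table (including the lo0 host routes for the firewall's own addresses) and function names are constructed assumptions.

```python
import ipaddress

# Constructed topology (assumption): one internal LAN, one uplink holding the default route.
IFACES = {"int_if": ("192.168.1.1", "192.168.1.0/24"),
          "ext_if": ("203.0.113.2", "203.0.113.0/24")}
ROUTES = [("192.168.1.1/32", "lo0"), ("203.0.113.2/32", "lo0"),  # firewall's own addresses
          ("192.168.1.0/24", "int_if"), ("203.0.113.0/24", "ext_if"),
          ("0.0.0.0/0", "ext_if")]

def route_iface(src):
    """Longest-prefix match: the interface holding the route back to src."""
    ip = ipaddress.ip_address(src)
    matches = [(ipaddress.ip_network(p), i) for p, i in ROUTES
               if ip in ipaddress.ip_network(p)]
    return max(matches, key=lambda m: m[0].prefixlen)[1]

def urpf_failed(in_if, src):
    """Model of a strict uRPF check: fail when the packet arrived on an
    interface other than the one holding the route back to its source."""
    return route_iface(src) != in_if

def three_rules(target, in_if, src):
    """The three quoted rules with `target` substituted for $int_if.
    Returns the number of the first rule that blocks, or 0 if none match."""
    addr, net = IFACES[target]
    inside = ipaddress.ip_address(src) in ipaddress.ip_network(net)
    if in_if == target and not inside:
        return 1   # block in quick on $if from !$if:network
    if in_if != target and inside:
        return 2   # block in quick on !$if from $if:network
    if src == addr:
        return 3   # block in quick from $if
    return 0

def compare(in_if, src):
    """(uRPF fails?, rule hit when written for int_if, rule hit when written for ext_if)"""
    return (urpf_failed(in_if, src),
            three_rules("int_if", in_if, src),
            three_rules("ext_if", in_if, src))

if __name__ == "__main__":
    for pkt in [("int_if", "192.168.1.50"), ("ext_if", "192.168.1.50"),
                ("int_if", "198.51.100.7"), ("ext_if", "198.51.100.7")]:
        print(pkt, compare(*pkt))
```

In this model the last packet, an ordinary Internet source arriving on ext_if, passes the reverse-path check because the default route points out ext_if, yet it would be dropped by the first rule if that rule were written for $ext_if.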





Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?4AAB9DBC.50007>