Date:      Sat, 12 Sep 2009 17:53:39 -0400
From:      Maxim Khitrov <mkhitrov@gmail.com>
To:        Matthew Seaman <m.seaman@infracaninophile.co.uk>
Cc:        Free BSD Questions list <freebsd-questions@freebsd.org>
Subject:   Re: Rule equivalence of pf uRPF check
Message-ID:  <26ddd1750909121453t390f1ca0lb030fdd1cc6a4feb@mail.gmail.com>
In-Reply-To: <4AAB9DBC.50007@infracaninophile.co.uk>
References:  <26ddd1750909120549ve82a843k464c1233c3a6f603@mail.gmail.com> <4AAB9DBC.50007@infracaninophile.co.uk>

On Sat, Sep 12, 2009 at 9:10 AM, Matthew Seaman <m.seaman@infracaninophile.co.uk> wrote:
> Maxim Khitrov wrote:
>
>> block in quick on $int_if from !$int_if:network
>> block in quick on !$int_if from $int_if:network
>> block in quick from $int_if
>>
>> The OpenBSD pf faq states that urpf-check is equivalent to the
>> antispoof rules, but the antispoof section lists only the last two
>> rules in my example as being equivalent. So the question is does urpf
>> imply the first rule as well?
>
> Not if uRPF is intended as a general mechanism.  What would happen if
> you applied that on $ext_if (the external interface you connect to the
> rest of the internet with)?  It's perfectly valid for packets from
> other than directly attached networks to be passed by your firewall --
> not doing that would, in fact, completely negate your web browsing
> experience...
>
>        Cheers,
>
>        Matthew

Right, I should have mentioned that I'm only talking about internal
interfaces that serve separate 10.x/16 networks. My $int_if network is
10.0/16 and it is not the default route. Under those conditions, would
the urpf check block any traffic coming in on $int_if that doesn't
come from the 10.0/16 network? If not, can you give me an example of what
would be allowed?

One other related question. Would urpf block a packet arriving on any
physical interface that has a source IP of 127.0.0.1 or any other IP
assigned to the firewall itself?

- Max
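As an added illustration, not part of this thread and not pf's own code, the script below models a strict reverse-path check next to the three explicit rules quoted at the top of the message, on a constructed topology: $int_if on 10.0/16, a second internal interface on 10.1/16, and the default route leaving via $ext_if. The interface names, addresses and routing table are assumptions, as is the model's use of the BSD convention that each of the host's own addresses gets a host route via lo0. A reverse-path check is modelled as "the route back to the source must leave via the interface the packet arrived on"; how pf implements the lookup in detail is not something this model claims to reproduce.

```python
"""Model: strict reverse-path (uRPF) filtering versus the three explicit
antispoof rules for $int_if.  Constructed example, not pf code."""
import ipaddress

IPNet = ipaddress.IPv4Network
IPAddr = ipaddress.IPv4Address

# Constructed topology (assumption): $int_if carries 10.0/16, a second
# internal interface carries 10.1/16, the default route leaves via $ext_if.
INT_IF = "int_if"
IF_NETWORKS = {
    "lo0": IPNet("127.0.0.0/8"),
    "int_if": IPNet("10.0.0.0/16"),
    "int2_if": IPNet("10.1.0.0/16"),
    "ext_if": IPNet("203.0.113.0/24"),
}
# The firewall's own address on each interface (constructed values).
IF_ADDRS = {
    "lo0": IPAddr("127.0.0.1"),
    "int_if": IPAddr("10.0.0.1"),
    "int2_if": IPAddr("10.1.0.1"),
    "ext_if": IPAddr("203.0.113.2"),
}


def build_routes():
    """Routing table as (prefix, outgoing interface) pairs."""
    routes = [(net, ifn) for ifn, net in IF_NETWORKS.items()]
    # Assumption: like a BSD kernel, the host's own addresses are reached
    # through a host route via lo0 rather than via the physical interface.
    routes += [(IPNet(f"{addr}/32"), "lo0") for addr in IF_ADDRS.values()]
    routes.append((IPNet("0.0.0.0/0"), "ext_if"))  # default route
    return routes


ROUTES = build_routes()


def route_lookup(dst):
    """Longest-prefix match; returns the name of the outgoing interface."""
    best = None
    for net, ifn in ROUTES:
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, ifn)
    return best[1]


def strict_urpf_passes(src, in_if):
    """Strict reverse-path check: the route back to the source address must
    leave through the interface the packet arrived on."""
    return route_lookup(src) == in_if


def antispoof_passes(src, in_if):
    """The three rules from the thread, applied for $int_if only:
        block in quick on $int_if from !$int_if:network
        block in quick on !$int_if from $int_if:network
        block in quick from $int_if   ($int_if alone means its own address)
    Returns True if none of them blocks the packet."""
    net = IF_NETWORKS[INT_IF]
    if in_if == INT_IF and src not in net:       # rule 1
        return False
    if in_if != INT_IF and src in net:           # rule 2
        return False
    if src == IF_ADDRS[INT_IF]:                  # rule 3
        return False
    return True


def compare(src, in_if):
    """Evaluate one incoming packet under both mechanisms."""
    src = IPAddr(src)
    return {"urpf": strict_urpf_passes(src, in_if),
            "antispoof": antispoof_passes(src, in_if)}


# Constructed sample packets: (source address, arriving interface).
SAMPLES = [
    ("10.0.5.5", "int_if"),      # legitimate internal host
    ("10.1.5.5", "int_if"),      # other internal net, wrong interface
    ("8.8.8.8", "int_if"),       # outside address arriving internally
    ("10.0.5.5", "ext_if"),      # internal address arriving from outside
    ("8.8.8.8", "ext_if"),       # ordinary return traffic from the internet
    ("127.0.0.1", "ext_if"),     # loopback source on a physical interface
    ("10.0.0.1", "int_if"),      # the firewall's own $int_if address
    ("203.0.113.2", "ext_if"),   # the firewall's own $ext_if address
]

if __name__ == "__main__":
    for src, in_if in SAMPLES:
        r = compare(src, in_if)
        print(f"{src:>12} on {in_if:<8} urpf={r['urpf']!s:<5} "
              f"antispoof={r['antispoof']}")
```

In this model, on $int_if the reverse-path check refuses everything the first rule refuses: when $int_if is not the default route, any source outside 10.0/16 routes back out some other interface. The two mechanisms part ways on $ext_if, where the three $int_if rules say nothing about a loopback source or the firewall's own external address, while the reverse-path check refuses both because their routes point at lo0. Whether pf's own urpf-failed lookup treats those cases the same way is exactly the kind of thing to confirm against pf.conf(5) and a test packet rather than assume from the model.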