From: Maxim Khitrov
Date: Sat, 12 Sep 2009 08:49:48 -0400
Message-ID: <26ddd1750909120549ve82a843k464c1233c3a6f603@mail.gmail.com>
To: FreeBSD Questions list
Subject: Rule equivalence of pf uRPF check

Hello all,

I sent this message to the -pf list, but no one answered.
I would like to verify my assumptions regarding the way pf's uRPF check works. I'm using a Soekris net5501 board as a firewall; port 0 ($ext_if) is the internet uplink, ports 1-3 ($int_if, $mil_if, $vpn_if) are separate LAN segments that should not be communicating with one another. Here is the start of my filter section:

    # Block all traffic by default
    block log

    # Broadcast DHCP traffic must be passed before urpf check
    pass in quick on !$ext_if proto udp from port dhcpc to \
        255.255.255.255 port dhcps

    # Enable source address spoofing protection
    block in quick from urpf-failed

The question I have is whether the urpf-failed check is equivalent to the following three rules for each of the interfaces (I'm using $int_if as an example here):

    block in quick on $int_if from !$int_if:network
    block in quick on !$int_if from $int_if:network
    block in quick from $int_if

The OpenBSD pf FAQ states that urpf-check is equivalent to the antispoof rules, but the antispoof section lists only the last two rules in my example as being equivalent. So the question is: does urpf imply the first rule as well?

- Max
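The following is an added example, not part of the post and not pf's or FreeBSD's code. It models the two checks the post compares: pf's urpf-failed, which fails a packet when the routing table's route back to the source address does not leave through the interface the packet arrived on, and the three per-interface rules written out above. The topology (interfaces vr0..vr3, their addresses and the default route via the uplink) and the packets are constructed; modelling the firewall's own addresses as /32 routes to lo0 is an assumption about how the host routes to itself. The comparison is run twice, once with the three rules written only for the LAN interfaces and once for every interface including the uplink, which is where the first rule stops matching uRPF in this topology.

```python
"""Model of pf's urpf-failed check beside the three per-interface rules
from the post, evaluated over constructed inbound packets. Added example;
interface names, addresses and the lo0 self-route are assumptions."""
import ipaddress

# Constructed topology shaped like the post: vr0 is the uplink ($ext_if),
# vr1..vr3 are the isolated LAN segments ($int_if, $mil_if, $vpn_if).
INTERFACES = {
    "vr0": ("203.0.113.2", "203.0.113.0/30"),
    "vr1": ("192.168.1.1", "192.168.1.0/24"),
    "vr2": ("192.168.2.1", "192.168.2.0/24"),
    "vr3": ("192.168.3.1", "192.168.3.0/24"),
}
LAN_IFS = ("vr1", "vr2", "vr3")
ALL_IFS = tuple(INTERFACES)

# Routing table as (prefix, outbound interface): connected networks, a default
# route via the uplink, and (assumed) /32 routes to lo0 for the host's own addresses.
ROUTES = [(ipaddress.ip_network("0.0.0.0/0"), "vr0")]
for _name, (_addr, _net) in INTERFACES.items():
    ROUTES.append((ipaddress.ip_network(_net), _name))
    ROUTES.append((ipaddress.ip_network(_addr + "/32"), "lo0"))


def route_lookup(src):
    """Longest-prefix match: the interface the kernel would use to reach src."""
    addr = ipaddress.ip_address(src)
    matches = [r for r in ROUTES if addr in r[0]]
    return max(matches, key=lambda r: r[0].prefixlen)[1]


def urpf_failed(in_if, src):
    """urpf-failed: the route back to the source does not leave via in_if."""
    return route_lookup(src) != in_if


def antispoof_blocked(in_if, src, rule_ifs):
    """The three rules from the post, written out for each interface in rule_ifs:
       block in quick on $if  from !$if:network
       block in quick on !$if from  $if:network
       block in quick from $if
    """
    s = ipaddress.ip_address(src)
    for name in rule_ifs:
        own, net = INTERFACES[name]
        net = ipaddress.ip_network(net)
        if in_if == name and s not in net:      # rule 1: foreign source on $if
            return True
        if in_if != name and s in net:          # rule 2: $if's network elsewhere
            return True
        if s == ipaddress.ip_address(own):      # rule 3: firewall's own address
            return True
    return False


# Constructed inbound packets: (arrival interface, source address).
PACKETS = [
    ("vr1", "192.168.1.50"),   # legitimate $int_if host
    ("vr1", "192.168.2.50"),   # $mil_if address showing up on $int_if
    ("vr1", "198.51.100.7"),   # internet address showing up on $int_if
    ("vr1", "192.168.1.1"),    # the firewall's own $int_if address
    ("vr0", "198.51.100.7"),   # ordinary inbound internet traffic
    ("vr0", "192.168.1.50"),   # LAN address arriving from the uplink
    ("vr0", "203.0.113.1"),    # the uplink peer
]


def disagreements(rule_ifs):
    """Packets on which urpf-failed and the written-out rules decide differently."""
    return [(in_if, src) for in_if, src in PACKETS
            if urpf_failed(in_if, src) != antispoof_blocked(in_if, src, rule_ifs)]


if __name__ == "__main__":
    for in_if, src in PACKETS:
        print(f"{in_if} {src:15} urpf_failed={urpf_failed(in_if, src)!s:5} "
              f"rules(LAN)={antispoof_blocked(in_if, src, LAN_IFS)}")
    print("disagreements, rules on LAN interfaces only:", disagreements(LAN_IFS))
    print("disagreements, rules on every interface:    ", disagreements(ALL_IFS))
```

With the rules written for the three LAN interfaces, every constructed packet gets the same verdict from both checks, including the first rule's cases (a $mil_if or internet source arriving on $int_if), because the route back to such a source points at another interface. Writing the first rule for the uplink as well is where the two diverge: uRPF passes ordinary internet traffic on vr0 because the default route leaves through vr0, whereas "block in quick on $ext_if from !$ext_if:network" would drop it. The model is only as good as its routing table, so on a real box the check to run is a route lookup (route -n get) for the source in question and a comparison against the ingress interface.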