From: Maxim Khitrov
To: Matthew Seaman
Cc: Free BSD Questions list
Date: Sat, 12 Sep 2009 17:53:39 -0400
Subject: Re: Rule equivalence of pf uRPF check
Message-ID: <26ddd1750909121453t390f1ca0lb030fdd1cc6a4feb@mail.gmail.com>
In-Reply-To: <4AAB9DBC.50007@infracaninophile.co.uk>

On Sat, Sep 12, 2009 at 9:10 AM, Matthew Seaman wrote:
> Maxim Khitrov wrote:
>
>> block in quick on $int_if from !$int_if:network
>> block in quick on !$int_if from $int_if:network
>> block in quick from $int_if
>>
>> The OpenBSD pf FAQ states that urpf-check is equivalent to the
>> antispoof rules, but the antispoof section lists only the last two
>> rules in my example as being equivalent. So the question is, does urpf
>> imply the first rule as well?
>
> Not if uRPF is intended as a general mechanism. What would happen if
> you applied that on $ext_if (the external interface you connect to the
> rest of the internet with)? It's perfectly valid for packets from other
> than directly attached networks to be passed by your firewall -- not
> doing that would, in fact, completely negate your web browsing
> experience...
>
> Cheers,
>
> Matthew

Right, I should have mentioned that I'm only talking about internal
interfaces that serve separate 10.x/16 networks. My $int_if network is
10.0/16 and it is not the default route. Under those conditions, would
the urpf check block any traffic coming in on $int_if that doesn't come
from the 10.0/16 network? If not, can you give me an example of what
would be allowed?

One other related question. Would urpf block a packet arriving on any
physical interface that has a source IP of 127.0.0.1 or any other IP
assigned to the firewall itself?

- Max
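A small Python model of the two mechanisms being compared, added here as an illustration and not part of the thread or of pf itself: strict uRPF accepts a packet only when the reverse route for its source address points out the interface the packet arrived on, whereas the FAQ's antispoof expansion is the two fixed rules quoted above. The routing and interface tables are constructed to match Max's description (10.0/16 on $int_if, default route elsewhere); the lo0 host routes for the firewall's own addresses are an assumption of the model.

```python
import ipaddress

# Constructed routing table modelling the firewall in the thread:
# 10.0/16 attached on $int_if, default route via $ext_if, and the host's
# own addresses (loopback, its $int_if and $ext_if addresses) via lo0.
ROUTES = [
    (ipaddress.ip_network("10.0.0.0/16"), "int_if"),
    (ipaddress.ip_network("0.0.0.0/0"), "ext_if"),
    (ipaddress.ip_network("127.0.0.0/8"), "lo0"),
    (ipaddress.ip_network("10.0.0.1/32"), "lo0"),     # firewall's own $int_if address (assumed)
    (ipaddress.ip_network("203.0.113.2/32"), "lo0"),  # firewall's own $ext_if address (assumed)
]

# Constructed interface table used to expand the antispoof-style rules.
IFACES = {
    "int_if": (ipaddress.ip_address("10.0.0.1"), ipaddress.ip_network("10.0.0.0/16")),
    "ext_if": (ipaddress.ip_address("203.0.113.2"), ipaddress.ip_network("203.0.113.0/24")),
}

def route_lookup(dst):
    """Longest-prefix match: egress interface for dst, or None if unroutable."""
    best = None
    for net, iface in ROUTES:
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best[1] if best else None

def urpf_passes(src, ingress):
    """Strict uRPF: pass only if the route back to src leaves via the
    interface the packet arrived on."""
    return route_lookup(ipaddress.ip_address(src)) == ingress

def antispoof_passes(src, ingress, iface="int_if"):
    """The two rules the FAQ lists as the antispoof expansion for $int_if:
         block in quick on !$int_if from $int_if:network
         block in quick from $int_if
    The first rule in Max's example (block in on $int_if from
    !$int_if:network) is deliberately NOT part of this expansion."""
    src = ipaddress.ip_address(src)
    addr, net = IFACES[iface]
    if ingress != iface and src in net:  # $int_if:network arriving on another interface
        return False
    if src == addr:                      # the firewall's own $int_if address
        return False
    return True
```

In this model the two mechanisms differ on exactly the case Max asks about: a non-10.0/16 source arriving on $int_if fails the uRPF route check (its reverse route is the default route via $ext_if) but matches neither antispoof rule, while the same source arriving on $ext_if passes uRPF, which is Matthew's point.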