Date: Sat, 12 Sep 2009 08:49:48 -0400
From: Maxim Khitrov <mkhitrov@gmail.com>
To: Free BSD Questions list <freebsd-questions@freebsd.org>
Subject: Rule equivalence of pf uRPF check
Message-ID: <26ddd1750909120549ve82a843k464c1233c3a6f603@mail.gmail.com>
Hello all,

I sent this message to the -pf list, but no one answered.

I would like to verify my assumptions regarding the way pf's uRPF check works. I'm using a Soekris net5501 board as a firewall; port 0 ($ext_if) is the internet uplink, ports 1-3 ($int_if, $mil_if, $vpn_if) are separate LAN segments that should not be communicating with one another. Here is the start of my filter section:

    # Block all traffic by default
    block log

    # Broadcast DHCP traffic must be passed before urpf check
    pass in quick on !$ext_if proto udp from port dhcpc to \
        255.255.255.255 port dhcps

    # Enable source address spoofing protection
    block in quick from urpf-failed

The question I have is whether the urpf-failed check is equivalent to the following three rules for each of the interfaces (I'm using $int_if as an example here):

    block in quick on $int_if from !$int_if:network
    block in quick on !$int_if from $int_if:network
    block in quick from $int_if

The OpenBSD pf FAQ states that urpf-check is equivalent to the antispoof rules, but the antispoof section lists only the last two rules in my example as being equivalent. So the question is, does urpf imply the first rule as well?

- Max
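To make the comparison concrete, the following is a small Python model added here as an illustration; it is not code from the thread and not pf's implementation. It assumes, following the pf.conf(5) description of urpf-failed, that the reverse-path check passes a packet exactly when a longest-prefix route lookup on its source address points back to the interface the packet arrived on; that the firewall's own addresses are routed to loopback, as kernels do; and that the three explicit rules from the question are written once per LAN interface. The interface names mirror the macros in the question, and all addresses and routes are constructed placeholders.

```python
import ipaddress

# Constructed topology modelled on the question: one uplink and three LAN
# segments. Names mirror the poster's macros; the addresses are placeholders.
INTERFACES = {
    "ext_if": ipaddress.ip_interface("203.0.113.2/24"),
    "int_if": ipaddress.ip_interface("192.168.1.1/24"),
    "mil_if": ipaddress.ip_interface("192.168.2.1/24"),
    "vpn_if": ipaddress.ip_interface("192.168.3.1/24"),
}
LAN_IFS = ("int_if", "mil_if", "vpn_if")


def base_routes():
    """Routing table as (prefix, egress interface): the connected networks,
    the firewall's own addresses (routed to loopback, as the kernel does),
    and a default route out the uplink."""
    routes = []
    for name, addr in INTERFACES.items():
        routes.append((addr.network, name))
        routes.append((ipaddress.ip_network(f"{addr.ip}/32"), "lo0"))
    routes.append((ipaddress.ip_network("0.0.0.0/0"), "ext_if"))
    return routes


def add_route(routes, prefix, ifname):
    """Return a copy of the table with one more (prefix -> interface) entry."""
    return routes + [(ipaddress.ip_network(prefix), ifname)]


def route_lookup(routes, src):
    """Longest-prefix match; returns the egress interface for src."""
    best = None
    for prefix, ifname in routes:
        if src in prefix and (best is None or prefix.prefixlen > best[0].prefixlen):
            best = (prefix, ifname)
    return best[1] if best else None


def urpf_failed(routes, src, in_if):
    """Reverse-path check: the route back to the source must leave through
    the interface the packet arrived on; anything else counts as spoofed."""
    return route_lookup(routes, src) != in_if


def antispoof_blocks(src, in_if, ifname):
    """The three explicit rules from the question, written for `ifname`."""
    net = INTERFACES[ifname].network
    own = INTERFACES[ifname].ip
    rule1 = in_if == ifname and src not in net   # block in quick on $if from !$if:network
    rule2 = in_if != ifname and src in net       # block in quick on !$if from $if:network
    rule3 = src == own                           # block in quick from $if
    return rule1 or rule2 or rule3


def antispoof_blocks_any(src, in_if):
    """Apply the three-rule set once per LAN interface. The uplink gets no
    such set, because rule 1 on $ext_if would reject every Internet source."""
    return any(antispoof_blocks(src, in_if, name) for name in LAN_IFS)


def disagreements(routes, sources, in_ifs=None):
    """Packets (src, in_if) on which the two checks give different verdicts.
    Each entry carries both verdicts: (src, in_if, urpf_failed, rules_block)."""
    in_ifs = in_ifs or tuple(INTERFACES)
    out = []
    for s in sources:
        src = ipaddress.ip_address(s)
        for in_if in in_ifs:
            u = urpf_failed(routes, src, in_if)
            a = antispoof_blocks_any(src, in_if)
            if u != a:
                out.append((s, in_if, u, a))
    return out


# Constructed sample sources covering the cases the question cares about.
SAMPLE_SOURCES = [
    "192.168.1.20",   # host on $int_if
    "192.168.2.20",   # host on $mil_if
    "192.168.1.1",    # the firewall's own $int_if address
    "203.0.113.50",   # neighbour on the uplink segment
    "198.51.100.9",   # arbitrary Internet address
    "10.9.1.5",       # a second subnet that may sit behind a router on $int_if
]


if __name__ == "__main__":
    print("connected + default routes:", disagreements(base_routes(), SAMPLE_SOURCES))
    # A static route for 10.9.0.0/16 through a router on the int segment.
    extra = add_route(base_routes(), "10.9.0.0/16", "int_if")
    print("with static route via int_if:", disagreements(extra, SAMPLE_SOURCES))
```

Under the model's assumptions, with only the connected networks and a default route, no sampled packet gets different verdicts from the reverse-path check and the per-interface rules. Adding a static route for a second subnet behind a router on $int_if makes them diverge in both directions: the reverse-path check accepts that subnet's packets arriving on $int_if while rule 1 rejects them, and it rejects them arriving on $ext_if while the three rules, keyed to $int_if:network, do not match at all. That is a property of the model, not a statement about pf's internals, but it is the kind of routing-table dependence worth checking before treating the two as interchangeable.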