
antispoof vs. ip aliases



$ cat /etc/hostname.fxp0                                                             
inet 10.0.3.20 255.0.0.0 NONE 
inet alias 10.1.3.20 255.0.0.0
inet alias 10.2.3.20 255.0.0.0
inet alias 10.3.3.20 255.0.0.0
inet alias 10.4.3.20 255.0.0.0
inet alias 10.5.3.20 255.0.0.0
$ grep antispoof /etc/pf.conf
antispoof for fxp0
Loading this ruleset will result in,
$ pfctl -sr | grep '10.0.0.0/8' 
block drop in on ! fxp0 inet from 10.0.0.0/8 to any 
block drop in on ! fxp0 inet from 10.0.0.0/8 to any 
block drop in on ! fxp0 inet from 10.0.0.0/8 to any 
block drop in on ! fxp0 inet from 10.0.0.0/8 to any 
block drop in on ! fxp0 inet from 10.0.0.0/8 to any 
block drop in on ! fxp0 inet from 10.0.0.0/8 to any 
Hence, we get a block statement for each alias, which is, I guess, fine if
aliases have different masks, but in this case, it's kind of unnecessary.
No?
This is on x86/-current from 4 days ago.
// haver
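
Added example, not part of the original post and not pf's own code: a small Python check that derives the `! fxp0` network rule for each address in the hostname.fxp0 shown above and reports which rules are redundant. The function names are hypothetical, and the sample input is the file content from the post embedded as a string.

```python
import ipaddress
from collections import Counter

# Constructed sample: the /etc/hostname.fxp0 contents quoted in the post.
HOSTNAME_FXP0 = """\
inet 10.0.3.20 255.0.0.0 NONE
inet alias 10.1.3.20 255.0.0.0
inet alias 10.2.3.20 255.0.0.0
inet alias 10.3.3.20 255.0.0.0
inet alias 10.4.3.20 255.0.0.0
inet alias 10.5.3.20 255.0.0.0
"""

def parse_hostname_if(text):
    """Return an IPv4Interface for each 'inet [alias] addr mask' line."""
    ifaces = []
    for line in text.splitlines():
        tok = line.split()
        if not tok or tok[0] != "inet":
            continue
        tok = tok[1:]
        if tok and tok[0] == "alias":
            tok = tok[1:]
        if len(tok) < 2:
            continue  # no address/netmask pair on this line
        ifaces.append(ipaddress.ip_interface(f"{tok[0]}/{tok[1]}"))
    return ifaces

def network_rules(ifname, ifaces):
    """One network rule per address, in the form pfctl -sr printed in the post."""
    return [f"block drop in on ! {ifname} inet from {i.network} to any"
            for i in ifaces]

def duplicate_report(rules):
    """Map each rule that appears more than once to its occurrence count."""
    return {rule: n for rule, n in Counter(rules).items() if n > 1}

def unique_rules(rules):
    """Drop repeats while keeping first-seen order."""
    return list(dict.fromkeys(rules))

if __name__ == "__main__":
    rules = network_rules("fxp0", parse_hostname_if(HOSTNAME_FXP0))
    for rule, n in duplicate_report(rules).items():
        print(f"{n}x {rule}")
    print("distinct rules needed:", len(unique_rules(rules)))
```

Aliases with different masks produce different networks and therefore distinct rules, so only same-network aliases show up in the duplicate report.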