
Re: antispoof vs. ip aliases
On Sun, Mar 30, 2003 at 06:16:10PM +0200, Srebrenko Sehic wrote:
> $ cat /etc/hostname.fxp0
> inet 10.0.3.20 255.0.0.0 NONE
> inet alias 10.1.3.20 255.0.0.0
> inet alias 10.2.3.20 255.0.0.0
> inet alias 10.3.3.20 255.0.0.0
> inet alias 10.4.3.20 255.0.0.0
> inet alias 10.5.3.20 255.0.0.0
> 
> $ grep antispoof /etc/pf.conf
> antispoof for fxp0
> 
> Loading this ruleset will result in,
> 
> $ pfctl -sr | grep '10.0.0.0/8'
> block drop in on ! fxp0 inet from 10.0.0.0/8 to any
> block drop in on ! fxp0 inet from 10.0.0.0/8 to any
> block drop in on ! fxp0 inet from 10.0.0.0/8 to any
> block drop in on ! fxp0 inet from 10.0.0.0/8 to any
> block drop in on ! fxp0 inet from 10.0.0.0/8 to any
> block drop in on ! fxp0 inet from 10.0.0.0/8 to any
> 
> Hence, we get a block statement for each alias, which is I guess fine if
> aliases have different masks, but in this case, it's kind of unnecessary.
> 
> No?

Yes, that is known. I don't see a real-world problem with this; the effect
is zero, as skip steps solve that nicely.
-- 
Henning Brauer, BS Web Services, http://bsws.de
hb@bsws.de - henning@openbsd.org
Unix is very simple, but it takes a genius to understand the simplicity.
(Dennis Ritchie)
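As an added illustration, not code from the thread or from pf itself, the following Python models the expansion the poster observed: it parses the hostname.fxp0 lines quoted above (embedded as constructed sample input) and emits one rule per configured address, with an option to collapse identical networks. It reproduces only the per-network `block drop in on ! fxp0` lines that the grep in the thread shows, nothing else antispoof may generate, and also covers the "different masks" case the poster raises.

```python
import ipaddress

# Constructed sample: the /etc/hostname.fxp0 quoted in the thread.
HOSTNAME_FXP0 = """\
inet 10.0.3.20 255.0.0.0 NONE
inet alias 10.1.3.20 255.0.0.0
inet alias 10.2.3.20 255.0.0.0
inet alias 10.3.3.20 255.0.0.0
inet alias 10.4.3.20 255.0.0.0
inet alias 10.5.3.20 255.0.0.0
"""


def parse_hostname_if(text):
    """Return the networks implied by the 'inet' lines of a hostname.if file.

    Accepts both 'inet ADDR MASK ...' and 'inet alias ADDR MASK'; any other
    directive (e.g. 'up' or '!command' lines) is ignored.
    """
    nets = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 3 or fields[0] != "inet":
            continue
        if fields[1] == "alias":
            if len(fields) < 4:
                continue
            addr, mask = fields[2], fields[3]
        else:
            addr, mask = fields[1], fields[2]
        # strict=False lets a host address plus netmask map to its network.
        nets.append(ipaddress.ip_network(f"{addr}/{mask}", strict=False))
    return nets


def antispoof_rules(ifname, text, dedup=False):
    """Model the per-network part of 'antispoof for IFNAME'.

    Without dedup, one rule is produced per configured address, which is the
    behaviour shown by 'pfctl -sr' in the thread.  With dedup, addresses on
    the same network share a single rule; aliases with different masks still
    get their own rule because they resolve to different networks.
    """
    nets = parse_hostname_if(text)
    if dedup:
        nets = list(dict.fromkeys(nets))  # keeps first-seen order
    return [f"block drop in on ! {ifname} inet from {n} to any" for n in nets]
```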