
Anti-Spoofing - no-route

What is the difference between the 2 blocking rules below
... table <garbage> { 127/8, 10/8, 172.16/12, 192.168/16, }
... block in log quick on $exIF from no-route to any
... block in log quick on $exIF from <garbage> to any
i.e. what does no-route expand to?
The manual entry talks about no-route being any address that is not
currently routable. However, as I am routing internally,
does that not get excluded?  I certainly do NOT want to see a source
address coming in from the outside with the same IPs as my own internal
Are these rules redundant or complementary?
Thanks - Damian
NOW - if my short explanation was too brief or poorly worded ....
PF filters between an external set of IPs, say and an
internal network,
Let's assume I want a bidirectional NAT of on the
host which, behind the firewall is  That is, I want
the outside world to think my host is
The relevant pieces of /etc/pf.conf are
... exIF="de0"
... mail=""
... table <garbage> { 127/8, 10/8, 172.16/12, 192.168/16, }
... scrub in all
... # Expose A Host
... binat on $exIF from to any ->
... # No spoofing
... block in  log quick on $exIF from no-route to any
... block in  log quick on $exIF from <garbage> to any
... # Pass through rules follow later
... pass in quick on $exIF\
...        proto tcp from any to port 25 keep state
P.S. As soon as I saw the 'caveat' on the antispoof rule, I got worried.
When I couldn't find examples, I just gave up on it.
Pacific Engineering Systems International, 22/8 Campbell St, Artarmon NSW 2064
Ph:+61-2-99063377 .. Fx:+61-2-99063468   | unsolicited email not wanted here !
Views and opinions here are mine and not those of any past or present employer
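Added example, not part of the original post, showing how the three pf anti-spoofing mechanisms the post mentions (no-route, the <garbage> table and antispoof) relate to each other. All addresses are constructed: 203.0.113.10 stands in for the elided public address, 192.168.1.10 for the internal mail host, 192.168.1.0/24 for the internal LAN, and xl0 for an assumed internal interface.

```pf
# Constructed pf.conf fragment (not the poster's file); addresses are placeholders.
exIF     = "de0"
inIF     = "xl0"            # assumed internal interface
mail_ext = "203.0.113.10"   # public address the outside world sees
mail_int = "192.168.1.10"   # real host behind the firewall

# Private and loopback space that must never be a *source* on the external
# interface. 'const' keeps the table from being changed at runtime via pfctl -t.
table <garbage> const { 127/8, 10/8, 172.16/12, 192.168/16 }

scrub in all

binat on $exIF from $mail_int to any -> $mail_ext

# 1. no-route matches sources for which the kernel has no route when the
#    packet is evaluated. A prefix this box routes internally (192.168.1.0/24)
#    IS routable, so no-route does not catch it; the rule alone does not stop
#    spoofed internal addresses arriving on $exIF.
block in log quick on $exIF from no-route to any

# 2. The static table covers exactly what no-route leaves out: ranges that are
#    routable here but have no business arriving from the outside.
block in log quick on $exIF from <garbage> to any

# 3. antispoof derives block rules from each interface's own address/network.
#    With de0 = 203.0.113.1/24 (constructed), "antispoof for de0 inet" expands to
#      block drop in on ! de0 inet from 203.0.113.0/24 to any
#      block drop in inet from 203.0.113.1 to any
#    and "antispoof for xl0 inet" adds
#      block drop in on ! xl0 inet from 192.168.1.0/24 to any
#    which is precisely the external-side spoof check the post asks about.
#    The manual's caveat: the "from <own address>" rule also hits packets the
#    host sends to itself over lo0, so loopback traffic must be passed first.
pass quick on lo0 all
antispoof log quick for $exIF inet
antispoof log quick for $inIF inet

# binat rewrites the destination before filtering, so the pass rule names
# the internal address.
pass in quick on $exIF proto tcp from any to $mail_int port 25 keep state
```

Check the generated rules with `pfctl -vnf /etc/pf.conf` before loading; the expanded antispoof lines appear in the output.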