
Re: Academic question on pf.conf



On Apr 11, 2005 4:07 PM, William Ross <[email protected]> wrote:
> In my rules section, if I have a first rule such that
> 
> block on (external interface) all;
> 
> Would that not make any following rules about
> spoofing and blocking rfc1918 nets redundant?
> 
I should have thought so, given that pf will block the packet(s) if it
cannot find a matching pass rule. There is also the antispoof rule
which would aid in blocking spoofed packets; see pf.conf(5) under the
heading "BLOCKING SPOOFED TRAFFIC".
I have a table which contains the RFC1918 addresses plus a few others
like 127.0.0.1/8, 255.255.255.255/32, 0.0.0.0/32. Going by my
pfctl -vvvsT:
-pa---  Reserved
        Addresses:   0
        Cleared:     Mon Apr 11 02:40:01 2005
        References:  [ Anchors: 0                  Rules: 0                  ]
        Evaluations: [ NoMatch: 0                  Match: 0                  ]
        In/Block:    [ Packets: 0                  Bytes: 0                  ]
        In/Pass:     [ Packets: 0                  Bytes: 0                  ]
        In/XPass:    [ Packets: 0                  Bytes: 0                  ]
        Out/Block:   [ Packets: 0                  Bytes: 0                  ]
        Out/Pass:    [ Packets: 0                  Bytes: 0                  ]
        Out/XPass:   [ Packets: 0                  Bytes: 0                  ]
it hasn't really done anything? So, if your pass rules are "correct" as to
what traffic you are allowing in/out from your external interface you
should not really need spoofing rule(s), although in reality it is
probably better to be safe than sorry? How paranoid are you?
Probably someone will say otherwise.
Kimi
-- 
spamassassinexception
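An added example (not either poster's ruleset; the interface name fxp0, the table contents and the open ports are assumptions) showing why the reserved-address table is not redundant once pass rules exist: in pf the last matching rule wins, so a plain "block ... all" is overridden by any later pass rule, and a packet arriving on the external interface with a spoofed RFC1918 source that matches a broad pass rule would be accepted. Giving the table rule and antispoof the "quick" keyword makes them final, whatever pass rules follow.

```pf
# Constructed pf.conf fragment (OpenBSD pf syntax of the 3.x era).
ext_if = "fxp0"                      # assumed external interface

# Assumed table of addresses that must never appear as a source on $ext_if:
# RFC1918 space plus loopback, unspecified and limited broadcast.
table <Reserved> const { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16, \
                         127.0.0.0/8, 0.0.0.0/32, 255.255.255.255/32 }

# Default deny on the external interface. Without "quick" this is only the
# starting point: any later matching pass rule replaces the verdict.
block log on $ext_if all

# Final verdict for bogon sources and destinations: "quick" stops rule
# evaluation here, so the pass rules below cannot override it.
block in  quick log on $ext_if from <Reserved> to any
block out quick log on $ext_if from any to <Reserved>

# Drop packets claiming a source inside $ext_if's own network that arrive
# on the wrong interface (pf.conf(5), "BLOCKING SPOOFED TRAFFIC").
antispoof quick for $ext_if

# Broad pass rules: without the quick block rules above, a packet from
# 10.1.2.3 to port 80 would match here and be accepted.
pass in  on $ext_if proto tcp from any to ($ext_if) port { 22, 80 } \
         flags S/SA keep state
pass out on $ext_if proto { tcp, udp, icmp } from ($ext_if) to any keep state
```

After loading, "pfctl -vvsT" shows the table's In/Block and Out/Block counters climbing as soon as such packets arrive, which is the check that the rule is actually doing work rather than being shadowed by a pass rule.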