> On 22 May 2021 at 17:02, Mogens Jensen <mogens-jen...@protonmail.com> wrote:
>
> Let's say I'm assigned dynamic IP address 192.0.2.5/24 from my ISP on
> external interface em0.
>
> antispoof em0 inet
>
> Expands to:
>
> block drop in on ! em0 inet from 192.0.2.0/24 to any
> block drop in inet from 192.0.2.5 to any
>
> At some point when the IP lease is renewed, the ISP has assigned an
> address from another block e.g. 203.0.113.21/24. I would now think that
> the block rules created by antispoof are obsolete as they are not
> updated with the new address, but why should it still work without
> interface name in parentheses?
I frankly haven't tested what you describe in real life, but I think you
have understood correctly. If your ISP throws you into a different
network on lease renewal, things would go sideways without the
parentheses.

The two expand slightly differently, btw:

[Sat May 22 17:14:23] peter@zelda:~$ cat antispoof
antispoof for ure0
[Sat May 22 17:14:27] peter@zelda:~$ doas pfctl -vnf antispoof
block drop in on ! ure0 inet from 10.10.10.0/24 to any
block drop in inet from 10.10.10.10 to any
[Sat May 22 17:14:30] peter@zelda:~$ cat antispoof_paren
antispoof for (ure0)
[Sat May 22 17:14:39] peter@zelda:~$ doas pfctl -vnf antispoof_paren
block drop in on ! ure0 from (ure0:network) to any
block drop in from (ure0) to any

(Just now on a -current machine)

All the best,
Peter N. M. Hansteen

-- 
Peter N. M. Hansteen, member of the first RFC 1149 implementation team
http://bsdly.blogspot.com/ http://www.bsdly.net/ http://www.nuug.no/
"Remember to set the evil bit on all malicious network traffic"
delilah spamd[29949]: 85.152.224.147: disconnected after 42673 seconds.
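Added example, not part of the thread above and not pf's own tooling: a small lint that reads a pf.conf, finds antispoof rules whose interface is written as a literal name rather than in parentheses, and reports the ones whose interface gets its address dynamically, since those are exactly the rules whose expansion (the 10.10.10.0/24 and 10.10.10.10 literals in the -vnf output above) is frozen at load time and goes stale when the lease moves. It assumes (my assumptions, not the thread's) rules of the form "antispoof [log] [quick] for IFACE" or "for { IFACE, ... }", and OpenBSD-style /etc/hostname.IFACE files containing "dhcp" or "inet autoconf" / "inet6 autoconf" for dynamic interfaces. The sample pf.conf and hostname files are constructed in a temp directory for the demo.

```shell
#!/bin/sh
# Added example, not from the mailing-list thread or from pf(4): lint for
# antispoof rules that name an interface *without* parentheses on an
# interface whose address is assigned dynamically. Those expansions are
# fixed at "pfctl -f" time, so a lease that moves to a new network leaves
# the rules matching the old addresses.
#
# Assumptions (mine): rules look like
#   antispoof [log] [quick] for IFACE|{ IFACE, ... } [inet|inet6]
# and, as on OpenBSD, hostname.IFACE holds "dhcp" or "autoconf" for
# dynamically configured interfaces.

# Print the interface names used in antispoof rules without parentheses.
unparenthesized_antispoof() {
    sed 's/#.*//' "$1" | awk '
        function emit(x) { if (x != "" && x !~ /^\(/) print x }
        $1 == "antispoof" {
            for (i = 2; i <= NF && $i != "for"; i++) ;
            i++
            if ($i == "{") {
                for (i++; i <= NF && $i != "}"; i++) {
                    sub(/,$/, "", $i)
                    emit($i)
                }
            } else {
                emit($i)
            }
        }'
}

# True when hostname.IFACE under the given directory configures the
# interface with dhcp or autoconf.
is_dynamic() {
    f="$2/hostname.$1"
    [ -f "$f" ] && grep -Eq '(^|[[:space:]])(dhcp|autoconf)([[:space:]]|$)' "$f"
}

# Interfaces that need "antispoof for (IFACE)" instead of the literal form.
stale_antispoof() {
    unparenthesized_antispoof "$1" | while read -r ifn; do
        if is_dynamic "$ifn" "$2"; then
            printf '%s\n' "$ifn"
        fi
    done
}

# Constructed sample configuration (not a real host's files).
tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT
cat > "$tmp/pf.conf" <<'EOF'
set skip on lo
antispoof for em0 inet              # literal name on a DHCP interface: stale after renewal
antispoof log for (em1)             # parenthesized: resolved per packet, follows the lease
antispoof quick for { em2, em3 } inet6
EOF
printf 'dhcp\n' > "$tmp/hostname.em0"
printf 'inet autoconf\n' > "$tmp/hostname.em1"
printf 'inet 10.10.10.10 255.255.255.0\n' > "$tmp/hostname.em2"
printf 'inet6 autoconf\n' > "$tmp/hostname.em3"

echo "antispoof rules with a literal interface name:"
unparenthesized_antispoof "$tmp/pf.conf"
echo "of those, dynamically addressed (switch to parentheses):"
stale_antispoof "$tmp/pf.conf" "$tmp"
```

On a real host the call is stale_antispoof /etc/pf.conf /etc. The lint only flags candidates; the authoritative check remains the pfctl -vnf expansion shown in the thread, where a literal network or address in the output means the rule will not follow a renewed lease.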