We do no anti-spoofing based on subnets.  This is the extent of our
anti-spoofing rules.

# LAN/OPT spoof check (needs to be after DHCP because of broadcast addresses)
antispoof for fxp1
antispoof for fxp2

    The antispoof directive expands to a set of filter rules which will
    block all traffic with a source IP from the network(s) directly connected
    to the specified interface(s) from entering the system through any other
    interface.

--Bill

PS. How many threads are we going to have for this?

On 6/1/06, Chris Buechler <[EMAIL PROTECTED]> wrote:
Molle Bestefich wrote:
> Bill Marquette wrote:
>> anti-spoofing is _not_ automated...the antispoof rules/syntax only
>> protect the firewall's interfaces itself, not networks behind it.
>
> I'm having a hard time grasping the exact automatic anti-spoofing
> rules in pfSense, I think because they are not visually exposed
> anywhere in the webGUI.
>
> (I have a sneaking suspicion that many m0n0wall and pfSense users
> simply disregard the need and/or existence of/for antispoofing because
> it's hidden..)

Most of them wouldn't know they should put them in there anyway.

Unless this has changed in pfsense, Bill isn't right unless I'm
misunderstanding what he's saying.

In m0n0wall, it automatically builds hidden antispoofing rules based
upon the routing table.  Basically like uRPF.  I believe pfsense should
work identically to this, somebody want to confirm or deny this?  This
is really only useful for preventing spoofed traffic from passing
through the firewall, but that's all the anti-spoofing protection
measures you can generally take anyway (in addition to blocking private
networks and bogons on the WAN).



---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
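
Added example (not part of the thread, and not pfSense or m0n0wall code): a small model contrasting the two behaviours discussed above. The antispoof expansion follows the two rules documented in pf.conf(5); the interface addresses, the routed 10.10.0.0/16 network and the strict reverse-path check standing in for "rules based upon the routing table" are assumptions constructed for illustration.

```python
import ipaddress

# Constructed sample addressing; fxp0 is assumed to be the WAN interface.
CONNECTED = {"fxp1": "192.168.1.1/24", "fxp2": "192.168.2.1/24"}
# Constructed routing table: 10.10.0.0/16 sits behind a router on the LAN.
ROUTES = [("192.168.1.0/24", "fxp1"), ("192.168.2.0/24", "fxp2"),
          ("10.10.0.0/16", "fxp1"), ("0.0.0.0/0", "fxp0")]


def expand_antispoof(ifname, cidr):
    """Model the rules pf.conf(5) documents for `antispoof for <ifname>`."""
    iface = ipaddress.ip_interface(cidr)
    return [
        # block drop in on ! <ifname> inet from <connected network> to any
        (ifname, iface.network),
        # block drop in inet from <interface address> to any
        (None, ipaddress.ip_network(str(iface.ip))),
    ]


def antispoof_blocks(in_if, src):
    """True if an antispoof rule drops a packet arriving on in_if from src."""
    src = ipaddress.ip_address(src)
    rules = [r for i, c in CONNECTED.items() for r in expand_antispoof(i, c)]
    return any(src in net and (except_if is None or in_if != except_if)
               for except_if, net in rules)


def urpf_blocks(in_if, src):
    """Strict reverse-path check: drop unless the best route back to src
    leaves through the interface the packet arrived on."""
    src = ipaddress.ip_address(src)
    matches = [(ipaddress.ip_network(n), i) for n, i in ROUTES
               if src in ipaddress.ip_network(n)]
    best = max(matches, key=lambda m: m[0].prefixlen)  # longest prefix wins
    return best[1] != in_if


if __name__ == "__main__":
    for in_if, src in [("fxp0", "192.168.1.50"), ("fxp0", "10.10.3.4"),
                       ("fxp1", "10.10.3.4"), ("fxp0", "203.0.113.7")]:
        print(f"{src:>14} in on {in_if}: "
              f"antispoof={'block' if antispoof_blocks(in_if, src) else 'pass'} "
              f"rpf={'block' if urpf_blocks(in_if, src) else 'pass'}")
```

The second sample packet is the case the thread is arguing about: a source in a network routed behind the LAN arriving on the WAN is untouched by the antispoof rules but dropped by the routing-table check.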


