We do no anti-spoofing based on subnets. This is the extent of our anti-spoofing rules:

    # LAN/OPT spoof check (needs to be after DHCP because of broadcast addresses)
    antispoof for fxp1
    antispoof for fxp2

The antispoof directive expands to a set of filter rules which will block all traffic with a source IP from the network(s) directly connected to the specified interface(s) from entering the system through any other interface.

--Bill

PS. how many threads are we going to have for this?

On 6/1/06, Chris Buechler <[EMAIL PROTECTED]> wrote:

Molle Bestefich wrote:
> Bill Marquette wrote:
>> anti-spoofing is _not_ automated...the antispoof rules/syntax only
>> protect the firewall's interfaces itself, not networks behind it.
>
> I'm having a hard time grasping the exact automatic anti-spoofing
> rules in pfSense, I think because they are not visually exposed
> anywhere in the webGUI.
>
> (I have a sneaking suspicion that many m0n0wall and pfSense users
> simply disregard the need and/or existence of/for antispoofing because
> it's hidden..)

most of them wouldn't know they should put them in there anyway.

unless this has changed in pfsense, Bill isn't right unless I'm misunderstanding what he's saying. In m0n0wall, it automatically builds hidden antispoofing rules based upon the routing table. Basically like uRPF. I believe pfsense should work identically to this, somebody want to confirm or deny this?

This is really only useful for preventing spoofed traffic from passing through the firewall, but that's all the anti-spoofing protection measures you can generally take anyway (in addition to blocking private networks and bogons on the WAN).

---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
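Two mechanisms are described in the thread: Bill's explicit `antispoof for <interface>` lines, which pf expands into block rules for the directly connected network, and the routing-table-driven (uRPF-style) check Chris attributes to m0n0wall. The script below is an added illustration, not code from the thread or from pfSense/m0n0wall. It reproduces the antispoof expansion as documented in pf.conf(5) and emulates a strict reverse-path check against a constructed routing table; the interface names (fxp0/fxp1/fxp2), addresses and routes are all made up for the example.

```python
import ipaddress

# Constructed topology (not from the thread): interface -> (interface address, connected network)
INTERFACES = {
    "fxp1": ("192.168.1.1", "192.168.1.0/24"),
    "fxp2": ("192.168.2.1", "192.168.2.0/24"),
}

# Constructed routing table: destination prefix -> egress interface (fxp0 is the WAN here)
ROUTES = {
    "192.168.1.0/24": "fxp1",
    "192.168.2.0/24": "fxp2",
    "0.0.0.0/0": "fxp0",
}


def expand_antispoof(ifname, addr, network):
    """Return the filter rules that 'antispoof for <ifname> inet' expands to.

    This mirrors the expansion shown in pf.conf(5): drop packets claiming the
    connected network as source that arrive on any other interface, and drop
    packets claiming the interface's own address as source on every interface.
    """
    return [
        f"block drop in on ! {ifname} inet from {network} to any",
        f"block drop in inet from {addr} to any",
    ]


def reverse_path_interface(src):
    """Longest-prefix lookup of the source address in ROUTES.

    Answers: "through which interface would this firewall reach src?"  That
    is the reverse path a strict uRPF check compares against the ingress
    interface.  Returns None when no route matches.
    """
    src = ipaddress.ip_address(src)
    best = None
    for prefix, ifname in ROUTES.items():
        net = ipaddress.ip_network(prefix)
        if src in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, ifname)
    return best[1] if best else None


def is_spoofed(src, ingress):
    """Strict uRPF verdict: the packet is spoofed if the route back to its
    source does not point at the interface it arrived on."""
    return reverse_path_interface(src) != ingress


def classify(packets):
    """Apply the reverse-path check to (source, ingress interface) pairs."""
    return [(src, ingress, "spoofed" if is_spoofed(src, ingress) else "ok")
            for src, ingress in packets]


if __name__ == "__main__":
    for ifname, (addr, network) in INTERFACES.items():
        print(f"# antispoof for {ifname}")
        for rule in expand_antispoof(ifname, addr, network):
            print(rule)

    # Constructed sample packets: LAN source arriving on WAN, second LAN source
    # arriving on the first LAN, and two legitimate ones.
    samples = [
        ("192.168.1.50", "fxp1"),
        ("192.168.1.50", "fxp0"),
        ("192.168.2.7", "fxp1"),
        ("203.0.113.5", "fxp0"),
    ]
    for src, ingress, verdict in classify(samples):
        print(f"{src:15} in on {ingress}: {verdict}")
```

On a real pf host the expansion of the antispoof lines can be inspected without loading them: `pfctl -nvf /etc/pf.conf` parses the ruleset and prints the rules it would install. Note that the strict reverse-path check above treats any source reachable only via the default route as belonging to the WAN, so a packet with a public source address arriving on a LAN interface is flagged; that is the expected behaviour for a firewall with a single upstream, but it needs care on multi-homed or asymmetrically routed networks.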