Rp_filter

MAuVE

Please let me know whether rp_filter is used by default in pfsense and if yes, how can I disable it.

billm

@MAuVE:

Please let me know whether rp_filter is used by default in pfsense and if yes, how can I disable it.

A google search for that term turns up lots of linux hits.  pfSense runs on FreeBSD, not linux.  Maybe if you can give us more information on what rp_filter does in linux we could tell you if the equivalent is enabled or disabled on our platform.

–Bill

MAuVE

It may have another name in FreeBSD.

For example in IOS it is called "unicast Reverse Path Forwarding (uRPF)"

It is an anti-spoofing measure and most firewalls employ it.

It checks the reverse path of a packet being as expected by the routing table.

Suppose you have a box with two WAN interfaces and you send a ping to an ip address via interface A.

If the routing is asymmetric the response may come through interface B.

If an rp_filter function is active it will drop the response  packet, creating a "black hole".

I am facing such a situation and wanted to see if there is a function like this activated by default in pfSense.

hoba

I think that should be handled by the created states just fine as they are created per interface.

billm

OK, now I understand what you're looking for.  The pf version in FreeBSD doesn't support this at this time, the closest we have is the ability to do interface bound state.  But due to the likelyhood of users having carp pairs with different NICs, we're using a box-wide state table instead of interface bound.  So I think what you want is already our default.

–Bill

MAuVE

Thanks to all responders