How does antispoof in pfSense work?
-
This thread was really helpful, and the flexibility that pfSense gives here is amazing.
However, it should have been better documented in the docs, in the anti-spoofing section.
Is it worth a commit to propose a change in the docs?
Here's a somewhat atypical use of this specificity in the anti-spoofing rule:
https://forum.netgate.com/topic/163088/l3-switch-and-pfsense-design-advise/16?_=1641114477363 -
@apollo13 said in How does antispoof in pfSense work?:
Therefore antispoof will match after any user defined rules by default if I understand it correctly.
Doesn't it depend on where the antispoof rules are in the ruleset? I'm looking at the expanded rules and it looks like the expanded antispoof rules are above my userrules anchor. Since they don't have a quick on the antispoof, but are physically above userrules, shouldn't it get evaluated first but not acted on unless there is no other rule matching the packet? The "last match wins" behavior?
Everything else said in this thread is the behavior I've seen; it's just that specific statement I think is not quite correct.
If I'm wrong, please correct me. -
Yes, exactly that. I think that statement was intended to imply the same; the antispoof rules match traffic before the user rules but without 'quick' set their action is not applied until after the user rules. Therefore it's possible to by-pass the antispoof rules with an excessively wide user rule.
Pass rules should use actual subnet(s) they apply to as source where possible.
The Interface group example above is an interesting one though.

Steve
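To make the evaluation order the thread describes concrete, here is an added example (not code from the thread, and not pfSense's or pf's own implementation): a small Python model of pf's "last match wins, unless a matching rule has quick" evaluation. The antispoof expansion (a non-quick block for the interface's subnet arriving on any other interface, plus a block for the interface's own address), the interface names `lan`/`wan`, the subnet `192.168.1.0/24`, and the sample source addresses are all assumptions constructed for the demonstration; pfSense's default deny is modelled as the fallback when nothing matches. Running it shows the bypass Steve describes: a user rule with source `any` on WAN lets a packet carrying a LAN source address through, while the same rule with its real source subnet leaves the antispoof block in effect.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional


@dataclass
class Rule:
    action: str            # "pass" or "block"
    iface: str             # interface name; "!lan" means "any interface except lan"
    src: str               # source CIDR, single address, or "any"
    quick: bool = False    # pf 'quick': stop evaluation at this rule
    label: str = ""


def iface_matches(rule_iface: str, pkt_iface: str) -> bool:
    if rule_iface.startswith("!"):
        return pkt_iface != rule_iface[1:]
    return pkt_iface == rule_iface


def src_matches(rule_src: str, pkt_src: str) -> bool:
    if rule_src == "any":
        return True
    return ip_address(pkt_src) in ip_network(rule_src, strict=False)


def antispoof_rules(iface: str, net: str, addr: str) -> List[Rule]:
    # Assumed model of what 'antispoof for <iface>' expands to (no 'quick'):
    #   block in on ! <iface> from <net>   (our subnet arriving on another interface)
    #   block in on <iface> from <addr>    (our own interface address used as source)
    return [
        Rule("block", f"!{iface}", net, label=f"antispoof {iface} net"),
        Rule("block", iface, addr, label=f"antispoof {iface} addr"),
    ]


def evaluate(ruleset: List[Rule], pkt_iface: str, pkt_src: str) -> str:
    """pf semantics: the LAST matching rule wins, unless a matching rule
    carries 'quick', which ends evaluation immediately. pfSense's default
    deny is modelled here as the result when no rule matches at all."""
    winner: Optional[Rule] = None
    for rule in ruleset:
        if iface_matches(rule.iface, pkt_iface) and src_matches(rule.src, pkt_src):
            winner = rule
            if rule.quick:
                break
    return winner.action if winner else "block"


LAN_NET, LAN_ADDR = "192.168.1.0/24", "192.168.1.1"   # constructed LAN
SPOOFED_SRC = "192.168.1.50"   # constructed: LAN address arriving on the WAN side
REMOTE_SRC = "203.0.113.7"     # constructed: legitimate remote host

# Overly wide user rule: pass anything in on WAN (user rules carry 'quick')
wide_ruleset = antispoof_rules("lan", LAN_NET, LAN_ADDR) + [
    Rule("pass", "wan", "any", quick=True, label="user: allow all on WAN"),
]

# Tightened user rule: only the subnet that should actually reach us on WAN
tight_ruleset = antispoof_rules("lan", LAN_NET, LAN_ADDR) + [
    Rule("pass", "wan", "203.0.113.0/24", quick=True, label="user: allow partner net"),
]


def demo() -> dict:
    """Evaluate a spoofed and a legitimate packet against both rulesets."""
    return {
        "wide_spoofed": evaluate(wide_ruleset, "wan", SPOOFED_SRC),
        "wide_remote": evaluate(wide_ruleset, "wan", REMOTE_SRC),
        "tight_spoofed": evaluate(tight_ruleset, "wan", SPOOFED_SRC),
        "tight_remote": evaluate(tight_ruleset, "wan", REMOTE_SRC),
    }


if __name__ == "__main__":
    for case, verdict in demo().items():
        print(f"{case}: {verdict}")
```

The antispoof block is evaluated first and becomes the current winner, but because it has no `quick`, a later `pass ... from any quick` on WAN overrides it. Narrowing the user rule's source to the subnet it really serves means the spoofed packet matches only the antispoof block, which then stands.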