PF BCP38 PF implementation

BCP (Best Common Practice) 38 concerns IP address spoofing and is recommended by everyone including FreeBSD. PF has the antispoof keyword. I have three questions:
Is PF antispoof an adequate implementation of BCP38?
Should antispoof be run on all interfaces apart from loopback?
If an interface is using DHCP and loses its IP address, antispoof will likely drop all packets. Are there any unintended consequences to this after reconnection?
Thanks for any feedback.
 
If an interface is using DHCP and loses its IP address, antispoof will likely drop all packets.
If the interface loses its IP address, packets won't even arrive any more, so there's nothing to drop.
 
Should antispoof be run on all interfaces apart from loopback?

This is my first time hearing about BCP38. The rules below may be overkill, but they cover everything and I've been using them for years. pftop is now a bore. It seems that the bad guys and gals care nothing of me anymore.

IN THIS ORDER:
Code:
# $_nic is a macro defined elsewhere in this pf.conf (the filtered interface).
# antispoof expands into "block drop in" rules built from the interface's
# addresses at ruleset load time; "antispoof for lo" also blocks loopback-sourced
# packets on other interfaces, and pf.conf(5) warns that these rules interfere
# with packets sent over loopback to local addresses unless passed explicitly.
antispoof for lo
antispoof for $_nic inet
antispoof quick for ($_nic)        # parenthesised: pf updates the rule when $_nic's address changes
block in quick inet6 all           # no IPv6 at all on this box
block out quick inet6 all

block in on $_nic all              # default deny on $_nic; pass rules come after these
block out on $_nic all

So yes, I think it should run on all interfaces. Why not when it can?

I'm glad I caught your thread. It led me to change lo0 to lo. So I had it incomplete all this time. But I know it works, I monitor well.
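As an added example (it is not the thread's or the FreeBSD project's ruleset; the interface names em0/em1, the LAN prefix 192.168.1.0/24 and the external address 203.0.113.10 are assumed placeholders), here is what a BCP38-oriented pf.conf looks like once the two halves of the problem are kept apart. antispoof, the subject of the first question, only drops packets that claim one of this machine's own networks or addresses as source while arriving on the wrong interface; BCP38 (RFC 2827) is about refusing to emit or forward packets whose source is not one of your own prefixes. The egress rule on $ext_if and the ingress rule on $int_if supply that second half, and the loopback handling follows the pf.conf(5) caveat about antispoof on loopback interfaces:

```pf
# Added example ruleset, not from the thread. Interface names, the LAN prefix
# and the external address are assumed placeholders.
ext_if   = "em0"             # assumed: upstream-facing interface
int_if   = "em1"             # assumed: LAN-facing interface
int_net  = "192.168.1.0/24"  # assumed: prefix routed behind $int_if
ext_addr = "203.0.113.10"    # assumed: this box's address on $ext_if

# Every source address this machine is allowed to put on the wire upstream.
table <our_nets> const { $ext_addr, $int_net }

# Loopback: pf.conf(5) warns that antispoof rules interfere with packets sent
# over loopback to local addresses, so exempt lo0 from filtering instead of
# antispoofing it.
set skip on lo0

# Anti-spoofing, expanded at load time from the interfaces' addresses into
# rules such as (for em0 = 203.0.113.10/24):
#   block drop in log quick on ! em0 inet from 203.0.113.0/24 to any
#   block drop in log quick inet from 203.0.113.10 to any
# i.e. "our" networks may not arrive from the wrong side, and our own
# addresses may not arrive at all.
antispoof log quick for { $ext_if, $int_if } inet

# BCP38, egress half: nothing leaves toward the upstream with a source that is
# not ours. This is the part antispoof alone does not give you.
block out log quick on $ext_if inet from ! <our_nets> to any

# BCP38, ingress half for the LAN: hosts behind $int_if may only use $int_net
# as a source, so a compromised host cannot launder spoofed packets through us.
block in log quick on $int_if inet from ! $int_net to any

# Default deny, then the explicit pass rules (last match wins without "quick").
block in log all
block out log all
pass in on $int_if inet from $int_net to any keep state
pass out on $ext_if inet from <our_nets> to any keep state
```

Two points a practitioner will want to check. First, the plain `antispoof for $if` form takes the interface's addresses at the moment the ruleset is loaded, so an interface that only gets its address from DHCP after pf has started contributes no antispoof rules until the ruleset is reloaded (`pfctl -f /etc/pf.conf`); the parenthesised form `antispoof for ($if)`, as used in the rules posted above, is the one pf keeps in sync with address changes. Second, `pfctl -s rules` after loading shows the block rules the directive actually expanded to, which is the quickest way to confirm what is and is not covered. For a single host with no LAN behind it, drop the $int_if rules and the table and use `block out log quick on $ext_if inet from ! ($ext_if) to any` as the egress rule.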
 
If the interface loses its IP address, packets won't even arrive any more, so there's nothing to drop.
I was thinking of an event where the interface temporarily loses its IP address or doesn't have one assigned until after PF loads a ruleset.
 