PF urpf-failed vs antispoof

Assuming a strictly symmetric routing, is there any difference between using antispoof rules and blocking incoming packets that fail the unicast reverse path forwarding check (urpf-failed)? I've actually seen a number of examples that employ both. Is it necessary to use both? Are there any other advantages of one over the other?
 
The urpf-failed operation isn't limited to a single layer 3 hop.
What exactly does that mean, and is it relevant in the following scenario:

Let's assume I have a router that has one LAN interface fxp0 (192.168.1.1/24), one WLAN interface wlan0 (192.168.2.1/24) and an internet connection with a single dynamic IPv4 address and default route on the tun0 interface.

Using antispoof rules, I would probably do something like:
Code:
antispoof quick for fxp0 inet
antispoof quick for wlan0 inet
antispoof quick for (tun0) inet
Which would give a total of six rules:
Code:
block drop in quick on ! fxp0 inet from 192.168.1.0/24 to any
block drop in quick inet from 192.168.1.1 to any
block drop in quick on ! wlan0 inet from 192.168.2.0/24 to any
block drop in quick inet from 192.168.2.1 to any
block drop in quick on ! tun0 inet from (tun0:network) to any
block drop in quick inet from (tun0) to any
Wouldn't a single rule like this accomplish the same purpose?
Code:
block drop in quick from urpf-failed to any
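As an added illustration (not part of the original post), here is a small Python model of the two checks for the router described above. It uses a placeholder address for tun0 and assumes an extra static route to 10.0.0.0/8 through a gateway on fxp0 (not in the question) to show where the checks diverge; the host routes for the router's own addresses are ignored in this model.

```python
import ipaddress

# Constructed model of the router in the question: one address/network per interface.
# The tun0 address is a placeholder standing in for the dynamic one.
INTERFACES = {
    "fxp0": "192.168.1.1/24",
    "wlan0": "192.168.2.1/24",
    "tun0": "203.0.113.7/32",
}

# Routing table as (destination, egress interface). The 10.0.0.0/8 entry is an
# assumed static route via a second router on the LAN, to show the multi-hop case.
ROUTES = [
    ("192.168.1.0/24", "fxp0"),
    ("192.168.2.0/24", "wlan0"),
    ("10.0.0.0/8", "fxp0"),
    ("0.0.0.0/0", "tun0"),
]

def expand_antispoof(ifname):
    """The two rules pf generates for 'antispoof quick for <if> inet'."""
    addr = ipaddress.ip_interface(INTERFACES[ifname])
    return [f"block drop in quick on ! {ifname} inet from {addr.network} to any",
            f"block drop in quick inet from {addr.ip} to any"]

def antispoof_blocks(src, ingress):
    """True if the expanded antispoof rules drop a packet from src arriving on ingress."""
    src = ipaddress.ip_address(src)
    for ifname, cidr in INTERFACES.items():
        addr = ipaddress.ip_interface(cidr)
        if src == addr.ip:                              # second rule of each pair
            return True
        if src in addr.network and ingress != ifname:   # first rule of each pair
            return True
    return False

def urpf_failed(src, ingress):
    """Simplified uRPF: the longest-prefix route for src must point back out ingress."""
    src = ipaddress.ip_address(src)
    best = None
    for dst, ifname in ROUTES:
        net = ipaddress.ip_network(dst)
        if src in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, ifname)
    return best is None or best[1] != ingress

def compare(src, ingress):
    """(antispoof blocks?, urpf-failed matches?) for one packet."""
    return antispoof_blocks(src, ingress), urpf_failed(src, ingress)
```

With symmetric routing the two agree on spoofed and legitimate packets alike; a source covered only by the assumed 10.0.0.0/8 route arriving on wlan0 is caught by urpf-failed but not by antispoof, since antispoof only knows the interfaces' own networks.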
 