PF view spoofed address

There's nothing magical about the antispoof rule. It just triggers on packets coming in on the wrong interface. It does not and cannot trigger on real spoofed packets coming from the internet, for example, because there's simply no way to tell if a packet is faked or not. So there's also no way to tell what the real source address is.

Is there any difference if I am talking about the packets on the LAN?
 
The antispoof keyword just expands to a set of filtering rules, as Sirdice says. The man page gives this example expansion:
Code:
     For example, assuming the interface wi0 had an IP address of 10.0.0.1 and a
     netmask of 255.255.255.0, the line

       antispoof for wi0 inet

     expands to

       block drop in on ! wi0 inet from 10.0.0.0/24 to any
       block drop in inet from 10.0.0.1 to any

You would have to stop using antispoof and type in the expanded rules yourself with the log directive added. Using the example above:
Code:
block drop log in on ! wi0 inet from 10.0.0.0/24 to any
block drop log in inet from 10.0.0.1 to any

And then analyze the pf log to find the spoofing attempts.
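As an added example (not from the thread and not pf's own code), this POSIX sh script builds the logged expansion for a given interface, address and netmask, and then tallies block hits per interface and source from constructed sample lines shaped like the text output of tcpdump reading /var/log/pflog. The interface names, addresses and log lines are all constructed for the example.

```shell
# Added example, not from the thread: derive the logged form of
# "antispoof for IFACE inet" and summarise pflog hits per interface/source.

# Network address of dotted IP $1 under dotted netmask $2 (POSIX sh arithmetic).
net_of() {
    ip="$1" mask="$2" out=""
    for i in 1 2 3 4; do
        o=$(echo "$ip" | cut -d. -f"$i")
        m=$(echo "$mask" | cut -d. -f"$i")
        out="${out}${out:+.}$(( o & m ))"
    done
    echo "$out"
}

# Prefix length of a dotted netmask (count of set bits).
prefix_of() {
    bits=0
    for o in $(echo "$1" | tr . ' '); do
        while [ "$o" -gt 0 ]; do bits=$(( bits + (o & 1) )); o=$(( o >> 1 )); done
    done
    echo "$bits"
}

# Emit the two rules pf derives from "antispoof for $1 inet", with "log" added.
expand_antispoof() {
    net=$(net_of "$2" "$3"); len=$(prefix_of "$3")
    printf 'block drop log in on ! %s inet from %s/%s to any\n' "$1" "$net" "$len"
    printf 'block drop log in inet from %s to any\n' "$2"
}
# Count block matches per (interface, source IP) from lines shaped like the
# output of "tcpdump -n -e -r /var/log/pflog" (a trailing port is stripped).
pflog_summary() {
    awk '/\(match\): block in on / {
            split($0, a, "block in on "); split(a[2], b, ": ")
            iface = b[1]; src = b[2]; sub(/ >.*/, "", src)
            if (split(src, p, ".") == 5) src = p[1] "." p[2] "." p[3] "." p[4]
            n[iface " " src]++
         }
         END { for (k in n) print k, n[k] }' | sort
}
# Constructed sample: two hits on em1 claiming a wi0-side address, one packet
# claiming wi0's own address, and one unrelated pass entry that must be ignored.
SAMPLE_PFLOG='00:00:01.000000 rule 3/0(match): block in on em1: 10.0.0.23.51234 > 203.0.113.5.443: Flags [S], seq 1, win 65535, length 0
00:00:02.000000 rule 3/0(match): block in on em1: 10.0.0.23.51235 > 203.0.113.5.443: Flags [S], seq 1, win 65535, length 0
00:00:03.000000 rule 4/0(match): block in on wi0: 10.0.0.1 > 10.0.0.9: ICMP echo request, id 1, seq 1, length 64
00:00:04.000000 rule 7/0(match): pass in on wi0: 10.0.0.9.40000 > 10.0.0.1.22: Flags [S], seq 1, win 65535, length 0'
expand_antispoof wi0 10.0.0.1 255.255.255.0
printf '%s\n' "$SAMPLE_PFLOG" | pflog_summary
```

On a live box, replace the constructed sample with `tcpdump -n -e -r /var/log/pflog | pflog_summary`, or pipe from `tcpdump -n -e -i pflog0` for real-time output.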