There's nothing magical about the antispoof rule. It just triggers on packets coming in on the wrong interface. It does not and cannot trigger on real spoofed packets coming from the internet, for example, because there's simply no way to tell if a packet is faked or not. So there's also no way to tell what the real source address is.
The antispoof keyword just expands to a set of filtering rules, as SirDice says. The man page gives this example expansion:

    For example, assuming the interface wi0 had an IP address of 10.0.0.1 and a
    netmask of 255.255.255.0, the line

        antispoof for wi0 inet

    expands to

        block drop in on ! wi0 inet from 10.0.0.0/24 to any
        block drop in inet from 10.0.0.1 to any
antispoof and type in the expanded rules yourself with the log directive added. Using the example above (pf's grammar puts the direction before log, i.e. "block drop in log ...", not "block drop log in ..."):

    block drop in log on ! wi0 inet from 10.0.0.0/24 to any
    block drop in log inet from 10.0.0.1 to any
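To make the two points above concrete (the expansion quoted from the man page, and the first reply's point that antispoof only catches your own addresses arriving on the wrong interface), here is a small added example. It is not from this thread and not pf's own code; it reproduces the pf.conf(5) expansion for an IPv4 interface in Python and lets you ask whether a given (ingress interface, source address) pair would be dropped. The interface names and addresses in it are hypothetical.

```python
"""Reproduce pf's 'antispoof for <if> inet' expansion and test packets against it.

Added example (not from the forum thread and not pf source). The expansion
follows pf.conf(5): the interface's network is blocked when it comes in on any
OTHER interface, and the interface's own address is blocked on every interface.
Interface names and addresses used below are hypothetical.
"""
import ipaddress


def antispoof_rules(ifname, addrs, log=False, quick=False):
    """Return the block rules 'antispoof [log] [quick] for ifname inet' stands for.

    addrs: IPv4 addresses configured on ifname, as 'addr/prefixlen' or
    'addr/netmask' strings (ipaddress.ip_interface accepts either form).
    Rule text follows pf's grammar: action, direction, then log/quick.
    """
    mods = "in" + (" log" if log else "") + (" quick" if quick else "")
    rules = []
    for a in addrs:
        iface = ipaddress.ip_interface(a)
        if iface.version != 4:
            raise ValueError("this helper only expands inet; handle inet6 separately")
        # Our subnet must never arrive on a different interface ...
        rules.append(f"block drop {mods} on ! {ifname} inet from {iface.network} to any")
        # ... and nothing legitimately arrives from the wire claiming to be us.
        rules.append(f"block drop {mods} inet from {iface.ip} to any")
    return rules


def antispoof_matches(ifname, addrs, in_ifname, src):
    """True if a packet from src arriving on in_ifname hits the expansion above.

    This is the whole of what antispoof can decide: it knows nothing about a
    packet from an unrelated internet address, spoofed or not.
    """
    src = ipaddress.ip_address(src)
    for a in addrs:
        iface = ipaddress.ip_interface(a)
        if src == iface.ip:
            return True                       # our own address, any interface
        if src in iface.network and in_ifname != ifname:
            return True                       # our subnet, wrong interface
    return False


if __name__ == "__main__":
    # Constructed sample: wi0 as in the man page example, em0 as the uplink.
    for r in antispoof_rules("wi0", ["10.0.0.1/255.255.255.0"], log=True):
        print(r)
    for in_if, src in [("em0", "10.0.0.5"), ("wi0", "10.0.0.5"),
                       ("wi0", "10.0.0.1"), ("em0", "203.0.113.9")]:
        verdict = "drop" if antispoof_matches("wi0", ["10.0.0.1/24"], in_if, src) else "pass"
        print(f"{src} in on {in_if}: {verdict}")
```

Two things worth knowing when you actually use this on a box: `pfctl -nvf /etc/pf.conf` prints the ruleset as pf parsed it, including the rules each antispoof line expanded to, so you can confirm the expansion without loading it; and the antispoof directive itself accepts `log` and `quick` (`antispoof log for wi0 inet`), so hand-expanding is only necessary if you want to tweak individual rules. pf.conf(5) also warns that antispoof rules interfere with packets sent over loopback to local addresses, so pass lo0 traffic explicitly (or skip it) rather than applying antispoof to it.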