new pf in openbsd 3.2

i read the new pf man page but i still have a couple of doubts...

the example in the man page (which IIRC is still the same since 3.1)
uses this rule (let's call it example1)

spoof="{, etc... }"
block in quick on $ext_if from $spoof to any

i read about the new antispoof keyword and how it expands, i read also
about the no-route keyword. if i understood them correctly i should use
them as follows (let's call it example2)

antispoof for $int_if inet
block in quick on $ext_if from no-route to any

now i admit i didn't understand two things: "no-route" means just the
reserved networks just like the ones listed in the $spoof example? or does
it include other addresses? can i replace example1 with example2 in my
rules or it wouldn't block some kind of spoofed packets? or maybe i
should use both example1 and example2?

basically i didn't understand example2 so i don't know when and how to
use it :/

btw i wasn't also able to see which are exactly the new changes in pf
syntax, it seems nothing has changed since 3.1..



  "Better true to yourself
Than a perfect shadow
       Of somebody else
     An empty shell"

(MrBig, My new religion)