 
 From:  cdillon at wolves dot k12 dot mo dot us
 To:  m0n0wall at lists dot m0n0 dot ch
 Subject:  Anti-spoof rules preventing routing other subnets
 Date:  Tue, 18 Apr 2006 13:09:05 -0500
Looking through status.php at the generated ipfilter ruleset, I see
that the anti-spoof rules come before the user rules. Is there any
particular reason for that? It would be nice if they came after the
user rules, since the user would then be allowed to create his own
rules to allow other subnets to be routed through that interface. In
the absence of those rules the default would still be to deny spoofs.
If that isn't possible, maybe an option to disable the anti-spoof
rules entirely.

I'm not even sure the anti-spoof rules are necessary under normal
circumstances: as long as the user creates rules with "INTERFACE
subnet" as the source (maybe make this the default source for new
rules?) instead of "any", spoofed packets would be dropped by the
default deny rule.
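
The three rule orderings discussed above, written out as an added ipfilter example. This is not m0n0wall's generated ruleset and not code from the original post; the interface name sis0, the LAN subnet 192.168.1.0/24, the routed subnet 192.168.2.0/24 and the spoofed address 10.0.0.5 are assumptions chosen for illustration. Only one of the three variants would be loaded at a time; they are listed together to show how "quick" first-match ordering decides the outcome.

```ipf
# Constructed example, not m0n0wall's generated rules. Assumptions:
#   sis0            = LAN interface, subnet 192.168.1.0/24
#   192.168.2.0/24  = a second subnet behind a router on the LAN
#   10.0.0.5        = a spoofed source address arriving on sis0
# With "quick", the first matching rule decides, so order is everything.

# --- Variant A: anti-spoof before user rules (current behaviour) ---
# Anything entering sis0 not sourced from the LAN subnet is dropped here,
# so the user rule for 192.168.2.0/24 below is never reached.
block in log quick on sis0 from !192.168.1.0/24 to any
pass  in quick on sis0 from 192.168.2.0/24 to any keep state   # dead rule
pass  in quick on sis0 from 192.168.1.0/24 to any keep state
block in log quick all

# --- Variant B: user rules before anti-spoof (the requested ordering) ---
# Explicitly allowed subnets match first; 192.168.2.0/24 is routed through.
# A packet from 10.0.0.5 matches neither pass rule and hits the anti-spoof
# block, so spoofs are still denied.
pass  in quick on sis0 from 192.168.2.0/24 to any keep state
pass  in quick on sis0 from 192.168.1.0/24 to any keep state
block in log quick on sis0 from !192.168.1.0/24 to any
block in log quick all

# --- Variant C: no anti-spoof rule, source scoped to the interface subnet ---
# Because the pass rule says 192.168.1.0/24 rather than "any", a packet from
# 10.0.0.5 on sis0 matches nothing and falls through to the default deny.
pass  in quick on sis0 from 192.168.1.0/24 to any keep state
block in log quick all
```

In variant A the "dead rule" comment marks the user rule that can never match, which is the situation the post describes; variants B and C are the two alternatives it proposes, and both still reject a foreign source address on sis0, in B by the trailing anti-spoof block and in C by the final default deny.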