Looking through status.php at the generated ipfilter ruleset, I see that the anti-spoof rules come before the user rules, is there any particular reason for that? It would be nice if they came after the user rules since the user would be allowed to create his own rules to allow other subnets to be routed through that interface. In absence of those rules the default would still be to deny spoofs. If that isn't possible, maybe an option to disable the anti-spoof rules entirely. I'm not even sure the anti-spoof rules are necessary under normal circumstances, as long as the user creates rules with "INTERFACE subnet" as the source (maybe make this the default source for new rules?) instead of "any" then spoofed packets would be dropped by the default deny rule. |