 From:  "Chris Buechler" <cbuechler at gmail dot com>
 Cc:  m0n0wall at lists dot m0n0 dot ch
 Subject:  Re: [m0n0wall] Anti-spoof rules preventing routing other subnets
 Date:  Tue, 18 Apr 2006 19:22:18 -0400
On 4/18/06, cdillon at wolves dot k12 dot mo dot us <cdillon at wolves dot k12 dot mo dot us> wrote:
> Looking through status.php at the generated ipfilter ruleset, I see
> that the anti-spoof rules come before the user rules, is there any
> particular reason for that?  It would be nice if they came after the
> user rules since the user would be
> allowed to create his own rules to allow other subnets to be routed
> through that interface.

Static routes open the antispoofing rules for the subnets defined in
the routes.  That's the only supported, and proper, way to have
multiple IP subnets off the same interface.  Without static routes,
m0n0wall couldn't return traffic to those networks from the source
interface, so there's no sense in passing it.

The way the antispoofing rules are generated and applied is a good
thing.  It's essentially just uRPF, where if your routing table says
that particular network is not off of the source interface, drop the
traffic.  There's no way it can drop any legit traffic in a sane,
properly configured network setup.

-Chris
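The uRPF behaviour Chris describes, as an added example that is not m0n0wall's or ipfilter's own code: a strict reverse-path check against a constructed routing table, showing the same packet dropped before and passed after a static route for the second subnet is added. The interface names, addresses and routes are assumptions made for the illustration.

```python
# Strict uRPF-style antispoof check, modelled on the behaviour Chris describes.
# Added example, not m0n0wall's own code; interfaces, addresses and routes
# below are constructed for illustration.
import ipaddress
from typing import NamedTuple, Optional


class Route(NamedTuple):
    prefix: ipaddress.IPv4Network
    interface: str          # egress interface for this destination
    gateway: Optional[str]  # None for a directly connected network


def build_table(routes):
    """Turn (prefix, interface, gateway) tuples into Route objects."""
    return [Route(ipaddress.ip_network(p), ifc, gw) for p, ifc, gw in routes]


def lookup(table, addr):
    """Longest-prefix match: the route a reply to `addr` would take, or None."""
    ip = ipaddress.ip_address(addr)
    matches = [r for r in table if ip in r.prefix]
    return max(matches, key=lambda r: r.prefix.prefixlen, default=None)


def antispoof_allows(table, src, ingress):
    """Pass only if the return path to `src` leaves via the interface it came in on.

    If the routing table says the source network is not off the ingress
    interface (or is unroutable), the packet is dropped as spoofed.
    """
    route = lookup(table, src)
    return route is not None and route.interface == ingress


# Constructed topology: 192.168.1.0/24 is directly on "lan"; a second subnet,
# 10.10.0.0/24, sits behind a router at 192.168.1.254 on the same wire.
BASE_ROUTES = [
    ("192.168.1.0/24", "lan", None),
    ("0.0.0.0/0", "wan", "203.0.113.1"),
]
WITH_STATIC = BASE_ROUTES + [("10.10.0.0/24", "lan", "192.168.1.254")]


def demo(src="10.10.0.5", ingress="lan"):
    """Verdicts for the same packet before and after adding the static route."""
    before = antispoof_allows(build_table(BASE_ROUTES), src, ingress)
    after = antispoof_allows(build_table(WITH_STATIC), src, ingress)
    return before, after
```

Without the static route the 10.10.0.5 source matches only the default route via "wan", so the check fails on "lan"; once the static route exists the longest match points back out "lan" and the packet passes.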