On 4/18/06, cdillon at wolves dot k12 dot mo dot us <cdillon at wolves dot k12 dot mo dot us> wrote:
> Looking through status.php at the generated ipfilter ruleset, I see
> that the anti-spoof rules come before the user rules, is there any
> particular reason for that? It would be nice if they came after the
> user rules since the user would be
> allowed to create his own rules to allow other subnets to be routed
> through that interface.
Static routes open the antispoofing rules for the subnets defined in
the routes. That's the only supported, and proper, way to have
multiple IP subnets off the same interface. Without static routes,
m0n0wall couldn't return traffic to those networks from the source
interface, so there's no sense in passing it.
The way the antispoofing rules are generated and applied is a good
thing. It's essentially just uRPF, where if your routing table says
that particular network is not off of the source interface, drop the
traffic. There's no way it can drop any legit traffic in a sane,
properly configured network setup.