PF urpf-failed vs antispoof

Assuming a strictly symmetric routing, is there any difference between using antispoof rules and blocking incoming packets that fail the unicast reverse path forwarding check (urpf-failed)? I've actually seen a number of examples that employ both. Is it necessary to use both? Are there any other advantages of one over the other?
 
The urpf-failed operation isn't limited to a single layer 3 hop.
What exactly does that mean, and is it relevant in the following scenario:

Let's assume I have a router that has one LAN interface fxp0 (192.168.1.1/24), one WLAN interface wlan0 (192.168.2.1/24) and an internet connection with a single dynamic IPv4 address and default route on the tun0 interface.

Using antispoof rules, I would probably do something like:
Code:
antispoof quick for fxp0 inet
antispoof quick for wlan0 inet
antispoof quick for (tun0) inet
Which would give a total of six rules:
Code:
block drop in quick on ! fxp0 inet from 192.168.1.0/24 to any
block drop in quick inet from 192.168.1.1 to any
block drop in quick on ! wlan0 inet from 192.168.2.0/24 to any
block drop in quick inet from 192.168.2.1 to any
block drop in quick on ! tun0 inet from (tun0:network) to any
block drop in quick inet from (tun0) to any
Wouldn't a single rule like this accomplish the same purpose?
Code:
block drop in quick from urpf-failed to any
 
There's absolutely no reason to have both, and people who have both are just copying/pasting something they saw on the internet. They both verify that the source addresses of packets on each LAN are inbound on the correct interface of each LAN, but using different methods. Antispoof looks at the network of each interface and then adds new rules, while urpf-failed looks at the routing table and determines where packets should not be coming from.
 
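As an added illustration (not pf's code and not part of this thread), the following Python models both checks against the topology from the question: the expanded antispoof rules on one side, and a longest-prefix route lookup on the source address on the other. The tun0 address, the sample packets and the static route to 10.10.0.0/16 via another router on fxp0 are constructed assumptions, included to show the "more than one layer 3 hop" case where the two checks differ.

```python
import ipaddress

# Constructed topology from the question. The tun0 address stands in for the
# dynamic IPv4 address; 10.10.0.0/16 is a hypothetical subnet reached through
# another router on the fxp0 LAN (a second layer 3 hop).
INTERFACES = {
    "fxp0": ipaddress.ip_interface("192.168.1.1/24"),
    "wlan0": ipaddress.ip_interface("192.168.2.1/24"),
    "tun0": ipaddress.ip_interface("203.0.113.7/32"),
}
STATIC_ROUTES = [(ipaddress.ip_network("10.10.0.0/16"), "fxp0")]

def routing_table():
    """Default route out tun0, the static routes, a host route via lo0 for
    each local address (as the kernel installs), and the connected networks."""
    table = [(ipaddress.ip_network("0.0.0.0/0"), "tun0")] + STATIC_ROUTES
    for ifname, addr in INTERFACES.items():
        table.append((ipaddress.ip_network(f"{addr.ip}/32"), "lo0"))
        table.append((addr.network, ifname))
    return table

def antispoof_blocks(src, ifname):
    """Model of pf's expansion of 'antispoof for <if>': block the interface
    network when it arrives on any other interface, and the interface's own
    address when it arrives on any interface at all."""
    src = ipaddress.ip_address(src)
    for own_if, addr in INTERFACES.items():
        if src in addr.network and own_if != ifname:
            return True
        if src == addr.ip:
            return True
    return False

def urpf_failed(src, ifname):
    """Model of urpf-failed: longest-prefix lookup of the source address in
    the routing table; the packet fails if the best route does not leave
    via the interface the packet arrived on."""
    src = ipaddress.ip_address(src)
    matches = [r for r in routing_table() if src in r[0]]
    _best_net, best_if = max(matches, key=lambda r: r[0].prefixlen)
    return best_if != ifname

def check(src, ifname):
    """Return (blocked_by_antispoof, blocked_by_urpf) for one inbound packet."""
    return antispoof_blocks(src, ifname), urpf_failed(src, ifname)

if __name__ == "__main__":
    for src, ifname in [("192.168.1.5", "wlan0"), ("10.10.5.5", "wlan0"),
                        ("198.51.100.9", "fxp0"), ("198.51.100.9", "tun0")]:
        print(src, "in on", ifname, "-> antispoof, urpf-failed:", check(src, ifname))
```

The constructed 10.10.5.5 and 198.51.100.9 cases pass the expanded antispoof rules but fail the route-based check, which is what the routing-table method adds over interface-network matching.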