from what I understand, anti-spoofing should only
accept packets that are from the NICs range or those
specified in the others section, yet, from a simple
test, CP <NG and FW-1> accepted packets comming
from/to the VRRP address, although those were dropped
by the rulebase, I'm wondering why weren't they
dropped in the first place?
Where were they dropped in the rulebase. if it is at rule 0, then it is because of the antispoofing configuration. If you can, please give a bit more information about your setup, and I will try to help you.
Also, I don't know if this is an option, but you might not want to config antispoofing on your firewall, but instead do it on your internet router via access-lists. Just a bit easier in my opinion.