February 14th, 2002, 04:52 PM
from what I understand, anti-spoofing should only
accept packets that are from the NICs range or those
specified in the others section, yet, from a simple
test, CP <NG and FW-1> accepted packets comming
from/to the VRRP address, although those were dropped
by the rulebase, I'm wondering why weren't they
dropped in the first place?
February 14th, 2002, 05:43 PM
Where were they dropped in the rulebase. if it is at rule 0, then it is because of the antispoofing configuration. If you can, please give a bit more information about your setup, and I will try to help you.
Also, I don't know if this is an option, but you might not want to config antispoofing on your firewall, but instead do it on your internet router via access-lists. Just a bit easier in my opinion.