from what I understand, anti-spoofing should only
accept packets that are from the NICs range or those
specified in the others section, yet, from a simple
test, CP <NG and FW-1> accepted packets comming
from/to the VRRP address, although those were dropped
by the rulebase, I'm wondering why weren't they
dropped in the first place?