xref: /netbsd-src/external/bsd/ipf/dist/rules/server (revision bc4097aacfdd9307c19b7947c13c6ad6982527a9)
#
# For a network server, which has two interfaces, 128.1.40.1 (le0) and
# 128.1.2.1 (le1), we want to block all IP spoofing attacks.  le1 is
# connected to the majority of the network, whilst le0 is connected to a
# leaf subnet.  We're not concerned about filtering individual services
# or
#
pass in quick on le0 from 128.1.40.0/24 to any
block in log quick on le0 from any to any
block in log quick on le1 from 128.1.1.0/24 to any
pass in quick on le1 from any to any
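Added example, not part of the NetBSD file: a small Python evaluator for the restricted rule form used above, run over constructed packets to show which interface/source combinations the first-match `quick` rules pass or block. The parser handles only this file's syntax, and the default-pass fallback assumes a kernel built without IPFILTER_DEFAULT_BLOCK.

```python
import ipaddress

# The four rules from the file above, copied verbatim.
RULES = """\
pass in quick on le0 from 128.1.40.0/24 to any
block in log quick on le0 from any to any
block in log quick on le1 from 128.1.1.0/24 to any
pass in quick on le1 from any to any
"""

def parse_rule(line):
    """Parse the subset of ipf syntax this file uses:
    <action> in [log] quick on <ifname> from <src|any> to any"""
    tok = line.split()
    if tok[1] != "in" or "quick" not in tok or tok[-2:] != ["to", "any"]:
        raise ValueError("unsupported rule: " + line)
    src = tok[tok.index("from") + 1]
    return {
        "action": tok[0],
        "log": "log" in tok,
        "if": tok[tok.index("on") + 1],
        "src": None if src == "any" else ipaddress.ip_network(src),
        "text": line,
    }

def evaluate(rules, ifname, src_ip):
    """Return (action, logged, rule_text) for an inbound packet.
    Every rule here is 'quick', so the first match is final."""
    addr = ipaddress.ip_address(src_ip)
    for r in rules:
        if r["if"] == ifname and (r["src"] is None or addr in r["src"]):
            return r["action"], r["log"], r["text"]
    # Assumption: ipf built without IPFILTER_DEFAULT_BLOCK passes unmatched packets.
    return "pass", False, None

PARSED = [parse_rule(l) for l in RULES.splitlines() if l.strip()]

# Constructed test packets: (arrival interface, claimed source address).
SAMPLES = [
    ("le0", "128.1.40.7"),   # leaf host on the leaf interface
    ("le0", "128.1.2.9"),    # non-leaf source arriving on the leaf interface
    ("le1", "128.1.1.5"),    # source inside the range blocked on le1
    ("le1", "128.1.40.7"),   # leaf-subnet source arriving on the main interface
    ("le1", "10.0.0.1"),     # any other source on the main interface
]

if __name__ == "__main__":
    for ifname, src in SAMPLES:
        action, logged, rule = evaluate(PARSED, ifname, src)
        print(f"{ifname:4} {src:12} -> {action:5} log={logged}  [{rule}]")
```

With the rules as written, a packet arriving on le1 with a 128.1.40.0/24 source matches only the final pass rule; the le1 block rule covers 128.1.1.0/24.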