The antispoofing rules are automatically generated based on your routing configuration.
Generally, traffic is only allowed if the IP address seen in the communications corresponds to
the IP address space that is defined for routing through that interface in the Routing view.
Normally, communications require this routing information in any case for any reply packets to
be correctly routed, but in cases where communications are one-way, you can make exceptions
to the antispoofing in the Antispoofing view.
By default, the antispoofing tree is read by picking the most specific entry defined in the view
(for example, a definition of a single IP address is picked over a definition of a whole network). If
some IP address must be allowed access through two or more different interfaces, the definition
for each interface must be at the same level of detail for the IP address in question.