The antispoofing rules, at least, need to be rewritten when the IP address changes.
AFAIK "antispoofing" means to drop packets with source addresses which come from the wrong interface.
Not quite. Spoofed IP packets have false addresses, i.e. source or destination addresses or both. When talking about anti-spoofing, people usually use the terms 'egress filtering' and 'ingress filtering' to mean filtering of outbound and inbound packets respectively. When considered alone, it makes sense to check both source and destination addresses. The source addresses are of higher importance, though.
At least in a common configuration (internal LANs with static addressing and a dialup/DSL/cable uplink) I don't see why the antispoofing rules should change when the local IP address changes.
If you wish to use the IP address of local machines (including and sometimes restricted to the gateway) as qualifiers in your packet filtering rules, you need to update those along with the IP address.
And let me repeat: if you don't trust your ISP, you don't know whether you get the correct IP assigned, but if you do, you know that the ISP router will route the correct packets (destination-based).
Have you never seen a confused or misconfigured router? What happens when someone breaks into the ISP and changes the configuration of their equipment? Break into an ISP router and configure it to establish GRE tunnels and you've got some very hefty potential problems. It's not about trusting or not trusting the ISP. The problem is that you have practically no influence on their security. OTOH, you have full control over your own systems and you can apply security measures to suit your degree of paranoia. With the ISP's equipment, your options are considerably fewer, very often none.
Well, and since the source addresses are unaffected by your local IP, nothing changes. Usually you may get just *any* IP assigned, and so you can filter with 'any' as the local IP.
That's possible and swinging the balance between security and ease of use towards the latter by some measure I don't wish to discuss. If you can't or are unwilling to do without the IP address information, you need to update the packet filter configuration whenever that changes.
Since the last time we had such a thread nobody had a situation requiring rule rewriting (not counting very exotic setups), I still think there is no need for such rewrites in a clean configuration.
As long as everything is properly configured, yes. But security has a concept called 'defense in depth'. If you follow that concept, you will have redundant, overlapping mechanisms. All but one are unnecessary as long as the one that's left doesn't fail. But what if it does? This, of course, leads to compromise. Those with the need for high security use many layers of defence, those with assets of lower value (or those that don't care or know better) employ fewer layers. In the end it's always a question of cost.

Cheers,
Tobias
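The point argued above (that rules qualified on the gateway's own address must be regenerated when the ISP hands out a new one, while rules that only look at source addresses and interfaces survive the change) can be made concrete with a small generator. This is an added example, not code from anyone in the thread: it assumes a Linux gateway using iptables, a dialup/DSL uplink named ppp0, an internal LAN of 192.168.1.0/24 and two documentation addresses standing in for the old and new ISP-assigned address. The functions only print iptables-restore lines; nothing is applied.

```sh
#!/bin/sh
# Added example (not from the original thread): generate the antispoofing
# part of a gateway's iptables ruleset and show which rules change when the
# ISP assigns a new uplink address. Interface name, LAN range and the
# addresses below are assumptions for illustration only.

UPLINK=ppp0                 # assumed dialup/DSL uplink interface
LAN_NET=192.168.1.0/24      # assumed internal LAN with static addressing

# Ingress/egress rules that qualify only on source address and interface.
# They never mention the gateway's own address, so a new uplink address
# leaves every one of them valid.
address_independent_rules() {
    for net in $LAN_NET 127.0.0.0/8 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16; do
        # ingress: nothing arriving on the uplink may claim an internal or
        # private source address
        printf '%s -i %s -s %s -j DROP\n' "-A INPUT"   "$UPLINK" "$net"
        printf '%s -i %s -s %s -j DROP\n' "-A FORWARD" "$UPLINK" "$net"
    done
    # egress: only the internal LAN is forwarded out through the uplink
    printf '%s -o %s ! -s %s -j DROP\n' "-A FORWARD" "$UPLINK" "$LAN_NET"
}

# Rules that qualify on the gateway's own uplink address. These are the
# ones a change of address forces you to rewrite.
address_dependent_rules() {
    addr=$1
    # ingress: what arrives on the uplink must be addressed to us and must
    # not pretend to come from us
    printf '%s -i %s ! -d %s -j DROP\n' "-A INPUT" "$UPLINK" "$addr"
    printf '%s -i %s -s %s -j DROP\n'   "-A INPUT" "$UPLINK" "$addr"
    # egress: what the gateway itself sends out carries our address
    printf '%s -o %s ! -s %s -j DROP\n' "-A OUTPUT" "$UPLINK" "$addr"
}

# Full antispoofing fragment in iptables-restore format for one address.
ruleset() {
    printf '*filter\n'
    address_independent_rules
    address_dependent_rules "$1"
    printf 'COMMIT\n'
}

# Rules present for the old address but absent for the new one, i.e. the
# lines that would have to be rewritten after an address change.
changed_rules() {
    old=$(mktemp) && new=$(mktemp) || return 1
    ruleset "$1" | sort > "$old"
    ruleset "$2" | sort > "$new"
    comm -23 "$old" "$new"
    rm -f "$old" "$new"
}

# Stand-alone demonstration with two constructed documentation addresses:
# prints exactly the three address-dependent rules.
changed_rules 203.0.113.5 203.0.113.9
```

In practice the address-dependent rules would live in a dedicated chain that a dhclient exit hook (where the new address is in `$new_ip_address`) or pppd's ip-up script (local address in `$4`) flushes and refills, so that the rest of the filter table is untouched; feeding the whole fragment to iptables-restore without --noflush would replace the table. Packet filters that can name an interface's current address in a rule, such as pf with `(ppp0)`, avoid the rewrite altogether; plain iptables has no such shorthand, which is why the rewrite is needed there.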