Date:      Tue, 08 Sep 2009 09:58:55 +0300
From:      Nikos Vassiliadis <nvass9573@gmx.com>
To:        Tom Worster <fsb@thefsb.org>
Cc:        freebsd-questions@freebsd.org
Subject:   Re: "me" in ipfw rules - does it include aliases?
Message-ID:  <4AA600AF.9030701@gmx.com>
In-Reply-To: <C6CAF7A0.12015%fsb@thefsb.org>
References:  <C6CAF7A0.12015%fsb@thefsb.org>

Tom Worster wrote:
> the ipfw man page says:
> 
>   me   matches any IP address configured on an interface in the system.
> 
> which suggests that if I code my rules using "me" then when I add an alias
> IP address to an interface with ifconfig, these "me" rules will immediately
> work for the newly added address as they do for other addresses.

> Is that correct?

Yes, the "me" keyword is expanded to whatever IP address is
assigned on any interface in the system. It's updated whenever
an IP address is added to or removed from an interface. Use the
simple ruleset below to test it yourself:

lab# ipfw list
00100 allow ip from me to me
65535 deny ip from any to any

add alias & ping alias => success
remove alias & ping alias => failure

It's a really useful keyword, yet it's not a panacea. When
using it, one has to think about the possibility of an attacker
who uses "me" addresses. Use some interface checking as
well in your ruleset...

Nikos
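As an added illustration of the interface-checking advice above (example script, not part of the original thread or of FreeBSD's own documentation): a small POSIX sh script that prints an ipfw ruleset pairing "me" with "in via" checks, so a packet that arrives on the external interface while claiming one of the host's own addresses is dropped and logged. The interface name em0 is an assumption; the functions only print rules, so the output can be reviewed before it is loaded.

```shell
#!/bin/sh
# Added example: build an ipfw ruleset that uses "me" together with
# interface checks. Nothing here touches the live firewall; the rules are
# printed so they can be inspected first.

EXT_IF="${EXT_IF:-em0}"   # assumption: em0 is the Internet-facing interface

# Print the ruleset for the given external interface, one "ipfw add" per line.
build_rules() {
    ext_if="$1"
    cat <<EOF
ipfw -f flush
ipfw add 100 allow ip from any to any via lo0
ipfw add 110 deny ip from any to 127.0.0.0/8
ipfw add 120 deny ip from 127.0.0.0/8 to any
ipfw add 200 deny log ip from me to any in via ${ext_if}
ipfw add 300 allow ip from me to me
ipfw add 400 allow tcp from me to any out via ${ext_if} setup keep-state
ipfw add 65000 deny log ip from any to any
EOF
}

# Exit 0 if the generated ruleset carries the anti-spoof rule for the
# given interface (a local "me" source address arriving inbound on it), else 1.
has_antispoof_rule() {
    build_rules "$1" | grep -q "deny log ip from me to any in via $1"
}

# Count how many rules reference the given interface (rule 100 is lo0 only).
count_iface_rules() {
    build_rules "$1" | grep -c "via $1"
}
```

To load the printed rules on a FreeBSD host, pipe `build_rules "$EXT_IF"` into `sh` as root after reviewing the output.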
