From owner-freebsd-questions@FreeBSD.ORG Tue Sep 8 14:15:39 2009
Return-Path:
Delivered-To: freebsd-questions@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id E437C1065692 for ; Tue, 8 Sep 2009 14:15:39 +0000 (UTC) (envelope-from fsb@thefsb.org)
Received: from smtp114.iad.emailsrvr.com (smtp114.iad.emailsrvr.com [207.97.245.114]) by mx1.freebsd.org (Postfix) with ESMTP id BA7938FC19 for ; Tue, 8 Sep 2009 14:15:39 +0000 (UTC)
Received: from relay21.relay.iad.mlsrvr.com (localhost [127.0.0.1]) by relay21.relay.iad.mlsrvr.com (SMTP Server) with ESMTP id 1373E1B404E; Tue, 8 Sep 2009 10:15:39 -0400 (EDT)
Received: by relay21.relay.iad.mlsrvr.com (Authenticated sender: fsb-AT-thefsb.org) with ESMTPSA id 02B4B1B431A; Tue, 8 Sep 2009 10:15:37 -0400 (EDT)
User-Agent: Microsoft-Entourage/12.10.0.080409
Date: Tue, 08 Sep 2009 10:15:36 -0400
From: Tom Worster
To: Nikos Vassiliadis
Message-ID:
Thread-Topic: "me" in ipfw rules - does it include aliases?
Thread-Index: AcowjtWQ1iOfgpxd1EetYy9rLWbEwg==
In-Reply-To: <4AA600AF.9030701@gmx.com>
Mime-version: 1.0
Content-type: text/plain; charset="US-ASCII"
Content-transfer-encoding: 7bit
Cc: freebsd-questions@freebsd.org
Subject: Re: "me" in ipfw rules - does it include aliases?
X-BeenThere: freebsd-questions@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: User questions
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Tue, 08 Sep 2009 14:15:40 -0000

On 9/8/09 2:58 AM, "Nikos Vassiliadis" wrote:

> Tom Worster wrote:
>> The ipfw man page says:
>>
>> me matches any IP address configured on an interface in the system.
>>
>> which suggests that if I code my rules using "me" then when I add an alias
>> IP address to an interface with ifconfig, these "me" rules will immediately
>> work for the newly added address as they do for other addresses.
>
>> Is that correct?
>
> Yes, the "me" keyword is expanded to whatever IP address is
> assigned on any interface in the system. It's updated whenever
> an IP address is added to or removed from an interface. Use the
> simple ruleset below to test it yourself:
>
> lab# ipfw list
> 00100 allow ip from me to me
> 65535 deny ip from any to any
>
> add alias & ping alias => success
> remove alias & ping alias => failure
>
> It's a really useful keyword, yet it's not a panacea. When
> using it, one has to think about the possibility of an attacker
> who uses "me" addresses. Use some interface checking as
> well in your ruleset...
>
> Nikos

Thanks, Nikos. My rules were all written with "me" and my Apache config didn't mention any IP addresses, so I went ahead and cut over service from a primary server to its hot standby by removing the external IP address on the primary and adding it as an alias to the standby's external interface. Both servers are attached to the same upstream Ethernet bridge (not necessarily the most reliable network config, I know) and it worked well.

I'm interested in your other comment about the risks of using "me". For the best possible security, I'll post my ruleset here for y'all to review ... or maybe not :-)
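The interface checking Nikos recommends, as an added example that is not from the thread and not FreeBSD's own rc.firewall: a small rc.firewall-style sh script that keeps "me" for address matching but pins inbound rules to the upstream interface and drops anything arriving from upstream with a source address that is "me" (the spoofing case Nikos alludes to). The interface name em0, the service ports 22/80/443, and the `fwcmd` dry-run convention are assumptions; the ipfw keywords (`me`, `in`, `out`, `recv`, `xmit`, `via`, `setup`, `keep-state`, `check-state`, `icmptypes`, `log`) are standard ipfw syntax.

```shell
#!/bin/sh
# Added example, not code from the thread or from FreeBSD's rc.firewall.
# Keeps "me" for address matching while adding the interface checks Nikos
# mentions: a packet that enters on the external interface with a source
# address that is "me" is spoofed and gets dropped.
# Assumptions: the external interface is em0 and the host serves ssh (22)
# and http/https (80, 443); adjust oif and the port lists to taste.
#
# Dry run by default: fwcmd="echo ipfw" prints the commands instead of
# loading them. Run as root with fwcmd=/sbin/ipfw to install the rules.

: "${fwcmd:=echo ipfw}"   # left unquoted below so "echo ipfw" word-splits
: "${oif:=em0}"           # external (upstream) interface, assumed name

build_rules() {
    $fwcmd -f flush

    # Loopback traffic is unrestricted, but 127/8 must never be seen on a
    # wire. Local-to-local traffic (me -> me) is routed over lo0, so it
    # matches here rather than the anti-spoofing rule below.
    $fwcmd add 100 allow ip from any to any via lo0
    $fwcmd add 200 deny ip from any to 127.0.0.0/8
    $fwcmd add 300 deny ip from 127.0.0.0/8 to any

    # Anti-spoofing: a packet arriving from upstream that claims one of our
    # own addresses as its source cannot be legitimate. Because "me" tracks
    # aliases added or removed with ifconfig, this rule keeps protecting an
    # address that was just moved onto this host.
    $fwcmd add 400 deny log ip from me to any in recv "$oif"

    # Private source ranges are not expected from upstream either.
    $fwcmd add 410 deny ip from 10.0.0.0/8 to any in recv "$oif"
    $fwcmd add 420 deny ip from 172.16.0.0/12 to any in recv "$oif"
    $fwcmd add 430 deny ip from 192.168.0.0/16 to any in recv "$oif"

    # Stateful handling of our own outbound connections.
    $fwcmd add 500 check-state
    $fwcmd add 510 allow ip from me to any out xmit "$oif" keep-state

    # Services offered on whatever addresses are configured here right now.
    # "in recv $oif" pins each rule to the upstream side instead of matching
    # on any address that merely happens to be "me".
    $fwcmd add 600 allow tcp from any to me 22 in recv "$oif" setup keep-state
    $fwcmd add 610 allow tcp from any to me 80,443 in recv "$oif" setup keep-state
    $fwcmd add 620 allow icmp from any to me icmptypes 0,3,8,11 in recv "$oif"

    # Everything else is dropped and logged (ipfw's built-in 65535 is last).
    $fwcmd add 65000 deny log ip from any to any
}

# Number of "add" commands the dry run emits; a cheap sanity check that the
# ruleset printed is the one you meant to load.
count_rules() {
    build_rules | grep -c ' add '
}

build_rules
```

Run it as-is to print the ruleset, then `fwcmd=/sbin/ipfw sh thisfile` as root to load it. In the hot-standby cutover described above, rule 400 also gives a useful signal: if the old primary were still emitting packets from the moved address, the standby would see them arrive on its external interface with a source that is now "me" and log the drops, which is exactly the situation the interface check exists to catch.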