From owner-freebsd-questions@FreeBSD.ORG Tue Sep 8 06:59:06 2009
Return-Path:
Delivered-To: freebsd-questions@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 0FE1F1065679 for ; Tue, 8 Sep 2009 06:59:06 +0000 (UTC) (envelope-from nvass9573@gmx.com)
Received: from mail.gmx.com (unknown [213.165.64.42]) by mx1.freebsd.org (Postfix) with SMTP id 5B8518FC18 for ; Tue, 8 Sep 2009 06:59:05 +0000 (UTC)
Received: (qmail invoked by alias); 08 Sep 2009 06:59:03 -0000
Received: from adsl-233.79.107.87.tellas.gr (EHLO [169.254.0.100]) [79.107.87.233] by mail.gmx.com (mp-eu005) with SMTP; 08 Sep 2009 08:59:03 +0200
X-Authenticated: #46156728
X-Provags-ID: V01U2FsdGVkX19EuAAXQg1EMCjdRR9myEZHl/TVcc9aU7d8uwc+SY LCoHDc3s3gC+ED
Message-ID: <4AA600AF.9030701@gmx.com>
Date: Tue, 08 Sep 2009 09:58:55 +0300
From: Nikos Vassiliadis
User-Agent: Thunderbird 2.0.0.23 (Windows/20090812)
MIME-Version: 1.0
To: Tom Worster
References:
In-Reply-To:
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
X-Y-GMX-Trusted: 0
X-FuHaFi: 0.71
Cc: freebsd-questions@freebsd.org
Subject: Re: "me" in ipfw rules - does it include aliases?
X-BeenThere: freebsd-questions@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: User questions
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Tue, 08 Sep 2009 06:59:06 -0000

Tom Worster wrote:
> the ipfw man page says:
>
> me matches any IP address configured on an interface in the system.
>
> which suggests that if i code my rules using "me" then when i add an alias
> ip address to an interface with ifconfig, these "me" rules will immediately
> work for the newly added address as they do for other addresses.
> is that correct?

Yes, the "me" keyword is expanded to whatever IP address is assigned on any interface in the system.
It's updated whenever an IP address is added to or removed from an interface. Use the simple ruleset below to test it yourself:

lab# ipfw list
00100 allow ip from me to me
65535 deny ip from any to any

add alias & ping alias => success
remove alias & ping alias => failure

It's a really useful keyword, yet it's not a panacea. When using it, one has to think about the possibility of an attacker who uses "me" addresses. Use some interface checking as well in your ruleset...

Nikos
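The following is an added example, not code from the thread or from the FreeBSD project: it puts the "me"-only ruleset from the mail beside a variant that adds the interface checking the reply recommends, so the difference can be reviewed before anything is loaded. The interface names are assumptions (lo0 for loopback, em0 as the external NIC); both rulesets are emitted as text so that on a FreeBSD host they can be syntax-checked with `ipfw -n` first.

```shell
#!/bin/sh
# Added example, not taken from the original thread: the "me"-only ruleset
# quoted in the mail, beside a variant with the interface checks the reply
# recommends. Assumptions: lo0 is the loopback and em0 the external NIC;
# both are placeholders for whatever your system actually uses.

EXT_IF="${EXT_IF:-em0}"   # assumed external interface name

# Ruleset from the mail, unchanged: traffic between any two "me" addresses is
# accepted no matter which interface the packet arrived on. A packet that
# arrives from outside with one of our own addresses forged as its source
# still matches "from me", which is the weakness the reply warns about.
weak_ruleset() {
    cat <<EOF
add 00100 allow ip from me to me
add 65535 deny ip from any to any
EOF
}

# Hardened variant: "me to me" traffic is only accepted on the loopback
# interface (which is where the ping-the-alias test from the mail is routed),
# and an inbound packet on the external interface whose source is "me" is
# dropped and logged. Because the ruleset ends in deny-all, rule 200 adds
# visibility (a log line per spoofed packet) rather than extra blocking.
hardened_ruleset() {
    cat <<EOF
add 00100 allow ip from me to me via lo0
add 00200 deny log ip from me to any in recv $EXT_IF
add 65535 deny ip from any to any
EOF
}

# Count the rules in a ruleset that carry an interface qualifier
# (via, recv or xmit). The weak ruleset has none; the hardened one has two.
count_iface_rules() {
    "$1" | grep -cE '(^| )(via|recv|xmit) ' || true
}

# Syntax-check a ruleset with "ipfw -n" (FreeBSD only: -n parses the rules
# without passing them to the kernel). Skips cleanly on a host without ipfw.
syntax_check() {
    if ! command -v ipfw >/dev/null 2>&1; then
        echo "ipfw not found, skipping syntax check for $1"
        return 0
    fi
    "$1" | ipfw -n -q /dev/stdin
}

echo "== weak ruleset ($(count_iface_rules weak_ruleset) interface checks)"
weak_ruleset
echo "== hardened ruleset ($(count_iface_rules hardened_ruleset) interface checks)"
hardened_ruleset
syntax_check hardened_ruleset
```

Run it as a plain script to print both rulesets; on the firewall itself, `EXT_IF=<your external interface> sh script.sh` makes `ipfw -n` parse the hardened set before you load it for real. The point of the second ruleset is that "me" still expands to every configured address, aliases included, but the `via lo0` and `in recv` qualifiers tie that expansion to the interface a packet is actually expected on.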