Date:      Tue, 08 Sep 2009 18:12:55 +0300
From:      Nikos Vassiliadis <nvass9573@gmx.com>
To:        Tom Worster <fsb@thefsb.org>
Cc:        freebsd-questions@freebsd.org
Subject:   Re: "me" in ipfw rules - does it include aliases?
Message-ID:  <4AA67477.2030902@gmx.com>
In-Reply-To: <C6CBDF48.120A7%fsb@thefsb.org>
References:  <C6CBDF48.120A7%fsb@thefsb.org>

Tom Worster wrote:
> 
> thanks, nikos.
> 

You're welcome.

> 
> i'm interested in your other comment about the risks of using "me". 

All I am saying is that you have to take care of "attacks" which use "me"
addresses: packets whose source address is a "me" address, coming in from a
network interface, AKA spoofed packets. Apparently a "me" source address cannot
come from a wire[1], right?

It's not a great risk, but you better filter them out. Also, it is very
possible that such attacks are not applicable to your network. Or not.

I am just pointing out the possible false sense of security when
using rules which match "me" addresses. Just be sure that "me"
is really your firewall and not somebody else...

> for the
> best possible security, i'll post my ruleset here for y'all to review ... or
> maybe not :-)

You better not:)

[1] by the word wire, I mean every non-loopback interface

Nikos



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?4AA67477.2030902>
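The point Nikos makes above, as an added example that is not part of the thread and not anyone's posted ruleset: ipfw(8) evaluates rules in number order, and "me" matches every address configured on any interface of the box, aliases included, so a rule that trusts a "me" source must be preceded by a rule that rejects "me" sources arriving on a non-loopback interface. The interface name, rule numbers and the dry-run default of FWCMD (it prints the ipfw commands instead of loading them) are assumptions made for the example; the awk check at the end only inspects the generated listing.

```shell
#!/bin/sh
# Added example, not part of the thread: a small ipfw(8) rule fragment
# showing where an anti-spoofing rule for "me" has to sit relative to the
# rules that trust "me". Everything here is constructed for illustration:
# the rule numbers are assumptions, and FWCMD defaults to "echo ipfw" so
# the script only prints the commands it would load.
FWCMD="${FWCMD:-echo ipfw}"

# Weak variant: trusts a "me" source without first checking which way the
# packet is travelling. A packet forged with one of our own addresses,
# arriving on the wire, matches rule 310/320 and even gets a dynamic
# state entry created for it.
me_rules_weak() {
    $FWCMD add 100 allow ip from any to any via lo0
    $FWCMD add 300 check-state
    $FWCMD add 310 allow tcp from me to any setup keep-state
    $FWCMD add 320 allow udp from me to any keep-state
}

# Hardened variant: the spoof check sits between the loopback allow
# (loopback legitimately carries "me" addresses on both ends, so it must
# come first) and anything that trusts a "me" source. "in" restricts the
# deny to packets entering the box; outbound packets with a "me" source
# are genuinely ours and fall through to the later rules.
me_rules() {
    $FWCMD add 100 allow ip from any to any via lo0
    $FWCMD add 200 deny log ip from me to any in
    $FWCMD add 300 check-state
    $FWCMD add 310 allow tcp from me to any out setup keep-state
    $FWCMD add 320 allow udp from me to any out keep-state
}

# Read a rule listing on stdin; exit 0 only if a deny for "me" sources
# arriving "in" precedes the first rule that allows traffic from "me".
spoof_check_precedes_trust() {
    awk '
        /deny .*from me to any in/ && !deny  { deny  = NR }
        /allow .*from me to any/   && !allow { allow = NR }
        END { exit !(deny && (!allow || deny < allow)) }
    '
}

if me_rules_weak | spoof_check_precedes_trust; then
    echo "weak ruleset: ok"
else
    echo "weak ruleset: trusts a me source before any spoof check"
fi
if me_rules | spoof_check_precedes_trust; then
    echo "hardened ruleset: ok"
else
    echo "hardened ruleset: broken"
fi
```

Run it as-is to see the two command listings and the verdicts, or with FWCMD=/sbin/ipfw on a test box to actually load the hardened set. The "log" keyword on rule 200 is there so that hits show up in the firewall log and in ipfw show counters; a non-zero count on that rule is exactly the "me is somebody else" case Nikos is warning about.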