Date: Tue, 08 Sep 2009 18:12:55 +0300
From: Nikos Vassiliadis <nvass9573@gmx.com>
To: Tom Worster <fsb@thefsb.org>
Cc: freebsd-questions@freebsd.org
Subject: Re: "me" in ipfw rules - does it include aliases?
Message-ID: <4AA67477.2030902@gmx.com>
In-Reply-To: <C6CBDF48.120A7%fsb@thefsb.org>
References: <C6CBDF48.120A7%fsb@thefsb.org>
Tom Worster wrote:
>
> thanks, nikos.
>

You're welcome.

>
> i'm interested in your other comment about the risks of using "me".

All I am saying is that you have to take care of "attacks" which use "me" addresses: packets with a "me" source address coming from a network interface, AKA spoofed packets. Apparently a "me" source address cannot come from a wire[1], right? It's not a great risk, but you better filter them out.

Also, it is very possible that such attacks are not applicable to your network. Or not. I am just pointing out the possible false sense of security when using rules which match "me" addresses. Just be sure that "me" is really your firewall and not somebody else...

> for the best possible security, i'll post my ruleset here for y'all to review ... or
> maybe not :-)

You better not:)

[1] by the word wire, I mean every non-loopback interface

Nikos
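The point Nikos makes above (a rule that matches "me" as a source address will also match a spoofed packet arriving from the wire unless something in front of it drops such packets) can be shown with a small model of ipfw's first-match evaluation. The block below is an added illustration, not code from this thread or from FreeBSD; the host layout (lo0, em0, em1 and their addresses), the two rulesets and the packets are all constructed for the example, and the parser only understands the handful of ipfw keywords the rulesets use (allow/deny, any, me, in/out, via). It also generalises the footnote's advice into a helper that emits one "deny ip from me to any in via <iface>" rule per non-loopback interface.

```python
"""Model of ipfw first-match semantics for the "me" keyword, showing why
"allow ip from me to any" needs an anti-spoofing deny placed before it.
Added illustration; host layout, rulesets and packets are constructed."""
from dataclasses import dataclass
from typing import Optional, Tuple

# Constructed host: loopback plus two wire interfaces (assumption).
IFACE_ADDRS = {
    "lo0": {"127.0.0.1"},
    "em0": {"198.51.100.10"},   # upstream side
    "em1": {"192.0.2.1"},       # LAN side
}
# "me" expands to every address configured on any interface of this host.
ME = set().union(*IFACE_ADDRS.values())
WIRE_IFACES = [i for i in IFACE_ADDRS if i != "lo0"]   # the mail's "wire"


@dataclass
class Packet:
    src: str
    dst: str
    direction: str   # "in" or "out"
    iface: str       # interface the packet arrived on / leaves by


@dataclass
class Rule:
    number: int
    action: str                 # "allow" or "deny"
    src: str                    # "any", "me" or a literal address
    dst: str
    direction: Optional[str]    # "in", "out" or None (either)
    via: Optional[str]          # interface name or None (any)


def parse_rule(line: str) -> Rule:
    """Parse the ipfw subset used here:
    <num> <allow|deny> ip from <src> to <dst> [in|out] [via <ifname>]"""
    tok = line.split("#", 1)[0].split()          # strip trailing comment
    number, action = int(tok[0]), tok[1]
    if action not in ("allow", "deny") or tok[2:4] != ["ip", "from"] or tok[5] != "to":
        raise ValueError(f"unsupported rule syntax: {line!r}")
    src, dst = tok[4], tok[6]
    rest, direction, via = tok[7:], None, None
    while rest:
        t = rest.pop(0)
        if t in ("in", "out"):
            direction = t
        elif t == "via":
            via = rest.pop(0)
        else:
            raise ValueError(f"unsupported token {t!r} in rule {number}")
    return Rule(number, action, src, dst, direction, via)


def addr_matches(spec: str, addr: str) -> bool:
    if spec == "any":
        return True
    if spec == "me":
        return addr in ME
    return spec == addr


def evaluate(ruleset: str, pkt: Packet) -> Tuple[str, int]:
    """First matching rule wins, as in ipfw. Returns (action, rule number)."""
    rules = sorted((parse_rule(l) for l in ruleset.strip().splitlines() if l.strip()),
                   key=lambda r: r.number)
    for r in rules:
        if r.direction and r.direction != pkt.direction:
            continue
        if r.via and r.via != pkt.iface:
            continue
        if addr_matches(r.src, pkt.src) and addr_matches(r.dst, pkt.dst):
            return r.action, r.number
    return "deny", 65535   # ipfw's implicit default rule


def antispoof_rules(first: int = 150) -> str:
    """One deny per non-loopback interface: nothing carrying a "me" source
    address should ever arrive from the wire."""
    return "\n".join(f"{first + 10 * i:05d} deny ip from me to any in via {ifn}"
                     for i, ifn in enumerate(WIRE_IFACES))


NAIVE = """
00100 allow ip from any to any via lo0
00200 allow ip from me to any          # meant for locally generated traffic
65000 deny ip from any to any
"""
# Same ruleset with the anti-spoofing denies inserted ahead of rule 200.
HARDENED = NAIVE.replace("00200", antispoof_rules() + "\n00200")

# Constructed packets: a spoofed one using the LAN address as source but
# arriving on the upstream side, and a legitimate locally generated one.
SPOOFED = Packet(src="192.0.2.1", dst="198.51.100.10", direction="in", iface="em0")
LOCAL_OUT = Packet(src="198.51.100.10", dst="203.0.113.5", direction="out", iface="em0")

if __name__ == "__main__":
    for name, rs in (("naive", NAIVE), ("hardened", HARDENED)):
        print(f"{name:9} spoofed -> {evaluate(rs, SPOOFED)}  local out -> {evaluate(rs, LOCAL_OUT)}")
```

Against the naive ruleset the spoofed packet is accepted by rule 200, exactly the false sense of security the mail warns about; with the per-interface denies in front, it is dropped by rule 150 while the host's own outbound traffic still passes rule 200 because the denies are restricted to "in". On a real FreeBSD box the same effect is usually obtained with ipfw's antispoof or verrevpath options rather than one hand-written deny per interface.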