From: Nikos Vassiliadis <nvass9573@gmx.com>
To: Tom Worster
Cc: freebsd-questions@freebsd.org
Date: Tue, 08 Sep 2009 18:12:55 +0300
Message-ID: <4AA67477.2030902@gmx.com>
Subject: Re: "me" in ipfw rules - does it include aliases?

Tom Worster wrote:
>
> thanks, nikos.
>

You're welcome.

> i'm interested in your other comment about the risks of using "me".

All I am saying is that you have to take care of "attacks" which use "me"
addresses. Packets with source address a "me" address coming from a network
interface, AKA spoofed packets. Apparently a "me" source address cannot come
from a wire[1], right? It's not a great risk, but you better filter them out.
Also, it is very possible that such attacks are not applicable to your
network. Or not.

I am just pointing out the possible false sense of security when using rules
which match "me" addresses. Just be sure that "me" is really your firewall and
not somebody else...

> for the best possible security, i'll post my ruleset here for y'all to
> review ... or maybe not :-)

You better not :)

[1] by the word wire, I mean every non-loopback interface

Nikos
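The filtering Nikos recommends, as an added example that is not part of his message and not FreeBSD's own /etc/rc.firewall: a small ruleset that lets loopback through first and then drops any packet arriving on the wire whose source address is one of the firewall's own ("me") addresses, so that later "from me" rules only ever see genuine local traffic. It also shows what "me" will match, since ipfw(8) evaluates "me" against every IP address configured on an interface at the time the packet is examined, aliases included. The `${FWCMD}` dry-run convention, the rule numbers, the interface name em0 and the 192.0.2.x addresses in the constructed ifconfig sample are all assumptions made for this example.

```shell
#!/bin/sh
# Added example (not from the original thread or from rc.firewall).
# By default this is a dry run that only prints the ipfw commands; on a
# FreeBSD box run it as root with FWCMD=/sbin/ipfw to actually load them.
# Rule numbers are arbitrary and assumed free in your ruleset.

FWCMD="${FWCMD:-echo /sbin/ipfw}"

# Print the IPv4 addresses that "me" would match, given `ifconfig -a` output
# on stdin. Every "inet" line counts, so interface aliases are included;
# ipfw checks the configured addresses when each packet is examined.
me_addresses() {
    awk '$1 == "inet" { print $2 }'
}

# Emit the anti-spoofing rules. Loopback is allowed first, because locally
# generated traffic to our own addresses legitimately carries a "me" source
# and must not be caught by the rule that follows.
antispoof_rules() {
    ${FWCMD} add 100 allow ip from any to any via lo0
    ${FWCMD} add 110 deny ip from any to 127.0.0.0/8
    ${FWCMD} add 120 deny ip from 127.0.0.0/8 to any
    # A packet coming in from any non-loopback interface whose source is one
    # of our own addresses cannot be genuine: drop (and log) it here, before
    # any later "from me" rule could mistake it for the firewall's own traffic.
    ${FWCMD} add 130 deny log ip from me to any in
}

# Constructed ifconfig output for demonstration (not captured from a real
# host): em0 has a primary address plus one alias, lo0 has 127.0.0.1.
SAMPLE_IFCONFIG='em0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        inet 192.0.2.10 netmask 0xffffff00 broadcast 192.0.2.255
        inet 192.0.2.11 netmask 0xffffffff broadcast 192.0.2.11
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
        inet 127.0.0.1 netmask 0xff000000'

# Show which addresses "me" covers on the sample host, then the rules.
printf '%s\n' "$SAMPLE_IFCONFIG" | me_addresses
antispoof_rules
```

Run on the real firewall, replace the sample with `ifconfig -a | me_addresses` to list what "me" currently covers; the rules themselves belong before any rule that matches "from me", otherwise a spoofed packet reaches those rules first and the protection they seem to offer is exactly the false sense of security the message warns about.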