Date: Mon, 06 Jan 2003 11:31:21 -0600
From: "Jack L. Stone" <jackstone@sage-one.net>
To: Jonathan Belson <jon@witchspace.com>, Ceri Davies <setantae@submonkey.net>
Cc: freebsd-questions@FreeBSD.ORG
Subject: Re: [Q] ipfw and 'me'
Message-ID: <3.0.5.32.20030106113121.011ef950@mail.sage-one.net>
In-Reply-To: <3E19BB9E.6010207@witchspace.com>
References: <3E19B689.2090207@witchspace.com> <20030106171001.GA13668@submonkey.net>

At 05:23 PM 1.6.2003 +0000, Jonathan Belson wrote:
>Ceri Davies wrote:
>> On Mon, Jan 06, 2003 at 05:02:01PM +0000, Jonathan Belson wrote:
>>
>>>I've just been looking into the 'me' option for ipfw:
>>>
>>>me      matches any IP address configured on an interface in the
>>>        system.  The address list is evaluated at the time the
>>>        packet is analysed.
>>>
>>>Since the machine is a gateway, it has two network cards.  Will
>>>'me' match *both* IP address or just the first one it comes
>>>across?  I only really want it to match the IP address of the
>>>external interface, not the internal one.
>>
>> Both, I'm afraid.
>
>Hmm, I suppose since tests for IP spoofing through the external
>interface have already been carried out by that point, it isn't
>that much of a problem.
>
>Does the fancy-pants new IPFW2 allow more control for 'me'?
>
>
>--Jon
>

The best way to do this is to use "awk" to determine and set a variable for
the external IP every time it changes and then refer to that variable in
your rules.

Best regards,
Jack L. Stone,
Administrator

SageOne Net
http://www.sage-one.net
jackstone@sage-one.net
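
A sketch of the awk approach suggested in the message above, added here as an example and not code from the thread or its authors: it pulls the external interface's address out of ifconfig-style output and writes rules that name that address instead of 'me'. The interface names (fxp0, fxp1), the addresses, the rule numbers and the two rules themselves are constructed assumptions.

```shell
#!/bin/sh
# Added example. Interface names, addresses and rules are constructed.

# Constructed sample in the layout ifconfig prints on a two-card gateway.
SAMPLE_IFCONFIG='fxp0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        inet 192.0.2.10 netmask 0xffffff00 broadcast 192.0.2.255
        ether 00:00:5e:00:53:01
fxp1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        inet 10.0.0.1 netmask 0xffffff00 broadcast 10.0.0.255
        ether 00:00:5e:00:53:02'

# ext_ip IFACE: read ifconfig-style text on stdin and print the first
# IPv4 address configured on IFACE (prints nothing if there is none).
ext_ip() {
    awk -v ifname="$1" '
        /^[^ \t]/ { cur = $1; sub(/:$/, "", cur) }   # "fxp0: flags=..." header
        cur == ifname && $1 == "inet" { print $2; exit }
    '
}

# is_ipv4 ADDR: succeed only for a dotted quad with each octet in 0..255.
is_ipv4() {
    printf '%s\n' "$1" | awk -F. '
        NF != 4 { exit 1 }
        { for (i = 1; i <= 4; i++) if ($i !~ /^[0-9]+$/ || $i > 255) exit 1 }
    '
}

# gen_rules IFACE ADDR: print ipfw commands that match only the external
# address. Fails without printing anything if ADDR is not usable, so an
# interface that has lost its address never yields a half-written ruleset.
gen_rules() {
    is_ipv4 "$2" || {
        echo "no usable address on $1; rules not generated" >&2
        return 1
    }
    cat <<EOF
ipfw add 1000 allow tcp from any to $2 22 in via $1
ipfw add 1100 deny ip from any to $2 in via $1
EOF
}

# On a live gateway the input would be: ifconfig | ext_ip fxp0
oip=$(printf '%s\n' "$SAMPLE_IFCONFIG" | ext_ip fxp0)
gen_rules fxp0 "$oip"
```

Unlike 'me', which is evaluated for each packet, the address here is fixed when the rules are generated, so the script has to be re-run whenever the external address changes.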
