From owner-freebsd-current@FreeBSD.ORG Tue Jun 10 22:25:15 2003
Return-Path:
Delivered-To: freebsd-current@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id ED87837B405 for ; Tue, 10 Jun 2003 22:25:15 -0700 (PDT)
Received: from alpha.siliconlandmark.com (alpha.siliconlandmark.com [209.69.98.4]) by mx1.FreeBSD.org (Postfix) with ESMTP id 3C24543FDD for ; Tue, 10 Jun 2003 22:25:15 -0700 (PDT) (envelope-from andy@siliconlandmark.com)
Received: from alpha.siliconlandmark.com (localhost [127.0.0.1]) h5B5PCAQ096943; Wed, 11 Jun 2003 01:25:12 -0400 (EDT) (envelope-from andy@siliconlandmark.com)
Received: from localhost (andy@localhost) h5B5PBxF096940; Wed, 11 Jun 2003 01:25:11 -0400 (EDT) (envelope-from andy@siliconlandmark.com)
X-Authentication-Warning: alpha.siliconlandmark.com: andy owned process doing -bs
Date: Wed, 11 Jun 2003 01:25:11 -0400 (EDT)
From: Andre Guibert de Bruet
To: Dan Nelson
In-Reply-To: <20030611043159.GC48233@dan.emsphone.com>
Message-ID: <20030611012229.Q56112@alpha.siliconlandmark.com>
References: <20030611001220.X56112@alpha.siliconlandmark.com> <20030611043159.GC48233@dan.emsphone.com>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
cc: current@freebsd.org
Subject: Re: ipfw's "me" keyword
X-BeenThere: freebsd-current@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
List-Id: Discussions about the use of FreeBSD-current
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Wed, 11 Jun 2003 05:25:16 -0000

On Tue, 10 Jun 2003, Dan Nelson wrote:

> In the last episode (Jun 11), Andre Guibert de Bruet said:
> >
> > Now I realize that the broadcast address doesn't match the network
> > card's IP address, which is why the packet isn't getting matched. But
> > do we really want this behavior? Don't broadcasts affect all machines
> > on the subnet and therefore qualify for "me" matching?
>
> "me" was more designed for allow rules when you have a dynamic IP. It
> lets you set up rules that are guaranteed to work no matter what your
> current IP is. Does this do what you want:
>
> deny udp from 192.168.1.0/24 to any dst-port 137,138 in via dc0

I ended up using that exact rule when I realized what was going on, and
yes, it does drop the packets as intended.

> Andre Guibert de Bruet | Enterprise Software Consultant >
> Silicon Landmark, LLC. | http://siliconlandmark.com/ >
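The behaviour discussed in this exchange, as an added example that is not part of the original thread or of ipfw itself: a small Python model of ipfw's first-match rule evaluation in which `me` stands for the addresses configured on the host's own interfaces, so a subnet broadcast (192.168.1.255) is not matched by `to me` while Dan's `from 192.168.1.0/24 to any ... in via dc0` rule catches it. The interface names and addresses, the sample packets, and the `deny udp from any to me dst-port 137,138 in via dc0` form of the rule that failed to match are assumptions made for the illustration; the thread does not show the original rule.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

# Constructed host configuration (assumed for the example, not from the thread):
# one Ethernet card, dc0, on the 192.168.1.0/24 LAN.
LOCAL_ADDRS: Dict[str, str] = {"dc0": "192.168.1.10/24", "lo0": "127.0.0.1/8"}


@dataclass
class Packet:
    proto: str
    src: str
    dst: str
    dport: int
    iface: str      # interface the packet arrives on or leaves through
    direction: str  # "in" or "out"


@dataclass
class Rule:
    action: str                      # "allow" or "deny"
    proto: str                       # "udp", "tcp" or "ip" (any protocol)
    src: str                         # "any", "me", or a CIDR such as 192.168.1.0/24
    dst: str
    dports: Optional[Set[int]] = None    # dst-port list, None = any port
    direction: Optional[str] = None      # "in", "out" or None (either)
    iface: Optional[str] = None          # "via <iface>", None = any interface


def addr_matches(spec: str, addr: str, local_addrs: Dict[str, str]) -> bool:
    """Does a rule address specifier match one packet address?"""
    ip = ipaddress.ip_address(addr)
    if spec == "any":
        return True
    if spec == "me":
        # "me" is the set of addresses configured on the host's interfaces.
        # The subnet broadcast address is not a configured address, so it
        # does not match even though every host on the LAN receives it.
        return any(ip == ipaddress.ip_interface(cidr).ip for cidr in local_addrs.values())
    return ip in ipaddress.ip_network(spec, strict=False)


def rule_matches(rule: Rule, pkt: Packet, local_addrs: Dict[str, str]) -> bool:
    if rule.proto != "ip" and rule.proto != pkt.proto:
        return False
    if rule.direction is not None and rule.direction != pkt.direction:
        return False
    if rule.iface is not None and rule.iface != pkt.iface:
        return False
    if rule.dports is not None and pkt.dport not in rule.dports:
        return False
    return (addr_matches(rule.src, pkt.src, local_addrs)
            and addr_matches(rule.dst, pkt.dst, local_addrs))


def evaluate(rules: List[Rule], pkt: Packet,
             local_addrs: Dict[str, str] = LOCAL_ADDRS) -> str:
    """First matching rule wins; an implicit 'allow ip from any to any' ends the list."""
    for rule in rules:
        if rule_matches(rule, pkt, local_addrs):
            return rule.action
    return "allow"


# Assumed form of the rule that did not fire:
#   deny udp from any to me dst-port 137,138 in via dc0
RULES_ME = [Rule("deny", "udp", "any", "me", {137, 138}, "in", "dc0")]
# Dan's suggestion:
#   deny udp from 192.168.1.0/24 to any dst-port 137,138 in via dc0
RULES_SUBNET = [Rule("deny", "udp", "192.168.1.0/24", "any", {137, 138}, "in", "dc0")]

# Constructed packets: a NetBIOS name-service broadcast and a unicast to this host.
BROADCAST = Packet("udp", "192.168.1.20", "192.168.1.255", 137, "dc0", "in")
UNICAST = Packet("udp", "192.168.1.20", "192.168.1.10", 137, "dc0", "in")


if __name__ == "__main__":
    for name, rules in (("to me", RULES_ME), ("from subnet", RULES_SUBNET)):
        print(f"{name:12s} broadcast -> {evaluate(rules, BROADCAST)}, "
              f"unicast -> {evaluate(rules, UNICAST)}")
    # What "me" is designed for: renumber the host and the rule still fits,
    # whereas the explicit-subnet rule would have to be rewritten.
    renumbered = {"dc0": "10.0.0.5/24", "lo0": "127.0.0.1/8"}
    moved = Packet("udp", "10.0.0.7", "10.0.0.5", 137, "dc0", "in")
    print("after renumbering: to me ->", evaluate(RULES_ME, moved, renumbered),
          ", from subnet ->", evaluate(RULES_SUBNET, moved, renumbered))
```

The model only covers the keywords that appear in the thread (protocol, `any`/`me`/CIDR addresses, `dst-port`, `in`, `via`); it is meant to make the broadcast mismatch visible, not to reproduce ipfw's full grammar.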