From owner-freebsd-questions@FreeBSD.ORG Tue Feb 17 20:50:28 2004
Date: Tue, 17 Feb 2004 20:46:09 -0800
From: Saint Aardvark the Carpeted
To: Peter Rosa
In-reply-to: <000701c3f597$f4a53380$3501a8c0@peter>
Message-id: <20040218044609.GG2197@hardesty.saintaardvarkthecarpeted.com>
cc: FreeBSD Questions
Subject: Re: IPFW rules

Peter Rosa disturbed my sleep to write:

> please what's the difference between these ipfw rules:
>
> ${fwcmd} add 63000 deny ip from any to 0.0.0.255:0.0.0.255 in via ${oif}

This denies broadcasts coming in to your machine through the outside interface. The rule number is specified here, and it's rather high; if it's not stopping the traffic you think it should, there may be another rule earlier that's allowing it through.

I'm not certain, but I think the address "0.0.0.255:0.0.0.255" means "anything ending in .255" -- the part after the colon is a netmask, and for ipfw it means "only the last byte of the address needs to match". This would catch a broadcast going to your local network if it was a /24. For example, if your local network was 192.168.100.0/24 ("/24" is the same netmask as 255.255.255.0), then this rule would stop broadcasts on that network (going to 192.168.100.255). It would *not* stop broadcasts if you had a smaller or larger netmask, where the broadcast address didn't end in .255.

> ${fwcmd} add deny all from any to 255.255.255.255

This denies broadcasts going in any direction (from or to your machine), no matter what the interface. The address specified is different from the first -- it's 255.255.255.255, and the whole address needs to match. Usually you'd see this address when the host is trying to figure out its IP address -- during DHCP requests, say.

Hope that helps,

Hugh

--
Saint Aardvark the Carpeted
aardvark@saintaardvarkthecarpeted.com
Because the plural of Anecdote is Myth.
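The address matching and first-match rule ordering described in the reply above, as an added Python example that is not part of the original thread and not ipfw's own code. It assumes `fxp0` as the outside interface name and uses 63100 as a stand-in for the number ipfw would assign to the second rule, which was added without one.

```python
import ipaddress

def addr_match(spec, addr):
    """ipfw-style address match: 'any', an exact address, 'a.b.c.d/len',
    or the non-contiguous 'a.b.c.d:m.m.m.m' form used in rule 63000."""
    if spec == "any":
        return True
    a = int(ipaddress.IPv4Address(addr))
    if ":" in spec:                      # base:mask -> only bits set in mask must agree
        base, mask = spec.split(":")
        m = int(ipaddress.IPv4Address(mask))
        return (a & m) == (int(ipaddress.IPv4Address(base)) & m)
    if "/" in spec:
        return ipaddress.IPv4Address(addr) in ipaddress.IPv4Network(spec, strict=False)
    return a == int(ipaddress.IPv4Address(spec))   # bare address: whole address must match

def rule_match(rule, pkt):
    """A rule matches when src, dst and, if given, direction and interface all agree."""
    return (addr_match(rule["src"], pkt["src"])
            and addr_match(rule["dst"], pkt["dst"])
            and rule.get("dir") in (None, pkt["dir"])
            and rule.get("via") in (None, pkt["iface"]))

def first_match(rules, pkt):
    """ipfw walks the rule set in ascending rule-number order; the first match decides.
    With no match the kernel's default rule 65535 applies (accept or deny depends
    on how the kernel was built, so it is only labelled 'default' here)."""
    for rule in sorted(rules, key=lambda r: r["num"]):
        if rule_match(rule, pkt):
            return rule["num"], rule["action"]
    return 65535, "default"

# The two rules from the question. OIF is a constructed interface name and 63100
# stands in for the number ipfw would auto-assign to the un-numbered second rule.
OIF = "fxp0"
RULES = [
    {"num": 63000, "action": "deny", "src": "any",
     "dst": "0.0.0.255:0.0.0.255", "dir": "in", "via": OIF},
    {"num": 63100, "action": "deny", "src": "any", "dst": "255.255.255.255"},
]

def classify(rules, src, dst, direction, iface):
    """Constructed packet summary -> (rule number, action) that decides it."""
    return first_match(rules, {"src": src, "dst": dst, "dir": direction, "iface": iface})
```

Running `classify` over a /24 broadcast, a /25 broadcast (ending in .127) and a DHCP-style 255.255.255.255 packet shows which rule fires, and adding an earlier `allow` rule shows how a lower-numbered rule lets the broadcast through before 63000 is ever consulted.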