Date: Tue, 07 Aug 2001 10:50:37 -0500
From: "Douglas G. Allen" <dallen@roe35.lth2.k12.il.us>
To: "Max Clements" <max.clements@swistgroup.com>
Cc: freebsd-security@freebsd.org
Subject: RE: ipfw question
Message-ID: <200108071050370603.00D90CE5@mail.roe35.lth2.k12.il.us>
In-Reply-To: <DEC925D2FB9081448C3D6EC26E85868C5B66@steinmail.swistgroup.com>
References: <DEC925D2FB9081448C3D6EC26E85868C5B66@steinmail.swistgroup.com>

Max,

>Nope - it is the netmask that you associate with one host...
>ifconfig is quite correct in NOT rejecting it as it is right to use it with
>an alias...

My understanding, based upon a lot of reading and some discussions on Sunday in stable, was that only the first IP address was given the true network mask. The aliases had to be given the 255.255.255.255 netmask in order for it to work. Otherwise arp might complain, as it did with two cards active on the machine.

>Nope an alias that is on the same IP segment as the main interface must have
>a netmask of all ones, i.e., 255.255.255.255 or if you like that in hex
>0xffffffff. Please refer to the FreeBSD /etc/defaults/rc.conf file and see:
>--
>#ifconfig_lo0_alias0="inet 127.0.0.254 netmask 0xffffffff" # Sample alias entry.
>--

Ok, that backs up my interpretation above. Now, how do I get ipfw to allow me to write rules that will filter on both rules and leave both the true address and the alias active and able to see the network?

I've tried firewalling just the true address, firewalling both addresses with the true netmask, firewalling the true address with the actual mask and the alias with 255.255.255.255. In each case, I could get the true address to see the network and the ipfw rules worked as expected. However the alias didn't function in each case.

Any suggestions?

Doug
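
As an added example (not part of the original message and not FreeBSD project code): a small Python check for the netmask convention discussed in this thread, flagging rc.conf aliases that sit in the primary address's subnet without an all-ones netmask. It does not address the ipfw question; the interface name `fxp0` and the addresses are constructed sample values.

```python
import ipaddress
import re

# Constructed sample rc.conf fragment (documentation address ranges, not from the thread).
SAMPLE_RC_CONF = '''
ifconfig_fxp0="inet 192.0.2.10 netmask 255.255.255.0"
ifconfig_fxp0_alias0="inet 192.0.2.11 netmask 255.255.255.0"
ifconfig_fxp0_alias1="inet 192.0.2.12 netmask 0xffffffff"
ifconfig_fxp0_alias2="inet 198.51.100.5 netmask 255.255.255.0"
#ifconfig_lo0_alias0="inet 127.0.0.254 netmask 0xffffffff"
'''

# ifconfig_<iface>="inet A netmask M" or ifconfig_<iface>_aliasN="inet A netmask M"
LINE = re.compile(
    r'^ifconfig_(\w+?)(?:_(alias\d+))?="inet\s+(\S+)\s+netmask\s+(\S+)[^"]*"')


def parse_mask(text):
    """Prefix length for a dotted-quad or 0x-hex netmask; ValueError if invalid."""
    if text.lower().startswith("0x"):
        text = str(ipaddress.IPv4Address(int(text, 16)))
    return ipaddress.IPv4Network("0.0.0.0/" + text).prefixlen


def check_aliases(rc_conf):
    """Return (iface, alias, address, prefixlen) for each alias that lies in
    the primary address's subnet but does not use a 255.255.255.255 netmask."""
    primary, aliases = {}, []
    for raw in rc_conf.splitlines():
        m = LINE.match(raw.strip())   # commented-out lines start with '#': skipped
        if not m:
            continue
        iface, alias, addr, mask = m.groups()
        plen = parse_mask(mask)
        if alias is None:
            primary[iface] = ipaddress.IPv4Network((addr, plen), strict=False)
        else:
            aliases.append((iface, alias, ipaddress.IPv4Address(addr), plen))
    return [(i, a, str(ip), plen) for i, a, ip, plen in aliases
            if i in primary and ip in primary[i] and plen != 32]


if __name__ == "__main__":
    for iface, alias, addr, plen in check_aliases(SAMPLE_RC_CONF):
        print(f"{iface} {alias}: {addr}/{plen} is in the primary subnet; "
              "use netmask 0xffffffff")
```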