Date: Tue, 07 Aug 2001 10:50:37 -0500
From: "Douglas G. Allen"
To: "Max Clements"
Cc: freebsd-security@freebsd.org
Subject: RE: ipfw question
Message-ID: <200108071050370603.00D90CE5@mail.roe35.lth2.k12.il.us>

Max,

>Nope - it is the netmask that you associate with one host...
>ifconfig is quite correct in NOT rejecting it as it is right to use it with
>an alias...

My understanding, based upon a lot of reading and some discussions on Sunday in stable, was that only the first IP address was given the true network mask. The aliases had to be given the 255.255.255.255 netmask in order for it to work. Otherwise arp might complain, as it did with two cards active on the machine.

>Nope an alias that is on the same IP segment as the main interface must have
>a netmask of all ones, i.e., 255.255.255.255 or if you like that in hex
>0xffffffff. Please refer to the FreeBSD /etc/defaults/rc.conf file and see:
>--
>#ifconfig_lo0_alias0="inet 127.0.0.254 netmask 0xffffffff" # Sample alias entry.
>--

Ok, that backs up my interpretation above. Now, how do I get ipfw to allow me to write rules that will filter on both rules and leave both the true address and the alias active and able to see the network?

I've tried firewalling just the true address, firewalling both addresses with the true netmask, firewalling the true address with the actual mask and the alias with 255.255.255.255. In each case, I could get the true address to see the network and the ipfw rules worked as expected. However, the alias didn't function in each case.

Any suggestions?

Doug