Date:      Wed, 11 Jun 2003 00:21:37 -0400 (EDT)
From:      Andre Guibert de Bruet <andy@siliconlandmark.com>
To:        current@freebsd.org
Subject:   ipfw's "me" keyword
Message-ID:  <20030611001220.X56112@alpha.siliconlandmark.com>

Hi,

I've been fooling around a bit with IPFW2 and I came across interesting
behavior with regards to the "me" keyword. It appears as if smb broadcasts
(UDP 137,138) do not get matched when denying packets with a rule similar
to the following:
deny udp from 192.168.1.0/24 to me dst-port 137,138

I have a rule right after the one above which logs and I'm getting the
following in my syslog:
Jun 11 00:16:04 bling kernel: ipfw: 65530 Reject UDP 192.168.1.40:138 192.168.1.255:138 in via dc0

Now I realize that the broadcast address doesn't match the network card's
IP address, which is why the packet isn't getting matched. But do we
really want this behavior? Don't broadcasts affect all machines on the
subnet and therefore qualify for "me" matching?

Thanks for any insight.

> Andre Guibert de Bruet | Enterprise Software Consultant >
> Silicon Landmark, LLC. | http://siliconlandmark.com/    >
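The behaviour described above can be checked against the logged packet itself. The following is an added example, not code from the original message or from FreeBSD: it parses the ipfw syslog line quoted above, applies the `me` semantics from ipfw(8) (the destination must equal an address configured on one of the host's interfaces), and shows that a subnet broadcast falls outside that match. It then generates the companion rules that cover the broadcast destinations `me` does not. The host's own address (`dc0` as 192.168.1.10/24) is an assumption, since the message does not state it.

```python
import ipaddress
import re

# Constructed sample: addresses the host has configured, which is what the
# ipfw "me" keyword compares the destination against (assumption: dc0 is
# 192.168.1.10/24; the message does not state the host's own address).
INTERFACES = {
    "dc0": ipaddress.ip_interface("192.168.1.10/24"),
    "lo0": ipaddress.ip_interface("127.0.0.1/8"),
}

# Syslog line format as it appears in the message, e.g.
# "ipfw: 65530 Reject UDP 192.168.1.40:138 192.168.1.255:138 in via dc0"
LOG_RE = re.compile(
    r"ipfw: (?P<rule>\d+) (?P<action>\w+) (?P<proto>\w+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"(?P<direction>in|out) via (?P<ifname>\w+)"
)

# The log line from the original message, used as sample input.
SAMPLE_LOG = ("Jun 11 00:16:04 bling kernel: ipfw: 65530 Reject UDP "
              "192.168.1.40:138 192.168.1.255:138 in via dc0")


def parse_ipfw_log(line):
    """Return the fields of one ipfw log line as a dict, or None if it does not match."""
    m = LOG_RE.search(line)
    if m is None:
        return None
    rec = m.groupdict()
    for key in ("rule", "sport", "dport"):
        rec[key] = int(rec[key])
    return rec


def matches_me(dst):
    """'me' semantics: the destination equals an address configured on this host."""
    addr = ipaddress.ip_address(dst)
    return any(addr == iface.ip for iface in INTERFACES.values())


def is_broadcast(dst):
    """True for the limited broadcast or the directed broadcast of an attached subnet."""
    addr = ipaddress.ip_address(dst)
    if addr == ipaddress.ip_address("255.255.255.255"):
        return True
    return any(addr == iface.network.broadcast_address
               for iface in INTERFACES.values())


def classify_destination(line):
    """Classify a logged packet's destination relative to this host."""
    rec = parse_ipfw_log(line)
    if rec is None:
        return None
    if matches_me(rec["dst"]):
        return "me"
    if is_broadcast(rec["dst"]):
        return "broadcast"
    return "other"


def broadcast_rules(src_net, ports, proto="udp", action="deny"):
    """Companion rules for an '<action> <proto> from <src_net> to me' rule,
    covering the broadcast destinations that 'me' does not match."""
    portlist = ",".join(str(p) for p in ports)
    targets = [str(iface.network.broadcast_address)
               for iface in INTERFACES.values()
               if iface.network.version == 4 and not iface.ip.is_loopback]
    targets.append("255.255.255.255")
    return [f"{action} {proto} from {src_net} to {dst} dst-port {portlist}"
            for dst in targets]


if __name__ == "__main__":
    # The logged packet is a subnet broadcast, so a 'to me' rule does not see it.
    print(classify_destination(SAMPLE_LOG))
    for rule in broadcast_rules("192.168.1.0/24", [137, 138]):
        print(rule)
```

Running it classifies the quoted line as `broadcast` rather than `me`, and prints the extra rules (`deny udp from 192.168.1.0/24 to 192.168.1.255 dst-port 137,138` and the same for 255.255.255.255) that would have to sit next to the original `to me` rule for the NetBIOS broadcasts to be dropped before the logging rule at 65530 catches them.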
