Date:      Tue, 10 Jun 2003 23:31:59 -0500
From:      Dan Nelson <dnelson@allantgroup.com>
To:        Andre Guibert de Bruet <andy@siliconlandmark.com>
Cc:        current@freebsd.org
Subject:   Re: ipfw's "me" keyword
Message-ID:  <20030611043159.GC48233@dan.emsphone.com>
In-Reply-To: <20030611001220.X56112@alpha.siliconlandmark.com>
References:  <20030611001220.X56112@alpha.siliconlandmark.com>

In the last episode (Jun 11), Andre Guibert de Bruet said:
> Hi,
> 
> I've been fooling around a bit with IPFW2 and I came across interesting
> behavior with regards to the "me" keyword. It appears as if smb broadcasts
> (UDP 137,138) do not get matched when denying packets with a rule similar
> to the following:
> deny udp from 192.168.1.0/24 to me dst-port 137,138
> 
> I have a rule right after the one above which logs and I'm getting the
> following in my syslog:
> Jun 11 00:16:04 bling kernel: ipfw: 65530 Reject UDP 192.168.1.40:138 192.168.1.255:138 in via dc0
> 
> Now I realize that the broadcast address doesn't match the network
> card's IP address, which is why the packet isn't getting matched. But
> do we really want this behavior? Don't broadcasts affect all machines
> on the subnet and therefore qualify for "me" matching?

"me" was more designed for allow rules when you have a dynamic IP.  It
lets you set up rules that are guaranteed to work no matter what your
current IP is.  Does this do what you want:

deny udp from 192.168.1.0/24 to any dst-port 137,138 in via dc0


-- 
	Dan Nelson
	dnelson@allantgroup.com
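Added example, not part of the thread: a small Python model of the two deny rules above, showing why "to me" misses the NetBIOS subnet broadcast from the syslog line while "to any ... in via dc0" catches it. The interface address 192.168.1.1 on dc0 and the unicast packet are constructed assumptions.

```python
# Tiny model of ipfw rule matching for the two rules discussed in the thread.
# "me" in ipfw matches only addresses configured on the host's own interfaces,
# so a directed broadcast to 192.168.1.255 is never "me".
import ipaddress
from dataclasses import dataclass

# Constructed host: one interface, dc0, with an assumed address on the LAN.
IFACES = {"dc0": ipaddress.ip_interface("192.168.1.1/24")}


@dataclass
class Packet:
    proto: str
    src: str
    dst: str
    dport: int
    iface: str  # interface the packet arrived on ("in via")


def is_me(dst: str) -> bool:
    """True when dst is one of this host's own interface addresses."""
    return any(dst == str(i.ip) for i in IFACES.values())


def match(rule: dict, pkt: Packet) -> bool:
    """Evaluate one simplified ipfw rule (proto, src net, dst, dst-port, via)."""
    if pkt.proto != rule["proto"]:
        return False
    if ipaddress.ip_address(pkt.src) not in ipaddress.ip_network(rule["src"]):
        return False
    if rule["dst"] == "me" and not is_me(pkt.dst):
        return False
    if rule["dst"] not in ("me", "any") and pkt.dst != rule["dst"]:
        return False
    if pkt.dport not in rule["dports"]:
        return False
    if rule.get("via") and pkt.iface != rule["via"]:
        return False
    return True


# The rule from the original post, and Dan's suggested replacement.
RULE_ME = {"proto": "udp", "src": "192.168.1.0/24", "dst": "me", "dports": {137, 138}}
RULE_ANY = {"proto": "udp", "src": "192.168.1.0/24", "dst": "any", "dports": {137, 138}, "via": "dc0"}

# Packets: the broadcast from the syslog line, plus a constructed unicast one.
BROADCAST = Packet("udp", "192.168.1.40", "192.168.1.255", 138, "dc0")
UNICAST = Packet("udp", "192.168.1.40", "192.168.1.1", 137, "dc0")


def evaluate(pkt: Packet) -> dict:
    """Report which of the two deny rules would match the packet."""
    return {"to me": match(RULE_ME, pkt), "to any in via dc0": match(RULE_ANY, pkt)}


if __name__ == "__main__":
    for name, p in (("broadcast", BROADCAST), ("unicast", UNICAST)):
        print(name, evaluate(p))
```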



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20030611043159.GC48233>