Date: Wed, 11 Jun 2003 01:25:11 -0400 (EDT)
From: Andre Guibert de Bruet <andy@siliconlandmark.com>
To: Dan Nelson <dnelson@allantgroup.com>
Cc: current@freebsd.org
Subject: Re: ipfw's "me" keyword
Message-ID: <20030611012229.Q56112@alpha.siliconlandmark.com>
In-Reply-To: <20030611043159.GC48233@dan.emsphone.com>
References: <20030611001220.X56112@alpha.siliconlandmark.com> <20030611043159.GC48233@dan.emsphone.com>
On Tue, 10 Jun 2003, Dan Nelson wrote:

> In the last episode (Jun 11), Andre Guibert de Bruet said:
> > Now I realize that the broadcast address doesn't match the network
> > card's IP address, which is why the packet isn't getting matched. But
> > do we really want this behavior? Don't broadcasts affect all machines
> > on the subnet and therefore qualify for "me" matching?
>
> "me" was more designed for allow rules when you have a dynamic IP. It
> lets you set up rules that are guaranteed to work no matter what your
> current IP is. Does this do what you want:
>
> deny udp from 192.168.1.0/24 to any dst-port 137,138 in via dc0

I ended up using that exact rule when I realized what was going on; and yes, it does drop the packets as intended.

Andre Guibert de Bruet | Enterprise Software Consultant
Silicon Landmark, LLC.  | http://siliconlandmark.com/
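The point the thread settles is worth seeing on concrete packets: in ipfw, "me" expands to the addresses configured on the host's own interfaces, so a rule written "to me" never matches traffic sent to the subnet broadcast address, and a deny rule built on it silently lets NetBIOS broadcasts (UDP 137/138) through. The following Python model is an added example, not ipfw code and not part of the original thread; it parses the two rule forms discussed above into the small ipfw subset they use and evaluates them against constructed packets. The interface addresses, the sending host 192.168.1.50 and the helper names are assumptions made for the illustration.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed sample of this host's configured interface addresses. In ipfw,
# "me" matches exactly these addresses; broadcast addresses are not among them.
INTERFACE_ADDRS = {
    "dc0": ipaddress.ip_interface("192.168.1.10/24"),
    "lo0": ipaddress.ip_interface("127.0.0.1/8"),
}
ME = {iface.ip for iface in INTERFACE_ADDRS.values()}


@dataclass
class Packet:
    proto: str
    src: str
    dst: str
    dport: int
    direction: str  # "in" or "out"
    via: str        # interface the packet crossed


@dataclass
class Rule:
    action: str
    proto: str
    src: str  # "any", "me", or a CIDR prefix
    dst: str
    dports: Optional[set]
    direction: Optional[str]
    via: Optional[str]


def addr_matches(spec, addr):
    """Model of one ipfw address operand: any / me / CIDR prefix."""
    ip = ipaddress.ip_address(addr)
    if spec == "any":
        return True
    if spec == "me":
        return ip in ME  # configured interface addresses only
    return ip in ipaddress.ip_network(spec, strict=False)


def parse_rule(text):
    """Parse the ipfw subset used in the thread (hypothetical helper):
    <action> <proto> from <src> to <dst> [dst-port p[,p...]] [in|out] [via ifname]"""
    toks = text.split()
    action, proto = toks[0], toks[1]
    if toks[2] != "from" or toks[4] != "to":
        raise ValueError("expected '<action> <proto> from <src> to <dst> ...'")
    src, dst = toks[3], toks[5]
    dports = direction = via = None
    i = 6
    while i < len(toks):
        if toks[i] == "dst-port":
            dports = {int(p) for p in toks[i + 1].split(",")}
            i += 2
        elif toks[i] in ("in", "out"):
            direction = toks[i]
            i += 1
        elif toks[i] == "via":
            via = toks[i + 1]
            i += 2
        else:
            raise ValueError(f"unsupported token {toks[i]!r}")
    return Rule(action, proto, src, dst, dports, direction, via)


def rule_matches(rule, pkt):
    return (rule.proto in ("ip", pkt.proto)
            and addr_matches(rule.src, pkt.src)
            and addr_matches(rule.dst, pkt.dst)
            and (rule.dports is None or pkt.dport in rule.dports)
            and (rule.direction is None or rule.direction == pkt.direction)
            and (rule.via is None or rule.via == pkt.via))


def first_match(rules, pkt, default="allow"):
    """First-match semantics: the action of the first rule that fits wins."""
    for rule in rules:
        if rule_matches(rule, pkt):
            return rule.action
    return default


# Constructed traffic: a NetBIOS name-service broadcast and a directed query.
BROADCAST = Packet("udp", "192.168.1.50", "192.168.1.255", 137, "in", "dc0")
UNICAST = Packet("udp", "192.168.1.50", "192.168.1.10", 137, "in", "dc0")

# The rule that looked natural, and the one Dan suggested in the thread.
ME_RULE = parse_rule("deny udp from any to me dst-port 137,138 in via dc0")
SUBNET_RULE = parse_rule("deny udp from 192.168.1.0/24 to any dst-port 137,138 in via dc0")

if __name__ == "__main__":
    for name, rule in (("me", ME_RULE), ("subnet", SUBNET_RULE)):
        for pkt in (BROADCAST, UNICAST):
            print(f"{name:6} rule, dst {pkt.dst}: {first_match([rule], pkt)}")
```

Running it shows the "me" rule denying only the directed query and passing the broadcast, while the subnet-based rule denies both. The practical check on a real system is the same: after loading a ruleset, generate a broadcast from another host on the segment and confirm with the per-rule counters that the deny rule you expect is the one incrementing.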