ipfw's "me" keyword

Andre Guibert de Bruet andy at siliconlandmark.com
Tue Jun 10 22:25:16 PDT 2003


On Tue, 10 Jun 2003, Dan Nelson wrote:

> In the last episode (Jun 11), Andre Guibert de Bruet said:
> >
> > Now I realize that the broadcast address doesn't match the network
> > card's IP address, which is why the packet isn't getting matched. But
> > do we really want this behavior? Don't broadcasts affect all machines
> > on the subnet and therefore qualify for "me" matching?
>
> "me" was more designed for allow rules when you have a dynamic IP.  It
> lets you set up rules that are guaranteed to work no matter what your
> current IP is.  Does this do what you want:
>
> deny udp from 192.168.1.0/24 to any dst-port 137,138 in via dc0

I ended up using that exact rule when I realized what was going on; and
yes, it does drop the packets as intended.

> Andre Guibert de Bruet | Enterprise Software Consultant >
> Silicon Landmark, LLC. | http://siliconlandmark.com/    >
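To make the behaviour discussed above concrete, here is an added example (not code from the thread or from ipfw itself): a small Python evaluator for the subset of ipfw rule syntax that appears in the messages. It models `me` the way ipfw defines it, as matching only the addresses configured on the host's own interfaces, which in real ipfw come from the kernel; here they are the constructed set `LOCAL_ADDRS`. Running a `deny ... to me` rule and Dan's explicit subnet rule against a constructed NetBIOS broadcast shows why the first falls through while the second drops it. The rule grammar, the `Packet` and `Rule` classes, and the sample packets are all assumptions made for this example.

```python
"""Toy evaluator for a subset of ipfw rule syntax, written to illustrate why
"me" does not match subnet broadcasts. Not ipfw's code; its matching semantics
are modelled only far enough to demonstrate the point."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Set

# Constructed host configuration: the set ipfw's "me" keyword matches, i.e. the
# IP addresses configured on local interfaces. The subnet broadcast address
# 192.168.1.255 is deliberately absent, which is the crux of the thread.
LOCAL_ADDRS = {ipaddress.ip_address("192.168.1.10"),
               ipaddress.ip_address("127.0.0.1")}


@dataclass
class Packet:
    proto: str        # "udp", "tcp", ...
    src: str          # source IP as text
    dst: str          # destination IP as text
    dport: int        # destination port
    direction: str    # "in" or "out"
    iface: str        # interface the packet traverses, e.g. "dc0"


@dataclass
class Rule:
    action: str                 # "allow" or "deny"
    proto: str                  # "udp", "tcp", or "ip"/"all" for any protocol
    src: str                    # "any", "me", address or CIDR
    dst: str
    dports: Set[int]            # empty set means "any port"
    direction: Optional[str]    # None means both directions
    iface: Optional[str]        # None means any interface


def parse_rule(text: str) -> Rule:
    """Parse: <allow|deny> <proto> from <addr> to <addr>
              [dst-port p[,p...]] [in|out] [via <iface>]  (assumed subset)"""
    tok = text.split()
    if len(tok) < 6 or tok[2] != "from" or tok[4] != "to":
        raise ValueError(f"unsupported rule: {text!r}")
    action, proto, src, dst = tok[0], tok[1], tok[3], tok[5]
    dports: Set[int] = set()
    direction = iface = None
    i = 6
    while i < len(tok):
        if tok[i] == "dst-port":
            dports = {int(p) for p in tok[i + 1].split(",")}
            i += 2
        elif tok[i] in ("in", "out"):
            direction = tok[i]
            i += 1
        elif tok[i] == "via":
            iface = tok[i + 1]
            i += 2
        else:
            raise ValueError(f"unsupported token {tok[i]!r}")
    return Rule(action, proto, src, dst, dports, direction, iface)


def addr_matches(spec: str, addr: str) -> bool:
    """'any' matches everything; 'me' matches only LOCAL_ADDRS; else CIDR/host."""
    ip = ipaddress.ip_address(addr)
    if spec == "any":
        return True
    if spec == "me":
        return ip in LOCAL_ADDRS
    return ip in ipaddress.ip_network(spec, strict=False)


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    return (rule.proto in ("ip", "all", pkt.proto)
            and addr_matches(rule.src, pkt.src)
            and addr_matches(rule.dst, pkt.dst)
            and (not rule.dports or pkt.dport in rule.dports)
            and rule.direction in (None, pkt.direction)
            and rule.iface in (None, pkt.iface))


def first_match(rules: List[Rule], pkt: Packet) -> Optional[str]:
    """First-match semantics like ipfw; None means the packet fell through
    to the default rule (whose action depends on the kernel build)."""
    for r in rules:
        if rule_matches(r, pkt):
            return r.action
    return None


# Constructed sample traffic: a NetBIOS name-service broadcast and a unicast
# to this host's own address, both arriving on dc0.
BROADCAST = Packet("udp", "192.168.1.37", "192.168.1.255", 137, "in", "dc0")
UNICAST = Packet("udp", "192.168.1.37", "192.168.1.10", 137, "in", "dc0")

ME_RULE = parse_rule("deny udp from any to me dst-port 137,138 in via dc0")
SUBNET_RULE = parse_rule(
    "deny udp from 192.168.1.0/24 to any dst-port 137,138 in via dc0")

if __name__ == "__main__":
    for name, rule in (("me rule", ME_RULE), ("subnet rule", SUBNET_RULE)):
        print(f"{name}: broadcast -> {first_match([rule], BROADCAST)}, "
              f"unicast -> {first_match([rule], UNICAST)}")
```

The `me` rule only catches the unicast packet, because 192.168.1.255 is not one of the host's configured addresses; the explicit subnet rule catches both, which is why it is the right tool for blocking broadcast NetBIOS noise. The evaluator also illustrates the point Dan makes about dynamic addresses: `me` is evaluated against whatever `LOCAL_ADDRS` holds at match time, so an allow rule written with it keeps working when the address changes.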


More information about the freebsd-current mailing list