"me" in ipfw rules - does it include aliases?

Nikos Vassiliadis nvass9573 at gmx.com
Tue Sep 8 15:13:05 UTC 2009


Tom Worster wrote:
> 
> thanks, nikos.
> 

You're welcome.

> 
> i'm interested in your other comment about the risks of using "me". 

All I am saying is that you have to take care of "attacks" which use "me"
addresses. Packets with source address a "me" address coming from a network
interface, AKA spoofed packets. Apparently a "me" source address cannot
come from a wire[1], right?

It's not a great risk, but you better filter them out. Also, it is very
possible that such attacks are not applicable to your network. Or not.

I am just pointing out the possible false sense of security when
using rules which match "me" addresses. Just be sure that "me"
is really your firewall and not somebody else...

> for the
> best possible security, i'll post my ruleset here for y'all to review ... or
> maybe not :-)

You better not:)

[1] by the word wire, I mean every non-loopback interface

Nikos
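The anti-spoofing rules the post recommends, as an added example that is not part of the thread or of the ipfw documentation. It is a POSIX sh function that prints an ipfw rule fragment rather than installing it, so it can be reviewed (or piped to `sh` as root on a FreeBSD host) without changing the live ruleset. The interface name `em0` and the rule numbers are assumptions. The key point is ordering: loopback is allowed first, because locally generated packets legitimately arrive on lo0 with a "me" source, and only then are inbound packets from any other interface that claim a "me" source dropped. Since "me" matches every address configured on every interface, aliases included, this one rule covers all of them, and only after it is "me" safe to use as a trust anchor in later rules.

```shell
#!/bin/sh
# Added example: ipfw anti-spoofing rules built around the "me" keyword.
# Nothing here is run against the kernel; the function prints the commands.
# EXT_IF is a hypothetical outside interface, used only in the comments
# and in the final stateful rule.
EXT_IF="${EXT_IF:-em0}"

me_antispoof_rules() {
    # 1. Loopback first: "me"-sourced packets are normal on lo0.
    echo "ipfw add 100 allow ip from any to any via lo0"
    # 2. 127/8 must never be seen on a real interface, in either direction.
    echo "ipfw add 110 deny ip from any to 127.0.0.0/8"
    echo "ipfw add 120 deny ip from 127.0.0.0/8 to any"
    # 3. Anything arriving inbound (so, on a non-loopback interface, given
    #    rule 100) with one of our own addresses as source is spoofed.
    #    "me" covers every configured address, aliases included.
    echo "ipfw add 130 deny log ip from me to any in"
    # 4. Only now is "me" a trustworthy anchor for permissive rules.
    echo "ipfw add 200 allow tcp from me to any out via $EXT_IF setup keep-state"
}

# Review helper: returns 0 when the loopback allow precedes the "me" deny,
# i.e. the rule numbers are ordered so loopback traffic is not blocked.
me_rules_ordered() {
    lo_num=$(me_antispoof_rules | grep 'via lo0' | awk '{print $3}')
    me_num=$(me_antispoof_rules | grep 'from me to any in' | awk '{print $3}')
    [ -n "$lo_num" ] && [ -n "$me_num" ] && [ "$lo_num" -lt "$me_num" ]
}

# Review helper: number of rules in the fragment that rely on "me".
me_rule_count() {
    me_antispoof_rules | grep -c ' me '
}

# Print the fragment for inspection when run directly.
me_antispoof_rules
```

To apply on a FreeBSD host you would run the output as root (`sh script.sh | sh`), after checking with `ipfw list` that the chosen rule numbers do not collide with existing rules.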

