"me" in ipfw rules - does it include aliases?
Nikos Vassiliadis
nvass9573 at gmx.com
Tue Sep 8 15:13:05 UTC 2009
Tom Worster wrote:
>
> thanks, nikos.
>
You're welcome.
>
> i'm interested in your other comment about the risks of using "me".
All I am saying is that you have to take care of "attacks" which use "me"
addresses: packets with a "me" source address coming from a network
interface, AKA spoofed packets. Apparently a "me" source address cannot
come from a wire[1], right?
It's not a great risk, but you'd better filter them out. Also, it is very
possible that such attacks are not applicable to your network. Or not.
I am just pointing out the possible false sense of security when
using rules which match "me" addresses. Just be sure that "me"
is really your firewall and not somebody else...
> for the
> best possible security, i'll post my ruleset here for y'all to review ... or
> maybe not :-)
You better not:)
[1] by the word wire, I mean every non-loopback interface
Nikos
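The filtering Nikos recommends, written out as an ipfw rule fragment. This is an added example, not code from the thread or from the FreeBSD rc.firewall script: it allows loopback first (the only place a "me"-sourced packet legitimately arrives), then drops and logs any other inbound packet that claims one of the host's own addresses. FWCMD defaults to echo so the rules can be reviewed as a dry run; the rule numbers and the decision to log are assumptions.

```sh
#!/bin/sh
# Added example (not from the thread): ipfw rules that drop inbound packets
# whose source address is one of this host's own ("me") addresses, i.e. the
# spoofed packets the reply describes. Loopback is allowed first, because
# legitimate "me"-sourced traffic only arrives over lo0.
#
# FWCMD defaults to "echo" so the script can be reviewed as a dry run;
# set FWCMD=/sbin/ipfw on a FreeBSD host to actually load the rules.
FWCMD="${FWCMD:-echo}"

# Emit the anti-spoof rules. The rule numbers are arbitrary, but the block
# must sit before any rule that trusts "me" as a source address.
antispoof_rules() {
    # 1. Loopback traffic carries "me" addresses legitimately.
    $FWCMD add 100 allow ip from any to any via lo0
    # 2. Nothing else may use 127/8 in either direction.
    $FWCMD add 110 deny ip from any to 127.0.0.0/8
    $FWCMD add 120 deny ip from 127.0.0.0/8 to any
    # 3. Any other inbound packet claiming one of our own addresses is spoofed.
    #    "in" matches the inbound direction; after rule 100 only packets from
    #    non-loopback interfaces reach this rule. "log" makes attempts visible
    #    in the ipfw log so the attacks are not silently dropped.
    $FWCMD add 130 deny log ip from me to any in
}

# Count the emitted rules that reference "me", so a reviewer of the dry run
# can confirm the anti-spoof rule is present exactly once.
count_me_rules() {
    antispoof_rules | grep -c ' from me '
}

antispoof_rules
```

Run it as-is to see the rules it would load; place the generated block ahead of any `allow ... from me` rules in the real ruleset, since ipfw matches first rule wins.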