In the last episode (Jun 11), Andre Guibert de Bruet said:
> Hi,
>
> I've been fooling around a bit with IPFW2 and I came across interesting
> behavior with regards to the "me" keyword. It appears as if smb broadcasts
> (UDP 137,138) do not get matched when denying packets with a rule similar
> to the following:
> deny udp from 192.168.1.0/24 to me dst-port 137,138
>
> I have a rule right after the one above which logs and I'm getting the
> following in my syslog:
> Jun 11 00:16:04 bling kernel: ipfw: 65530 Reject UDP 192.168.1.40:138 192.168.1.255:138 in via dc0
>
> Now I realize that the broadcast address doesn't match the network
> card's IP address, which is why the packet isn't getting matched. But
> do we really want this behavior? Don't broadcasts affect all machines
> on the subnet and therefore qualify for "me" matching?

"me" was more designed for allow rules when you have a dynamic IP. It lets
you set up rules that are guaranteed to work no matter what your current IP
is. Does this do what you want:

deny udp from 192.168.1.0/24 to any dst-port 137,138 in via dc0

-- 
Dan Nelson
dnelson_at_allantgroup.com

Received on Tue Jun 10 2003 - 19:32:00 UTC
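Added example (not part of the thread, and not ipfw's own code): a toy evaluator for the subset of ipfw2 rule syntax used above, modelling "me" as the set of addresses configured on the host's interfaces. It assumes a single hypothetical interface dc0 holding 192.168.1.40 and replays the logged NetBIOS broadcast to show why the "to me" rule misses it while the "to any ... in via dc0" rule catches it.

```python
"""Simplified model of ipfw2 matching for the rules discussed in the thread."""
import ipaddress

# Constructed host: one interface, dc0, with one address (hypothetical).
# In ipfw, "me" matches any address configured on the host's interfaces,
# so a subnet broadcast such as 192.168.1.255 is never part of that set.
LOCAL_ADDRS = {"dc0": ipaddress.ip_address("192.168.1.40")}

def parse_rule(text):
    """Parse 'ACTION PROTO from SRC to DST [dst-port P,P] [in|out] [via IFACE]'."""
    tok = text.split()
    rule = {"action": tok[0], "proto": tok[1], "src": tok[3], "dst": tok[5],
            "ports": None, "dir": None, "via": None}
    i = 6
    while i < len(tok):
        if tok[i] == "dst-port":
            rule["ports"] = {int(p) for p in tok[i + 1].split(",")}
            i += 2
        elif tok[i] in ("in", "out"):
            rule["dir"] = tok[i]
            i += 1
        elif tok[i] == "via":
            rule["via"] = tok[i + 1]
            i += 2
        else:
            raise ValueError("unsupported token: " + tok[i])
    return rule

def addr_matches(spec, addr):
    """'any' matches everything, 'me' only local addresses, else a CIDR/host."""
    addr = ipaddress.ip_address(addr)
    if spec == "any":
        return True
    if spec == "me":
        return addr in LOCAL_ADDRS.values()
    return addr in ipaddress.ip_network(spec, strict=False)

def rule_matches(rule, pkt):
    """pkt keys: proto, src, dst, dport, dir, iface."""
    return (rule["proto"] == pkt["proto"]
            and addr_matches(rule["src"], pkt["src"])
            and addr_matches(rule["dst"], pkt["dst"])
            and (rule["ports"] is None or pkt["dport"] in rule["ports"])
            and (rule["dir"] is None or rule["dir"] == pkt["dir"])
            and (rule["via"] is None or rule["via"] == pkt["iface"]))

# The packet from the syslog line in the thread (NetBIOS datagram broadcast)
# and a constructed unicast variant addressed to the host itself.
BROADCAST_PKT = {"proto": "udp", "src": "192.168.1.40", "dst": "192.168.1.255",
                 "dport": 138, "dir": "in", "iface": "dc0"}
UNICAST_PKT = dict(BROADCAST_PKT, dst="192.168.1.40")

ME_RULE = parse_rule("deny udp from 192.168.1.0/24 to me dst-port 137,138")
ANY_RULE = parse_rule("deny udp from 192.168.1.0/24 to any dst-port 137,138 in via dc0")
```

The real ipfw has more keywords than this parser accepts; the point is only that the destination 192.168.1.255 is the /24's broadcast address, which is not an interface address and so falls outside "me".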