A way to disable reception of broadcast UDP?
Ian Smith
smithi at nimnet.asn.au
Wed Oct 11 07:32:08 PDT 2006
On Wed, 11 Oct 2006, Yar Tikhiy wrote:
> On Wed, Oct 11, 2006 at 11:07:36PM +1000, Ian Smith wrote:
> > On Wed, 11 Oct 2006, Yar Tikhiy wrote:
> >
> > > Is there a well-known way for a UDP application to tell the
> > > system that it doesn't want to receive broadcast datagrams? E.g.,
> > > it would be very good for TFTP as required by RFC 1123. In general,
> > > accepting broadcast UDP is a security flaw unless the higher proto
> > > was specifically designed to work with broadcast.
> >
> > I know this doesn't address your question regarding the stack, but you
> > could immediately benefit by having a firewall rule dropping all IP
> > traffic on the broadcast address (and the network address) via the
> > outside interface. Working here since '98, counting plenty of them.
> >
> > If you also wanted to limit UDP on the inside, that's just as easy.
>
> Thanks for your comment! However, there are many kinds of broadcast
> or multicast traffic that can be coming to a UDP app from the outside
> or a connected network. Those include datagrams destined to broadcast
> address for any IP alias on this host, should the aliases belong
> to different IP networks, all multicast groups this host has joined,
> etc. All of them can be (and are!) distinguished internally by the
> local stack with M_MCAST and M_BCAST mbuf flags. This information
> can be hard to maintain on the border router for a large network,
> and it's lost when passing network data to the application. That
> was my point.
And for once I'd thought I wasn't too far out of my depth :)
> In addition, I think that filtering broadcasts on the border router
> is a bit redundant today because modern network stacks just drop
> directed broadcasts. Local broadcast or multicast traffic is the
> main problem here.
Thanks for the education. Back to lurking, awaiting a learned response.
Cheers, Ian
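One user-space approximation of what the thread asks for, added here as an example that is not from this thread or from FreeBSD itself: have the stack report each datagram's destination address (IP_RECVDSTADDR on BSD, IP_PKTINFO on Linux) and discard broadcast and multicast deliveries before the application acts on them. As Yar notes, the M_BCAST/M_MCAST flags are not exported, so the application still has to know its own interfaces' broadcast addresses; the should_drop, extract_dst and serve names and the caller-supplied ifbcast value are this example's own.

```c
#define _GNU_SOURCE
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdint.h>
#include <string.h>
#include <sys/socket.h>

/* Option that makes the stack report each datagram's destination address. */
#if defined(IP_RECVDSTADDR)
#define DST_OPT IP_RECVDSTADDR /* BSD */
#else
#define DST_OPT IP_PKTINFO     /* Linux */
#endif
/* Drop policy (host byte order): limited broadcast, this interface's
 * directed broadcast (ifbcast), or any multicast group. */
int should_drop(uint32_t dst, uint32_t ifbcast) {
    return dst == INADDR_BROADCAST || dst == ifbcast || IN_MULTICAST(dst);
}
/* Pull the header destination (network byte order) out of recvmsg()
 * ancillary data. Returns 1 when found, 0 when the option was not set. */
int extract_dst(struct msghdr *msg, struct in_addr *dst) {
    for (struct cmsghdr *c = CMSG_FIRSTHDR(msg); c; c = CMSG_NXTHDR(msg, c)) {
        if (c->cmsg_level != IPPROTO_IP) continue;
#if defined(IP_RECVDSTADDR)
        if (c->cmsg_type == IP_RECVDSTADDR) {
            memcpy(dst, CMSG_DATA(c), sizeof *dst); return 1;
        }
#endif
#if defined(IP_PKTINFO)
        if (c->cmsg_type == IP_PKTINFO) { /* ipi_addr = header destination */
            *dst = ((struct in_pktinfo *)CMSG_DATA(c))->ipi_addr; return 1;
        }
#endif
    }
    return 0;
}
/* Receive loop for a bound UDP socket; ifbcast is assumed to come from getifaddrs(). */
int serve(int fd, uint32_t ifbcast) {
    int on = 1;
    if (setsockopt(fd, IPPROTO_IP, DST_OPT, &on, sizeof on) < 0) return -1;
    for (;;) {
        char data[1500], ctrl[64];
        struct iovec iov = { data, sizeof data };
        struct msghdr msg = { .msg_iov = &iov, .msg_iovlen = 1,
                              .msg_control = ctrl, .msg_controllen = sizeof ctrl };
        struct in_addr dst;
        if (recvmsg(fd, &msg, 0) < 0) return -1;
        if (!extract_dst(&msg, &dst) || should_drop(ntohl(dst.s_addr), ifbcast))
            continue; /* silently ignore, as RFC 1123 requires of TFTP */
    }
}
```

A datagram that passes the check is a unicast one and is left in data[] for the application to handle.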