A way to disable reception of broadcast UDP?

Ian Smith smithi at nimnet.asn.au
Wed Oct 11 07:32:08 PDT 2006


On Wed, 11 Oct 2006, Yar Tikhiy wrote:
 > On Wed, Oct 11, 2006 at 11:07:36PM +1000, Ian Smith wrote:
 > > On Wed, 11 Oct 2006, Yar Tikhiy wrote:
 > > 
 > >  > Is there a well-known way for a UDP application to tell to the
 > >  > system that it doesn't want to receive broadcast datagrams?  E.g.,
 > >  > it would be very good for TFTP as required by RFC 1123.  In general,
 > >  > accepting broadcast UDP is a security flaw unless the higher proto
 > >  > was specifically designed to work with broadcast.
 > > 
 > > I know this doesn't address your question regarding the stack, but you
 > > could immediately benefit by having a firewall rule dropping all IP
 > > traffic on the broadcast address (and the network address) via the
 > > outside interface.  Working here since '98, counting plenty of them.
 > > 
 > > If you also wanted to limit UDP on the inside, that's just as easy.
 > 
 > Thanks for your comment!  However, there are many kinds of broadcast
 > or multicast traffic that can be coming to a UDP app from the outside
 > or a connected network.  Those include datagrams destined to broadcast
 > address for any IP alias on this host, should the aliases belong
 > to different IP networks, all multicast groups this host has joined,
 > etc.  All of them can be (and are!) distinguished internally by the
 > local stack with M_MCAST and M_BCAST mbuf flags.  This information
 > can be hard to maintain on the border router for a large network,
 > and it's lost when passing network data to the application.  That
 > was my point.

And for once I'd thought I wasn't too far out of my depth :)

 > In addition, I think that filtering broadcasts on the border router
 > is a bit redundant today because modern network stacks just drop
 > directed broadcasts.  Local broadcast or multicast traffic is the
 > main problem here.

Thanks for the education. Back to lurking, awaiting a learned response.

Cheers, Ian
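As an added illustration from a defender's side (not code from this thread, nor from FreeBSD itself), the C below shows one way an application can get back the information Yar says is lost on the way to userland: it asks the kernel for each datagram's IP destination address as ancillary data (IP_RECVDSTADDR on FreeBSD, IP_PKTINFO on Linux) and refuses datagrams addressed to the limited broadcast address, any multicast group, or the directed broadcast address of one of the host's interfaces as listed by getifaddrs(). Enabling the matching socket option before binding is assumed to be done by the caller, and the ifaddrs entry in the self-check helper is a constructed one.

```c
#define _GNU_SOURCE
#include <stdbool.h>
#include <arpa/inet.h>
#include <ifaddrs.h>
#include <net/if.h>
#include <netinet/in.h>
#include <sys/socket.h>

/* True if dst is limited broadcast, IPv4 multicast, or the directed broadcast
 * address of an interface in ifs (normally the list returned by getifaddrs()). */
bool is_bcast_or_mcast(struct in_addr dst, const struct ifaddrs *ifs) {
    uint32_t a = ntohl(dst.s_addr);
    if (a == INADDR_BROADCAST || IN_MULTICAST(a)) return true;
    for (const struct ifaddrs *p = ifs; p; p = p->ifa_next) {
        if (!p->ifa_addr || p->ifa_addr->sa_family != AF_INET) continue;
        if (!(p->ifa_flags & IFF_BROADCAST) || !p->ifa_broadaddr) continue;
        if (((struct sockaddr_in *)p->ifa_broadaddr)->sin_addr.s_addr == dst.s_addr) return true;
    }
    return false;
}

/* Receive one datagram and recover its IP destination address from ancillary data
 * (IP_RECVDSTADDR on FreeBSD, IP_PKTINFO on Linux; the socket option must already
 * be enabled by the caller). Returns the payload length, or -1 on error. */
ssize_t recv_with_dst(int fd, void *buf, size_t len, struct in_addr *dst) {
    char cbuf[64];
    struct iovec iov = { buf, len };
    struct msghdr msg = { .msg_iov = &iov, .msg_iovlen = 1, .msg_control = cbuf, .msg_controllen = sizeof cbuf };
    ssize_t n = recvmsg(fd, &msg, 0);
    if (n < 0) return -1;
    dst->s_addr = htonl(INADDR_ANY);           /* "unknown" if no ancillary data arrived */
    for (struct cmsghdr *c = CMSG_FIRSTHDR(&msg); c; c = CMSG_NXTHDR(&msg, c)) {
        if (c->cmsg_level != IPPROTO_IP) continue;
#ifdef IP_RECVDSTADDR
        if (c->cmsg_type == IP_RECVDSTADDR) *dst = *(struct in_addr *)CMSG_DATA(c);
#endif
#ifdef IP_PKTINFO
        if (c->cmsg_type == IP_PKTINFO) *dst = ((struct in_pktinfo *)CMSG_DATA(c))->ipi_addr;
#endif
    }
    return n;
}

/* Self-check with a constructed single-interface ifaddrs list whose broadcast address is bcast_text. */
bool refuses(const char *dst_text, const char *bcast_text) {
    struct sockaddr_in dst = { .sin_family = AF_INET }, bc = dst;
    struct ifaddrs ifa = { .ifa_flags = IFF_BROADCAST, .ifa_addr = (struct sockaddr *)&bc };
    ifa.ifa_broadaddr = (struct sockaddr *)&bc;   /* macro on Linux, so set outside the initializer */
    inet_pton(AF_INET, dst_text, &dst.sin_addr);
    inet_pton(AF_INET, bcast_text, &bc.sin_addr);
    return is_bcast_or_mcast(dst.sin_addr, &ifa);
}
```

A service's receive loop would call recv_with_dst() and drop (or log) any datagram for which is_bcast_or_mcast() is true; aliases on other IP networks are covered automatically because their broadcast addresses come from the same getifaddrs() list.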
