firewalling broadcast and multicast packets

Gerrit Kühn gerrit at pmp.uni-hannover.de
Wed Jun 23 07:59:52 UTC 2010


Hi all,

I just tried to block multicast and broadcast packets on a transparent
bridge with pf by filtering on one of the physical interfaces like this:

table <no_route> persist {10.117.255.255/32}
netbios = "netbios-ns, netbios-dgm, netbios-ssn, mdns, ipp"
block quick on $ext_if proto ipv6
block quick on $ext_if proto udp from any port { $netbios }
block quick on $ext_if proto udp to any port { $netbios }
block quick on $ext_if inet from any to <no_route>


However, the packets are still passing the bridge as can be seen with
tcpdump on the internal interface:

09:36:39.167995 IP newprintserver.fqdn-omitted.ipp >
10.117.255.255.ipp: UDP, length 94

Kernel settings are like this:

net.link.bridge.ipfw: 0
net.link.bridge.inherit_mac: 0
net.link.bridge.log_stp: 0
net.link.bridge.pfil_local_phys: 1
net.link.bridge.pfil_member: 1
net.link.bridge.pfil_bridge: 1
net.link.bridge.ipfw_arp: 0
net.link.bridge.pfil_onlyip: 1


I am using a recent 8.1-prerelease. Before I start putting more time into
solving this problem, I just wanted to ask here whether this is supposed to work
at all, or whether I am doing something terribly wrong from the beginning.


cu
  Gerrit


More information about the freebsd-net mailing list