IPFW rules

Saint Aardvark the Carpeted aardvark at saintaardvarkthecarpeted.com
Tue Feb 17 20:50:28 PST 2004

Peter Rosa disturbed my sleep to write:
> please what's the difference between these ipfw rules:
> ${fwcmd} add 63000 deny ip from any to in via ${oif}

This denies broadcasts coming in to your machine through the outside
interface.  The rule number is specified here, and it's rather high; if
it's not stopping the traffic you think it should, there may be another
rule earlier that's allowing it through.  

I'm not certain, but I think the address "" means
"anything ending in .255" -- the part after the colon is a netmask, and
for ipfw it means "only the last byte of the address needs to match".
This would catch a broadcast going to your local network if it was a /24.
For example, if your local network was ("/24" is the
same netmask as, then this rule would stop broadcasts on
that network (going to  It would *not* stop broadcasts
if you had a smaller or larger netmask, where the broadcast address
didn't end in .255.

> ${fwcmd} add deny all from any to

This denies broadcasts going in any direction (from or to your machine),
no matter what the interface.  The address specified is different from
the first -- it's, and the whole address needs to match.
Usually you'd see this address when the host is trying to figure out
its IP address -- during DHCP requests, say.

Hope that helps,
Saint Aardvark the Carpeted
aardvark at saintaardvarkthecarpeted.com
Because the plural of Anecdote is Myth.

More information about the freebsd-questions mailing list
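The two behaviours described in the reply (a high-numbered, interface-scoped deny that an earlier rule can shadow, versus an addr:mask match that only compares the masked bits) can be checked without a FreeBSD box. The following is an added example, not code from the post or from FreeBSD's rc.firewall: a small Python model of ipfw's first-match evaluation and its "any", "host", "addr/len" and "addr:mask" address terms. The interface name fxp0, the rule numbers other than 63000, the shadowing allow rule, the trailing allow at 65000 and the concrete addresses (0.0.0.255:0.0.0.255 for "ends in .255", 255.255.255.255 for the limited broadcast) are all assumptions for illustration, since the original addresses did not survive in the archived message.

```python
"""Model of ipfw first-match evaluation and addr:mask matching.

Added example, not from the mailing-list post. Interface names, rule numbers
other than 63000 and the concrete addresses are assumed for illustration.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


def ip_int(text: str) -> int:
    return int(ipaddress.IPv4Address(text))


@dataclass(frozen=True)
class AddrSpec:
    """One address term of a rule: 'any', 'a.b.c.d', 'a.b.c.d/len' or 'a.b.c.d:mask'."""
    base: int
    mask: int

    @classmethod
    def parse(cls, text: str) -> "AddrSpec":
        if text == "any":
            return cls(0, 0)                       # mask 0: every address matches
        if ":" in text:                            # ipfw addr:mask, mask as dotted quad
            base, mask = text.split(":", 1)
            m = ip_int(mask)
            return cls(ip_int(base) & m, m)
        if "/" in text:                            # CIDR prefix, e.g. /24
            net = ipaddress.IPv4Network(text, strict=False)
            return cls(int(net.network_address), int(net.netmask))
        return cls(ip_int(text), 0xFFFFFFFF)       # plain host: all 32 bits must match

    def matches(self, addr: str) -> bool:
        # ipfw semantics: AND the packet address with the mask, compare to the base
        return (ip_int(addr) & self.mask) == self.base


@dataclass(frozen=True)
class Rule:
    number: int
    action: str                # "allow" or "deny"
    src: AddrSpec
    dst: AddrSpec
    direction: Optional[str]   # "in", "out" or None (either direction)
    via: Optional[str]         # interface name or None (any interface)


def parse_rule(number: int, text: str) -> Rule:
    """Parse the subset 'ACTION PROTO from SRC to DST [in|out] [via IFACE]'."""
    words = text.split()
    src = AddrSpec.parse(words[words.index("from") + 1])
    dst = AddrSpec.parse(words[words.index("to") + 1])
    direction = next((w for w in words if w in ("in", "out")), None)
    via = words[words.index("via") + 1] if "via" in words else None
    return Rule(number, words[0], src, dst, direction, via)


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    direction: str   # "in" or "out"
    iface: str


class Firewall:
    DEFAULT_RULE = 65535   # ipfw's fixed last rule; deny unless the kernel defaults to accept

    def __init__(self) -> None:
        self.rules: List[Rule] = []

    def add(self, number: int, text: str) -> None:
        self.rules.append(parse_rule(number, text))
        self.rules.sort(key=lambda r: r.number)   # ipfw orders by number, not by insertion

    def check(self, pkt: Packet) -> Tuple[int, str]:
        """Return (rule number, action) of the first matching rule, as ipfw would."""
        for r in self.rules:
            if r.direction and r.direction != pkt.direction:
                continue
            if r.via and r.via != pkt.iface:
                continue
            if r.src.matches(pkt.src) and r.dst.matches(pkt.dst):
                return r.number, r.action
        return self.DEFAULT_RULE, "deny"


def build(shadowing_allow: bool) -> Firewall:
    """Ruleset with the two rule forms from the post; optionally an earlier allow that hides 63000."""
    fw = Firewall()
    if shadowing_allow:
        fw.add(100, "allow ip from any to any")                 # assumed earlier rule
    # assumed address term: ends-in-.255 via addr:mask, outside interface assumed to be fxp0
    fw.add(63000, "deny ip from any to 0.0.0.255:0.0.0.255 in via fxp0")
    # the unnumbered rule from the post; ipfw would auto-number it after 63000
    fw.add(63100, "deny all from any to 255.255.255.255")
    fw.add(65000, "allow ip from any to any")                   # assumed catch-all
    return fw


if __name__ == "__main__":
    for shadow in (True, False):
        fw = build(shadowing_allow=shadow)
        print("shadowing allow" if shadow else "no shadowing allow")
        print("  /24 broadcast in via fxp0 :", fw.check(Packet("10.0.0.5", "192.168.1.255", "in", "fxp0")))
        print("  /24 broadcast out via fxp0:", fw.check(Packet("192.168.1.7", "192.168.1.255", "out", "fxp0")))
        print("  /25 broadcast in via fxp0 :", fw.check(Packet("10.0.0.5", "192.168.1.127", "in", "fxp0")))
        print("  limited bcast out via xl0 :", fw.check(Packet("0.0.0.0", "255.255.255.255", "out", "xl0")))
```

With the assumed allow at 100 in place, an inbound 192.168.1.255 packet on fxp0 is accepted by rule 100 and never reaches 63000, which is the "another rule earlier" case the reply warns about. Without it, 63000 denies that packet, but the same destination leaving through fxp0 or a /25 broadcast to 192.168.1.127 falls through to the catch-all, while 255.255.255.255 is denied regardless of direction or interface.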