ipfw matching traffic to broadcast (

Shane Ambler FreeBSD at ShaneWare.Biz
Tue Sep 15 08:02:59 UTC 2020

On 12/9/20 7:07 am, Kevin Oberman wrote:
> I am seeing traffic from my cell phone to the broadcast address that I
> would like to block. I added a rule:
> 3220 deny udp from 9050 to any
> It shows no packets ever match even though I see many logged by my catch-all
> rule: 5999 deny log udp from any to any
> ipfw: 5999 Deny UDP in via wlan0
> Why is the 3220 rule not matching the packets I see logged by 3220?

While man ipfw says that "'any' matches any IP address", you should
note that a broadcast address is a special IP address which means every
IP in the subnet.

I had trouble getting a minidlna server to respond on my home network.
The DLNA client broadcasts on a UDP port to discover servers; to get it
through my firewall I needed to specifically allow packets to the
broadcast address rather than to any.

This worked for me -

ipfw add 5880 pass udp from any to dst-port 1900

So try

ipfw add 3220 deny udp from 9050 to 9050

or to account for dynamic addresses

ipfw add 3220 deny udp from any to 9050

FreeBSD - the place to B...Silencing Data

Shane Ambler
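
Added example, not part of the original message and not code from the ipfw project: a small triage script that reads ipfw log lines like the one quoted above and reports whether each logged destination is the limited broadcast, the subnet's directed broadcast, multicast or unicast, so the address to write in a rule can be read off the log. The log line layout, the 192.0.2.0/24 subnet, the sample lines and the function names are assumptions made for the illustration.

```python
import ipaddress
import re
from collections import Counter

# Assumed layout of an ipfw log line: rule number, action, protocol,
# src:port, dst:port, direction, interface.
LOG_RE = re.compile(
    r"ipfw: (?P<rule>\d+) (?P<action>\w+) (?P<proto>\w+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"(?P<dir>in|out) via (?P<iface>\S+)"
)

def classify_dst(dst, local_net):
    """Return the kind of destination a logged packet was sent to."""
    addr = ipaddress.ip_address(dst)
    net = ipaddress.ip_network(local_net)
    if addr == ipaddress.ip_address("255.255.255.255"):
        return "limited-broadcast"
    if addr == net.broadcast_address:
        return "directed-broadcast"
    if addr.is_multicast:
        return "multicast"
    return "unicast"

def summarize(lines, local_net):
    """Count logged packets per (rule, dst kind, dst address, dst port)."""
    counts = Counter()
    for line in lines:
        m = LOG_RE.search(line)
        if not m:
            continue  # not an ipfw packet log line
        kind = classify_dst(m["dst"], local_net)
        counts[(int(m["rule"]), kind, m["dst"], int(m["dport"]))] += 1
    return counts

# Constructed sample lines (documentation addresses, not from the thread).
SAMPLE = [
    "kernel: ipfw: 5999 Deny UDP 192.0.2.23:9050 192.0.2.255:9050 in via wlan0",
    "kernel: ipfw: 5999 Deny UDP 192.0.2.23:9050 192.0.2.255:9050 in via wlan0",
    "kernel: ipfw: 5999 Deny UDP 192.0.2.23:9050 255.255.255.255:9050 in via wlan0",
    "kernel: ipfw: 5999 Deny UDP 192.0.2.40:1900 239.255.255.250:1900 in via wlan0",
    "kernel: ipfw: 5999 Deny UDP 192.0.2.40:5353 192.0.2.10:5353 in via wlan0",
]

if __name__ == "__main__":
    for key, n in sorted(summarize(SAMPLE, "192.0.2.0/24").items()):
        print(n, *key)
```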
