ipfw matching traffic to broadcast (255.255.255.255)

Kevin Oberman rkoberman at gmail.com
Fri Sep 18 05:07:31 UTC 2020


On Tue, Sep 15, 2020 at 1:02 AM Shane Ambler <FreeBSD at shaneware.biz> wrote:

> On 12/9/20 7:07 am, Kevin Oberman wrote:
> > I am seeing traffic from my cell phone to the broadcast address that I
> > would like to block. I added a rule:
> > 3220 deny udp from 192.168.1.18 9050 to any
> > It shows no packet ever matching even though I see many logged by my
> > catch-all
> > rule: 5999 deny log udp from any to any
> > ipfw: 5999 Deny UDP 192.168.1.18:9050 255.255.255.255:9050 in via wlan0
> >
> > Why is the 3220 rule not matching the packets I see logged by 3220?
>
> While man ipfw says that " 'any' matches any IP address", you should
> note that a broadcast address is a special IP address which means every
> IP in the subnet.
>
> I had trouble getting a minidlna server to respond on my home network,
> the dlna client broadcasts on a udp port to discover servers, to get it
> through my firewall I needed to specifically allow packets to the
> broadcast address rather than to any.
>
> This worked for me -
>
> ipfw add 5880 pass udp from any to 239.255.255.250 dst-port 1900
>
> So try
>
> ipfw add 3220 deny udp from 192.168.1.18 9050 to 255.255.255.255 9050
>
> or to account for dynamic addresses
>
> ipfw add 3220 deny udp from any to 255.255.255.255 9050
>
> --
> FreeBSD - the place to B...Silencing Data
>
> Shane Ambler
>
Yes, this is exactly how I resolved the issue. Actually, I used "ipfw add
3220 deny udp from 192.168.1.18 9050 to 255.255.255.255". Works fine. Maybe
a small update to the doc would be in order.
--
Kevin Oberman, Part time kid herder and retired Network Engineer
E-mail: rkoberman at gmail.com
PGP Fingerprint: D03FB98AFA78E3B78C1694B318AB39EF1B055683
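The log line quoted above ("ipfw: 5999 Deny UDP 192.168.1.18:9050 255.255.255.255:9050 in via wlan0") is the only evidence in the thread of what the firewall actually saw, and tallying such lines by rule number and destination type is how one checks whether a new rule is catching the broadcast traffic it was written for. The following is an added example, not code from the thread or from FreeBSD; it assumes the log format shown in the message and a home subnet of 192.168.1.0/24, and all sample lines are constructed.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample lines in the ipfw log format quoted in the thread (not real captures).
SAMPLE_LOG = """\
ipfw: 5999 Deny UDP 192.168.1.18:9050 255.255.255.255:9050 in via wlan0
ipfw: 5999 Deny UDP 192.168.1.18:9050 255.255.255.255:9050 in via wlan0
ipfw: 5880 Accept UDP 192.168.1.20:49152 239.255.255.250:1900 in via wlan0
ipfw: 5999 Deny UDP 192.168.1.18:5353 192.168.1.255:5353 in via wlan0
ipfw: 5999 Deny TCP 192.168.1.30:51000 93.184.216.34:443 out via em0
"""

# Fields of an IPv4 ipfw log line: rule number, action, protocol, src:port, dst:port, direction, interface.
LOG_RE = re.compile(
    r"ipfw:\s+(?P<rule>\d+)\s+(?P<action>\w+)\s+(?P<proto>\w+)\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s+(?P<dst>[\d.]+):(?P<dport>\d+)\s+"
    r"(?P<dir>in|out)\s+via\s+(?P<iface>\S+)"
)


def parse_line(line):
    """Return a dict of fields for one ipfw log line, or None if it does not match the format."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    for key in ("rule", "sport", "dport"):
        rec[key] = int(rec[key])
    return rec


def dst_kind(dst, local_net="192.168.1.0/24"):
    """Classify a destination address: limited broadcast, directed broadcast of local_net, multicast, or unicast."""
    addr = ipaddress.ip_address(dst)
    net = ipaddress.ip_network(local_net)
    if addr == ipaddress.ip_address("255.255.255.255"):
        return "limited-broadcast"
    if addr == net.broadcast_address:
        return "directed-broadcast"
    if addr.is_multicast:
        return "multicast"
    return "unicast"


def summarize(log_text, local_net="192.168.1.0/24"):
    """Count log lines by (rule number, destination kind); unparseable lines are skipped."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        counts[(rec["rule"], dst_kind(rec["dst"], local_net))] += 1
    return counts


if __name__ == "__main__":
    for (rule, kind), n in sorted(summarize(SAMPLE_LOG).items()):
        print(f"rule {rule:5d}  {kind:18s} {n}")
```

Feeding the real /var/log/security lines through `summarize` before and after adding rule 3220 makes the effect visible: the limited-broadcast count should move from the catch-all rule 5999 to 3220. Only rules carrying the `log` keyword appear in the log, so a deny rule without `log` that does match will show up as the disappearance of lines rather than as new ones.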