From owner-freebsd-security Tue Feb 29 0:17:48 2000
Delivered-To: freebsd-security@freebsd.org
Received: from gndrsh.dnsmgr.net (GndRsh.dnsmgr.net [198.145.92.4]) by hub.freebsd.org (Postfix) with ESMTP id 986F637BA91 for ; Tue, 29 Feb 2000 00:17:44 -0800 (PST) (envelope-from freebsd@gndrsh.dnsmgr.net)
Received: (from freebsd@localhost) by gndrsh.dnsmgr.net (8.9.3/8.9.3) id AAA81399; Tue, 29 Feb 2000 00:14:45 -0800 (PST) (envelope-from freebsd)
From: "Rodney W. Grimes"
Message-Id: <200002290814.AAA81399@gndrsh.dnsmgr.net>
Subject: Re: ipfw log accounting
In-Reply-To: <200002290343.TAA07654@cwsys.cwsent.com> from Cy Schubert - ITSD Open Systems Group at "Feb 28, 2000 07:42:42 pm"
To: Cy.Schubert@uumail.gov.bc.ca (Cy Schubert - ITSD Open Systems Group)
Date: Tue, 29 Feb 2000 00:14:44 -0800 (PST)
Cc: cjclark@home.com, lev@imc.macro.ru (Lev Serebryakov), freebsd-security@FreeBSD.ORG (All)
X-Mailer: ELM [version 2.4ME+ PL54 (25)]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

> In message <20000228215904.B31743@cc942873-a.ewndsr1.nj.home.com>, "Crist J. Clark" writes:
> > On Tue, Feb 29, 2000 at 01:46:53AM +0300, Lev Serebryakov wrote:
> > [snip]
> > > And one more question:
> > > How could I write a rule which skips all broadcast traffic? My
> > > computer is on a big provider's net, and there is more than one
> > > broadcast address (many subnets on one wire)...
> >
> > Never tried this and haven't glanced at the source to see if it has a
> > chance of working, but _theoretically_ is there a reason that,
> >
> > deny ip from 0.0.0.255:0.0.0.255 to any
> >
> > A "reversed" netmask won't work?
>
> Been there, done that. This works using either IPFW or IP Filter;
> however, you'll want to code it as the following, as the destination is
> the broadcast address:

Actually you need to be a bit selective: your host is going to have a
real hard time doing ARPs if you block all broadcast packets. Make
sure you have a directly connected, network-specific ``allow'' of
broadcast destinations.

Also, you really do want to block source broadcast address packets too;
they are often abused by attacks. Ping with src address = bcast and
watch all the ICMP fly when the echo reply goes back to the bcast
address (needs a broken host that will do this on the network) :-(.

> deny ip from any to 0.0.0.255:0.0.0.255
>
> Or if you use IP Filter,
>
> block in on xl0 from any to 0.0.0.255:0.0.0.255

And do add:

deny ip from 0.0.0.255:0.0.0.255 to any

--
Rod Grimes - KD7CAX @ CN85sl - (RWG25)             rgrimes@gndrsh.dnsmgr.net

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
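An added example, not part of the thread: a small Python model of how ipfw matches the `addr:mask` form discussed above (a raw bitmask, unlike `/bits`) and of first-match rule order, run over a constructed ruleset that follows Rod's advice. The directly connected network 192.0.2.0/24 and the `default` action standing in for the rest of the ruleset are assumptions.

```python
import ipaddress

# Model of ipfw "addr:mask" matching: a packet address matches when
# (pkt & mask) == (rule_addr & mask). The mask is applied as a raw bitmask,
# so the "reversed" mask 0.0.0.255 matches every address whose last octet
# is 255, whatever subnet it belongs to.
def parse_addr(spec: str):
    """Return (addr, mask) as ints for 'any', 'a.b.c.d', 'a.b.c.d/n' or 'a.b.c.d:m.m.m.m'."""
    if spec == "any":
        return 0, 0                      # mask 0 matches everything
    if ":" in spec:
        addr, mask = spec.split(":")
        return int(ipaddress.IPv4Address(addr)), int(ipaddress.IPv4Address(mask))
    net = ipaddress.IPv4Network(spec, strict=False)   # bare a.b.c.d becomes /32
    return int(net.network_address), int(net.netmask)

def parse_rule(text: str):
    """Parse the 'ACTION ip from SRC to DST' subset used in the thread."""
    action, proto, kw_from, src, kw_to, dst = text.split()
    assert proto == "ip" and kw_from == "from" and kw_to == "to"
    return action, parse_addr(src), parse_addr(dst)

def matches(spec, addr: str) -> bool:
    rule_addr, mask = spec
    return (int(ipaddress.IPv4Address(addr)) & mask) == (rule_addr & mask)

def first_match(rules, src: str, dst: str, default: str = "allow") -> str:
    """ipfw semantics: the first matching rule decides. 'default' stands in
    for the rest of the ruleset (assumed here to allow remaining traffic)."""
    for action, rsrc, rdst in (parse_rule(r) for r in rules):
        if matches(rsrc, src) and matches(rdst, dst):
            return action
    return default

# Constructed ruleset: drop source-broadcast packets first (so the allow
# below cannot let them through), keep the directly connected network's
# broadcast (192.0.2.0/24 is an assumption), then drop every other
# broadcast destination with the reversed mask.
RULES = [
    "deny ip from 0.0.0.255:0.0.0.255 to any",
    "allow ip from 192.0.2.0/24 to 192.0.2.255",
    "deny ip from any to 0.0.0.255:0.0.0.255",
]

if __name__ == "__main__":
    for src, dst in [("192.0.2.10", "192.0.2.255"), ("192.0.2.10", "10.1.5.255"),
                     ("10.1.5.255", "192.0.2.10"), ("192.0.2.10", "10.1.5.7")]:
        print(f"{src} -> {dst}: {first_match(RULES, src, dst)}")
```

Note that the reversed mask only catches broadcast addresses ending in .255; a subnet smaller than /24 (for example a /25, whose broadcast ends in .127) needs its own deny rule.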