From owner-freebsd-security Tue Feb 29 5:50:22 2000
Delivered-To: freebsd-security@freebsd.org
Received: from cc942873-a.ewndsr1.nj.home.com (cc942873-a.ewndsr1.nj.home.com [24.2.89.207]) by hub.freebsd.org (Postfix) with ESMTP id 1610C37BB5F for ; Tue, 29 Feb 2000 05:50:17 -0800 (PST) (envelope-from cjc@cc942873-a.ewndsr1.nj.home.com)
Received: (from cjc@localhost) by cc942873-a.ewndsr1.nj.home.com (8.9.3/8.9.3) id IAA33663; Tue, 29 Feb 2000 08:51:45 -0500 (EST) (envelope-from cjc)
Date: Tue, 29 Feb 2000 08:51:45 -0500
From: "Crist J. Clark"
To: "Rodney W. Grimes"
Cc: Cy Schubert - ITSD Open Systems Group , cjclark@home.com, Lev Serebryakov , All
Subject: Re: ipfw log accounting
Message-ID: <20000229085144.A33597@cc942873-a.ewndsr1.nj.home.com>
Reply-To: cjclark@home.com
References: <200002290343.TAA07654@cwsys.cwsent.com> <200002290814.AAA81399@gndrsh.dnsmgr.net>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
X-Mailer: Mutt 1.0i
In-Reply-To: <200002290814.AAA81399@gndrsh.dnsmgr.net>; from freebsd@gndrsh.dnsmgr.net on Tue, Feb 29, 2000 at 12:14:44AM -0800
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Tue, Feb 29, 2000 at 12:14:44AM -0800, Rodney W. Grimes wrote:
> > In message <20000228215904.B31743@cc942873-a.ewndsr1.nj.home.com>,
> > "Crist J. Clark" writes:
> > > On Tue, Feb 29, 2000 at 01:46:53AM +0300, Lev Serebryakov wrote:
> > > [snip]
> > > > And one more question:
> > > > How could I write a rule which skips all broadcast traffic? My
> > > > computer is on a big provider's net, and here is more than one
> > > > broadcast address (many subnets on one wire)...
> > >
> > > Never tried this and haven't glanced at the source to see if it has a
> > > chance of working, but _theoretically_ is there a reason that,
> > >
> > >   deny ip from 0.0.0.255:0.0.0.255 to any
> > >
> > > A "reversed" netmask won't work?
> >
> > Been there done that. This works using either IPFW or IP Filter,
> > however you'll want to code it as the following, as the destination is
> > the broadcast address:
>
> Actually you need to be a bit selective, your host is going to have
> a real hard time doing ARPs if you block all broadcast packets. Make
> sure you have a directly connected network specific ``allow'' of broadcast
> destinations.

The above only would block broadcast _IP_ packets (and as was pointed
out in the reply with the lost attribution, you would want to block the
broadcast _destination_ not source). ARP is not an IP protocol so they
are not affected by the rule. In fact IIRC, since ARP packets do not
even have source or destination IPs (they use the MAC addresses and the
MAC broadcast, ff:ff:ff:ff:ff:ff), the only ipfw rule that can catch
them is ' all from any to any'.
-- 
Crist J. Clark                           cjclark@home.com

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
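The following is an added illustration of the points made in this thread; it is not code from the message, from Rodney's lost reply, or from FreeBSD's ipfw. It models ipfw's first-match rule evaluation and the two destination-address forms used above (`addr/bits` and the reversed-mask `addr:mask` form, where a packet matches when `addr & mask` equals the rule's masked address), then walks constructed packets through the ruleset the thread converges on: an explicit allow for the directly connected network's broadcast address, a deny on any other x.x.x.255 destination, and a default allow. The local subnet 10.1.2.0/24, the rule numbers and the sample addresses are all constructed for the example. The `frame_verdict` helper models Crist's last point: an ARP frame is not an IP datagram, so the IP rule list never sees it and broadcast ARP keeps working.

```python
"""Model of how a first-match ipfw ruleset treats broadcast destinations.

Added example (not the thread's or FreeBSD's code). The subnet, rule numbers
and packet addresses below are constructed for illustration.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

ETHERTYPE_IP = 0x0800
ETHERTYPE_ARP = 0x0806


def parse_addr_spec(spec: str) -> Tuple[int, int]:
    """Return (masked_address, mask) for 'any', 'a.b.c.d', 'a.b.c.d/bits'
    or the reversed-mask form 'a.b.c.d:m.m.m.m' used in the thread."""
    if spec == "any":
        return 0, 0
    if ":" in spec:                       # addr:mask, mask is a dotted quad
        addr, mask = spec.split(":", 1)
        m = int(ipaddress.IPv4Address(mask))
        return int(ipaddress.IPv4Address(addr)) & m, m
    if "/" in spec:                       # addr/bits, a normal CIDR prefix
        net = ipaddress.IPv4Network(spec, strict=False)
        return int(net.network_address), int(net.netmask)
    return int(ipaddress.IPv4Address(spec)), 0xFFFFFFFF   # single host


def addr_matches(spec: str, addr: str) -> bool:
    """True when addr falls inside the address spec (addr & mask == masked spec)."""
    masked, mask = parse_addr_spec(spec)
    return (int(ipaddress.IPv4Address(addr)) & mask) == masked


@dataclass
class Rule:
    number: int
    action: str      # "allow" or "deny"
    proto: str       # "ip" (every IP packet is a candidate in this model)
    src: str
    dst: str

    def text(self) -> str:
        return f"ipfw add {self.number} {self.action} {self.proto} from {self.src} to {self.dst}"


def local_broadcast(cidr: str) -> str:
    """Directed broadcast address of the directly connected network."""
    return str(ipaddress.IPv4Network(cidr, strict=False).broadcast_address)


def build_ruleset(local_net: str) -> List[Rule]:
    """Allow the local net's broadcast first, then drop other x.x.x.255
    destinations (the reversed-mask rule), then allow everything else."""
    return [
        Rule(100, "allow", "ip", "any", local_broadcast(local_net)),
        Rule(200, "deny", "ip", "any", "0.0.0.255:0.0.0.255"),
        Rule(65535, "allow", "ip", "any", "any"),
    ]


def verdict(rules: List[Rule], src: str, dst: str) -> Tuple[str, int]:
    """First-match evaluation; returns (action, rule number)."""
    for r in rules:
        if addr_matches(r.src, src) and addr_matches(r.dst, dst):
            return r.action, r.number
    return "deny", 0                      # nothing matched: treat as denied


def frame_verdict(rules: List[Rule], ethertype: int,
                  src: Optional[str] = None, dst: Optional[str] = None):
    """ARP and other non-IP frames never enter the IP rule list, so a deny on
    x.x.x.255 destinations does not stop broadcast ARP."""
    if ethertype != ETHERTYPE_IP:
        return "not inspected", None
    return verdict(rules, src, dst)


if __name__ == "__main__":
    rules = build_ruleset("10.1.2.0/24")
    for r in rules:
        print(r.text())
    for dst in ("10.1.2.255", "10.1.3.255", "10.1.3.7", "255.255.255.255"):
        print(dst, verdict(rules, "10.1.2.5", dst))
    print("ARP frame:", frame_verdict(rules, ETHERTYPE_ARP))
```

Two caveats the model makes visible: the reversed mask `0.0.0.255:0.0.0.255` only recognises broadcasts whose last octet is 255, so the broadcast of a subnet longer than /24 (for example .127 on a /25) passes rule 200, and it also catches the limited broadcast 255.255.255.255, so a host that depends on replies sent to that address (such as DHCP) needs its own allow ahead of the deny.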