From: Yar Tikhiy
To: Ian Smith
Cc: freebsd-net@freebsd.org
Date: Wed, 11 Oct 2006 17:38:29 +0400
Subject: Re: A way to disable reception of broadcast UDP?
Message-ID: <20061011133829.GD47124@comp.chem.msu.su>
References: <20061011123403.GC47124@comp.chem.msu.su>
List-Id: Networking and TCP/IP with FreeBSD

On Wed, Oct 11, 2006 at 11:07:36PM +1000, Ian Smith wrote:
> On Wed, 11 Oct 2006, Yar Tikhiy wrote:
>
> > Is there a well-known way for a UDP application to tell the
> > system that it doesn't want to receive broadcast datagrams? E.g.,
> > it would be very good for TFTP as required by RFC 1123. In general,
> > accepting broadcast UDP is a security flaw unless the higher proto
> > was specifically designed to work with broadcast.
>
> I know this doesn't address your question regarding the stack, but you
> could immediately benefit by having a firewall rule dropping all IP
> traffic on the broadcast address (and the network address) via the
> outside interface. Working here since '98, counting plenty of them.
>
> If you also wanted to limit UDP on the inside, that's just as easy.

Thanks for your comment! However, there are many kinds of broadcast or
multicast traffic that can be coming to a UDP app from the outside or a
connected network. Those include datagrams destined to the broadcast
address of any IP alias on this host, should the aliases belong to
different IP networks, all multicast groups this host has joined, etc.
All of them can be (and are!) distinguished internally by the local
stack with the M_MCAST and M_BCAST mbuf flags. This information can be
hard to maintain on the border router for a large network, and it's lost
when passing network data to the application. That was my point.

In addition, I think that filtering broadcasts on the border router is a
bit redundant today because modern network stacks just drop directed
broadcasts. Local broadcast or multicast traffic is the main problem
here.

-- 
Yar
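Added example (not part of the thread above, and not code from Yar, Ian or the FreeBSD project): a UDP receiver that recovers the datagram's destination address in user space and discards datagrams addressed to a multicast group, to the limited broadcast address, or to the directed-broadcast address of any local IPv4 alias. It uses IP_RECVDSTADDR on the BSDs and IP_PKTINFO on Linux to get the destination as ancillary data, and getifaddrs() to learn the alias broadcast addresses. The port 6969 and the function names (is_bcast_or_mcast_dst, check_dst_str, enable_dst_info, get_dst_addr) are this example's own choices, and check_dst_str feeds the checker a constructed one-entry interface list so the logic can be exercised without a network.

```c
#define _GNU_SOURCE 1   /* glibc: make getifaddrs(), IFF_*, struct in_pktinfo visible */
#include <arpa/inet.h>
#include <ifaddrs.h>
#include <net/if.h>
#include <netinet/in.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <sys/uio.h>
#include <unistd.h>

#ifndef IFF_BROADCAST
#define IFF_BROADCAST 0x2   /* same value on FreeBSD and Linux; fallback only */
#endif

/* Return 1 if dst is a multicast address, the limited broadcast address, or the
 * directed-broadcast address of any IPv4 interface/alias in the ifaddrs list
 * (only entries flagged IFF_BROADCAST count, so point-to-point peers are not
 * mistaken for broadcasts); 0 otherwise. The list is a parameter so the
 * function can be exercised against a constructed entry. */
int is_bcast_or_mcast_dst(struct in_addr dst, const struct ifaddrs *ifa)
{
    uint32_t a = ntohl(dst.s_addr);

    if (IN_MULTICAST(a) || a == INADDR_BROADCAST)
        return 1;
    for (; ifa != NULL; ifa = ifa->ifa_next) {
        const struct sockaddr_in *b;
        if (ifa->ifa_addr == NULL || ifa->ifa_addr->sa_family != AF_INET)
            continue;
        if (!(ifa->ifa_flags & IFF_BROADCAST) || ifa->ifa_broadaddr == NULL)
            continue;
        b = (const struct sockaddr_in *)ifa->ifa_broadaddr;
        if (b->sin_addr.s_addr == dst.s_addr)
            return 1;
    }
    return 0;
}

/* Test helper: evaluate dst against one constructed interface entry whose
 * broadcast address is bcast (dotted-quad strings). Returns -1 on bad input. */
int check_dst_str(const char *dst, const char *bcast)
{
    struct sockaddr_in addr, brd;
    struct ifaddrs ifa;
    struct in_addr d;

    memset(&addr, 0, sizeof addr); memset(&brd, 0, sizeof brd); memset(&ifa, 0, sizeof ifa);
    addr.sin_family = brd.sin_family = AF_INET;
    if (inet_pton(AF_INET, bcast, &brd.sin_addr) != 1 || inet_pton(AF_INET, dst, &d) != 1)
        return -1;
    ifa.ifa_flags = IFF_BROADCAST;
    ifa.ifa_addr = (struct sockaddr *)&addr;
    ifa.ifa_broadaddr = (struct sockaddr *)&brd;
    return is_bcast_or_mcast_dst(d, &ifa);
}

/* Ask the stack to deliver each datagram's IP destination as ancillary data. */
static int enable_dst_info(int fd)
{
    int on = 1;
#if defined(IP_RECVDSTADDR)
    return setsockopt(fd, IPPROTO_IP, IP_RECVDSTADDR, &on, sizeof on);
#elif defined(IP_PKTINFO)
    return setsockopt(fd, IPPROTO_IP, IP_PKTINFO, &on, sizeof on);
#else
    (void)fd; (void)on; return -1;
#endif
}

/* Pull the destination address out of the control messages of a recvmsg(). */
static int get_dst_addr(struct msghdr *msg, struct in_addr *dst)
{
    struct cmsghdr *c;
    for (c = CMSG_FIRSTHDR(msg); c != NULL; c = CMSG_NXTHDR(msg, c)) {
        if (c->cmsg_level != IPPROTO_IP) continue;
#if defined(IP_RECVDSTADDR)
        if (c->cmsg_type == IP_RECVDSTADDR) { memcpy(dst, CMSG_DATA(c), sizeof *dst); return 1; }
#elif defined(IP_PKTINFO)
        if (c->cmsg_type == IP_PKTINFO) {
            struct in_pktinfo pi;
            memcpy(&pi, CMSG_DATA(c), sizeof pi);
            *dst = pi.ipi_addr;   /* header destination, not the routed local address */
            return 1;
        }
#endif
    }
    return 0;
}

int main(void)
{
    int fd = socket(AF_INET, SOCK_DGRAM, 0);
    struct sockaddr_in sin;
    struct ifaddrs *ifap = NULL;
    char buf[1500], ctl[128];

    if (fd < 0 || enable_dst_info(fd) < 0) { perror("socket/setsockopt"); return 1; }
    memset(&sin, 0, sizeof sin);
    sin.sin_family = AF_INET; sin.sin_addr.s_addr = htonl(INADDR_ANY);
    sin.sin_port = htons(6969);   /* arbitrary port chosen for this example */
    if (bind(fd, (struct sockaddr *)&sin, sizeof sin) < 0) { perror("bind"); return 1; }
    for (;;) {
        struct sockaddr_in from;
        struct iovec iov = { buf, sizeof buf };
        struct msghdr msg;
        struct in_addr dst;
        ssize_t n;
        memset(&msg, 0, sizeof msg);
        msg.msg_name = &from;  msg.msg_namelen = sizeof from;
        msg.msg_iov = &iov;    msg.msg_iovlen = 1;
        msg.msg_control = ctl; msg.msg_controllen = sizeof ctl;
        if ((n = recvmsg(fd, &msg, 0)) < 0) { perror("recvmsg"); break; }
        if (ifap) freeifaddrs(ifap);          /* refresh so new aliases are covered */
        if (getifaddrs(&ifap) < 0) ifap = NULL;
        /* Fail closed: no destination from the stack, or a broadcast/multicast one, is dropped. */
        if (!get_dst_addr(&msg, &dst) || is_bcast_or_mcast_dst(dst, ifap)) {
            fprintf(stderr, "dropped %zd bytes from %s\n", n, inet_ntoa(from.sin_addr));
            continue;
        }
        printf("accepted %zd bytes from %s\n", n, inet_ntoa(from.sin_addr));
    }
    close(fd);
    return 0;
}
```

This filters on the IP destination address, which is what the stack still hands to user space once the M_BCAST/M_MCAST mbuf flags are gone; a frame that is a link-layer broadcast but carries a unicast IP destination is not caught by it, so it narrows the exposure Yar describes rather than fully replacing a kernel-side check.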