From owner-freebsd-net@FreeBSD.ORG Wed Oct 11 14:32:08 2006
X-Original-To: freebsd-net@freebsd.org
Delivered-To: freebsd-net@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 7D4BC16A40F for ; Wed, 11 Oct 2006 14:32:08 +0000 (UTC) (envelope-from smithi@nimnet.asn.au)
Received: from gaia.nimnet.asn.au (nimbin.lnk.telstra.net [139.130.45.143]) by mx1.FreeBSD.org (Postfix) with ESMTP id B4D7143D46 for ; Wed, 11 Oct 2006 14:32:06 +0000 (GMT) (envelope-from smithi@nimnet.asn.au)
Received: from localhost (smithi@localhost) by gaia.nimnet.asn.au (8.8.8/8.8.8R1.4) with SMTP id AAA13224; Thu, 12 Oct 2006 00:31:50 +1000 (EST) (envelope-from smithi@nimnet.asn.au)
Date: Thu, 12 Oct 2006 00:31:49 +1000 (EST)
From: Ian Smith
To: Yar Tikhiy
In-Reply-To: <20061011133829.GD47124@comp.chem.msu.su>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Cc: freebsd-net@freebsd.org
Subject: Re: A way to disable reception of broadcast UDP?
X-BeenThere: freebsd-net@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: Networking and TCP/IP with FreeBSD
X-List-Received-Date: Wed, 11 Oct 2006 14:32:08 -0000

On Wed, 11 Oct 2006, Yar Tikhiy wrote:

> On Wed, Oct 11, 2006 at 11:07:36PM +1000, Ian Smith wrote:
> > On Wed, 11 Oct 2006, Yar Tikhiy wrote:
> >
> > > Is there a well-known way for a UDP application to tell the
> > > system that it doesn't want to receive broadcast datagrams? E.g.,
> > > it would be very good for TFTP as required by RFC 1123. In general,
> > > accepting broadcast UDP is a security flaw unless the higher proto
> > > was specifically designed to work with broadcast.
> >
> > I know this doesn't address your question regarding the stack, but you
> > could immediately benefit by having a firewall rule dropping all IP
> > traffic on the broadcast address (and the network address) via the
> > outside interface. Working here since '98, counting plenty of them.
> >
> > If you also wanted to limit UDP on the inside, that's just as easy.
>
> Thanks for your comment! However, there are many kinds of broadcast
> or multicast traffic that can be coming to a UDP app from the outside
> or a connected network. Those include datagrams destined to broadcast
> address for any IP alias on this host, should the aliases belong
> to different IP networks, all multicast groups this host has joined,
> etc. All of them can be (and are!) distinguished internally by the
> local stack with M_MCAST and M_BCAST mbuf flags. This information
> can be hard to maintain on the border router for a large network,
> and it's lost when passing network data to the application. That
> was my point.

And for once I'd thought I wasn't too far out of my depth :)

> In addition, I think that filtering broadcasts on the border router
> is a bit redundant today because modern network stacks just drop
> directed broadcasts. Local broadcast or multicast traffic is the
> main problem here.

Thanks for the education. Back to lurking, awaiting a learned response.

Cheers, Ian
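The thread above leaves the kernel-side question open (whether the stack's M_BCAST/M_MCAST verdict can be surfaced as a socket option). What an application can do today, as an added example that is not code from the thread or from FreeBSD, is ask for the datagram's header destination address as recvmsg() ancillary data and discard anything addressed to a broadcast or multicast destination before the protocol code sees it. The socket options used are real: IP_RECVDSTADDR on FreeBSD and IP_PKTINFO (field ipi_addr) on Linux. The interface address 192.0.2.10/24 and UDP port 6969 are constructed placeholders; a real service would run the check once per configured address and alias (for instance by walking getifaddrs(3)), which is exactly the bookkeeping Yar's reply points out is awkward to keep on a border router.

```c
#define _GNU_SOURCE          /* glibc: expose struct in_pktinfo; ignored elsewhere */
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <stdint.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <sys/uio.h>
#include <netinet/in.h>
#include <arpa/inet.h>

/* Return 1 if dst is the limited broadcast, an IPv4 multicast group, or the
 * directed broadcast (or all-zeros network address) of the ifaddr/mask
 * network; 0 otherwise.  A /32 has no broadcast address, so the
 * directed-broadcast test is skipped for it rather than rejecting unicast. */
int udp_dst_is_bcast_or_mcast(struct in_addr dst, struct in_addr ifaddr,
                              struct in_addr mask)
{
    uint32_t d = ntohl(dst.s_addr);
    uint32_t m = ntohl(mask.s_addr);
    uint32_t net = ntohl(ifaddr.s_addr) & m;

    if (d == INADDR_BROADCAST)                  /* 255.255.255.255 */
        return 1;
    if (IN_MULTICAST(d))                        /* 224.0.0.0/4, host order */
        return 1;
    if (m != 0xffffffffU && (d == (net | ~m) || d == net))
        return 1;
    return 0;
}

/* Same check on dotted-quad strings; -1 on a parse error. */
int udp_dst_check_str(const char *dst, const char *ifaddr, const char *mask)
{
    struct in_addr d, a, m;
    if (inet_pton(AF_INET, dst, &d) != 1 || inet_pton(AF_INET, ifaddr, &a) != 1 ||
        inet_pton(AF_INET, mask, &m) != 1)
        return -1;
    return udp_dst_is_bcast_or_mcast(d, a, m);
}

/* Ask the kernel to attach the header destination address to each datagram. */
int udp_enable_dst_info(int fd)
{
    int on = 1;
#ifdef IP_RECVDSTADDR
    return setsockopt(fd, IPPROTO_IP, IP_RECVDSTADDR, &on, sizeof on);   /* FreeBSD */
#else
    return setsockopt(fd, IPPROTO_IP, IP_PKTINFO, &on, sizeof on);       /* Linux */
#endif
}

/* Receive one datagram and store its header destination in *dst
 * (INADDR_ANY if the kernel supplied none).  Returns bytes read or -1. */
ssize_t udp_recv_with_dst(int fd, void *buf, size_t len,
                          struct sockaddr_in *from, struct in_addr *dst)
{
    unsigned char cbuf[CMSG_SPACE(64)];   /* room for either cmsg type */
    struct iovec iov;
    struct msghdr msg;
    struct cmsghdr *cm;
    ssize_t n;

    iov.iov_base = buf;
    iov.iov_len = len;
    memset(&msg, 0, sizeof msg);
    msg.msg_name = from;
    msg.msg_namelen = sizeof *from;
    msg.msg_iov = &iov;
    msg.msg_iovlen = 1;
    msg.msg_control = cbuf;
    msg.msg_controllen = sizeof cbuf;
    dst->s_addr = htonl(INADDR_ANY);

    if ((n = recvmsg(fd, &msg, 0)) < 0)
        return -1;
    for (cm = CMSG_FIRSTHDR(&msg); cm != NULL; cm = CMSG_NXTHDR(&msg, cm)) {
        if (cm->cmsg_level != IPPROTO_IP)
            continue;
#ifdef IP_RECVDSTADDR
        if (cm->cmsg_type == IP_RECVDSTADDR)
            memcpy(dst, CMSG_DATA(cm), sizeof *dst);
#else
        if (cm->cmsg_type == IP_PKTINFO) {
            struct in_pktinfo pi;
            memcpy(&pi, CMSG_DATA(cm), sizeof pi);
            *dst = pi.ipi_addr;               /* header destination, not ipi_spec_dst */
        }
#endif
    }
    return n;
}

int main(void)
{
    /* Constructed placeholders: host address 192.0.2.10/24, UDP port 6969. */
    struct in_addr ifaddr, mask, dst;
    struct sockaddr_in me, from;
    char buf[1500], dbuf[INET_ADDRSTRLEN];
    int fd;

    inet_pton(AF_INET, "192.0.2.10", &ifaddr);
    inet_pton(AF_INET, "255.255.255.0", &mask);
    if ((fd = socket(AF_INET, SOCK_DGRAM, 0)) < 0 || udp_enable_dst_info(fd) < 0)
        return 1;
    memset(&me, 0, sizeof me);
    me.sin_family = AF_INET;
    me.sin_addr.s_addr = htonl(INADDR_ANY);
    me.sin_port = htons(6969);
    if (bind(fd, (struct sockaddr *)&me, sizeof me) < 0)
        return 1;
    for (;;) {
        ssize_t n = udp_recv_with_dst(fd, buf, sizeof buf, &from, &dst);
        if (n < 0)
            break;
        inet_ntop(AF_INET, &dst, dbuf, sizeof dbuf);
        printf("%zd bytes to %s: %s\n", n, dbuf,
               udp_dst_is_bcast_or_mcast(dst, ifaddr, mask) ? "dropped" : "accepted");
    }
    close(fd);
    return 0;
}
```

The classification deliberately treats the network address as well as the directed broadcast as non-unicast, matching the firewall rule described in the thread, and a datagram whose destination the kernel did not report (INADDR_ANY) is classified as unicast, so enabling the socket option is a prerequisite rather than an optimisation.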