    allow usage of :broadcast in UI

    Firewalling
      skullnobrains last edited by

      hello

      is there any way to use ":broadcast" as a source or destination address?

      i'd like to be able to mitigate smurf and smurf-like attacks in a couple of floating rules. basically disabling any inter-lan broadcast traffic would fit the bill perfectly in my case.

      nevertheless, i'd like to enable multiple types of traffic including icmp on a per interface / per network basis.

      being able to stick a bunch of manually written custom rules would be a decent answer both for this goal and others

      any way to achieve that?

      thanks

        JKnott @skullnobrains last edited by

        @skullnobrains

        First off, the broadcast address is never used for the source. Also, what would using it as destination accomplish that * wouldn't?

        PfSense running on Qotom mini PC
        i5 CPU, 4 GB memory, 32 GB SSD & 4 Intel Gb Ethernet ports.
        UniFi AC-Lite access point

        I haven't lost my mind. It's around here...somewhere...

          skullnobrains last edited by

          by source broadcast, i mean 0.0.0.0 or whatever is the first ip of whatever range is configured. which i'm unsure pf handles natively. maybe that's overkill.

          --

          in my topology, there is a separate vlan and /24 network for each type of host. i do not bother with how many nodes of each type exist or what the last octet of their ips would be. so most of my rules allow traffic from one LAN to another using "XXX_network" as the target. additionally ping and traceroute are globally allowed between lan hosts.

          using :broadcast as a destination in a quick floating rule should allow me to forbid sending packets from one network to the broadcast address of another without adding specific rules all over the place. i'm aware many attacks are already supposedly mitigated by the builtin antispoof but there is still room for storming a neighbor host and possibly a bunch of other scenarios.

          each host's individual firewall is responsible for limiting traffic from its siblings whenever feasible. but the central firewall is supposed to filter inter-lan traffic.

            JKnott last edited by JKnott

            0.0.0.0 is used when a device does not yet know its address. You'll see it with DHCP. Also, broadcasts are not normally passed by routers, so there's no reason to expect broadcasts from one network to appear on another. What broadcasts are you seeing that you think are passing between networks?

            BTW, a lot of "broadcasts" are in fact multicast and sent only to the desired network.

              skullnobrains last edited by

              i stand corrected regarding the behavior of pfsense which actually does not forward packets with the broadcast address as a destination. ( except afaik in some weird cases with policy routing. pf does ). but it does forward some crafted packets using a different network's broadcast as the source or destination. ( which unfortunately would not be handled by :broadcast since pfsense has no way to determine the address is indeed a broadcast so no-go anyway ). i'm not seeing anything. i just want to prevent such attacks while keeping my ruleset as simple as possible. thanks.

              there is indeed quite a range of attacks using broadcast addresses for the source of packets and 0.0.0.0 as well.

              regarding multicast, i have those as well. a way to match them as a whole would be very convenient to prevent them from being logged. but that can be performed with a small number of rules.

              since what i am trying to achieve here is indeed the default behavior, i'm sorry for using up your precious time. thanks again.

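For reference, the filtering discussed in this thread written out in raw pf.conf syntax. This is an added example, not something posted in the thread or generated by pfSense; it assumes three /24 VLAN interfaces named vlan10, vlan20 and vlan30 on the firewall and shows what the `:broadcast` and `:network` interface modifiers can and cannot express.

```pf
# Constructed example: assumed interface names, one /24 per VLAN.
lans = "{ vlan10 vlan20 vlan30 }"

# DHCP DISCOVER/REQUEST legitimately arrive from 0.0.0.0, so let them
# through before any rule that drops unspecified-source packets.
pass in quick on $lans inet proto udp from 0.0.0.0 port 68 to 255.255.255.255 port 67

# A packet arriving from a LAN whose source is the directed-broadcast
# address of one of our own networks (or 0.0.0.0 outside DHCP) is never
# legitimate once it reaches the router: drop and log it, quick, so the
# per-interface rules below are never consulted for it.
block in log quick on $lans from { vlan10:broadcast vlan20:broadcast vlan30:broadcast 0.0.0.0 } to any

# Inter-LAN traffic addressed to another LAN's broadcast address (the
# smurf amplifier case). Note the limitation raised in the thread:
# ':broadcast' only expands to the broadcast addresses of interfaces this
# firewall has configured, so the broadcast address of a network the
# firewall knows nothing about cannot be matched with this keyword.
block in log quick on $lans from any to { vlan10:broadcast vlan20:broadcast vlan30:broadcast }

# The existing "XXX_network" style of inter-LAN rules keeps working
# underneath (these are not quick, so later rules may still apply).
pass in on vlan10 inet proto icmp from vlan10:network to { vlan20:network vlan30:network } keep state
pass in on vlan20 inet proto icmp from vlan20:network to { vlan10:network vlan30:network } keep state
pass in on vlan30 inet proto icmp from vlan30:network to { vlan10:network vlan20:network } keep state
```

pfSense regenerates pf.conf from the web UI, so these rules are for understanding the pf semantics rather than for pasting into the running configuration; logged hits on the two block rules are the signal that something on a LAN is spoofing broadcast addresses.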