Netgate Discussion Forum

allow usage of :broadcast in UI

Firewalling
5 Posts 2 Posters 417 Views
skullnobrains
    last edited by Jun 12, 2019, 8:26 AM

    hello

    is there any way to use ":broadcast" as a source or destination address?

    i'd like to be able to mitigate smurf and smurf-like attacks in a couple of floating rules. basically disabling any inter-lan broadcast traffic would fit the bill perfectly in my case.

    nevertheless, i'd like to enable multiple types of traffic including icmp on a per interface / per network basis.

    being able to stick a bunch of manually written custom rules would be a decent answer both for this goal and others

    any way to achieve that ?

    thanks

    JKnott @skullnobrains
      last edited by Jun 12, 2019, 10:42 AM

      @skullnobrains

      First off, the broadcast address is never used for the source. Also, what would using it as destination accomplish that * wouldn't?

      PfSense running on Qotom mini PC
      i5 CPU, 4 GB memory, 32 GB SSD & 4 Intel Gb Ethernet ports.
      UniFi AC-Lite access point

      I haven't lost my mind. It's around here...somewhere...

      skullnobrains
        last edited by Jun 12, 2019, 11:00 AM

        by source broadcast, i mean 0.0.0.0 or whatever is the first ip of whatever range is configured. which i'm unsure pf handles natively. maybe that's overkill.

        --

        in my topology, there is a separate vlan and /24 network for each type of host. i do not bother with how many nodes of each type exist or what the last octet of their ips would be. so most of my rules allow traffic from one LAN to another using "XXX_network" as the target. additionally ping and traceroute are globally allowed between lan hosts.

        using :broadcast as a destination in a quick floating rule should allow me to forbid sending packets from one network to the broadcast address of another without adding specific rules all over the place. i'm aware many attacks are already supposedly mitigated by the built-in antispoof but there is still room for storming a neighbor host and possibly a bunch of other scenarios.

        each host's individual firewall is responsible for limiting traffic from its siblings whenever feasible. but the central firewall is supposed to filter inter-lan traffic.

          JKnott
          Jun 12, 2019, 1:01 PM (last edited by JKnott Jun 12, 2019, 1:03 PM)

          0.0.0.0 is used when a device does not yet know its address. You'll see it with DHCP. Also, broadcasts are not normally passed by routers, so there's no reason to expect broadcasts from one network to appear on another. What broadcasts are you seeing that you think are passing between networks?

          BTW, a lot of "broadcasts" are in fact multicast and sent only to the desired network.

          PfSense running on Qotom mini PC
          i5 CPU, 4 GB memory, 32 GB SSD & 4 Intel Gb Ethernet ports.
          UniFi AC-Lite access point

          I haven't lost my mind. It's around here...somewhere...

            skullnobrains
            last edited by Jun 12, 2019, 3:32 PM

            i stand corrected regarding the behavior of pfsense which actually does not forward packets with the broadcast address as a destination (except afaik in some weird cases with policy routing. pf does). but it does forward some crafted packets using a different network's broadcast as the source or destination (which unfortunately would not be handled by :broadcast since pfsense has no way to determine the address is indeed a broadcast so no-go anyway). i'm not seeing anything. i just want to prevent such attacks while keeping my ruleset as simple as possible. thanks.

            there is indeed quite a range of attacks using broadcast addresses for the source of packets and 0.0.0.0 as well.

            regarding multicast, i have those as well. a way to match them as a whole would be very convenient to prevent them from being logged. but that can be performed with a small number of rules.

            since what i am trying to achieve here is indeed the default behavior, i'm sorry for using up your precious time. thanks again.

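The policy discussed across this thread (drop packets whose source is a broadcast address or 0.0.0.0, drop directed broadcasts aimed at another LAN's broadcast address, and match multicast as a whole so it stays out of the log) can be written down as a small classifier. The script below is an added example, not code from either poster or from pfSense/pf; the "one /24 per VLAN" network list, the interface names and the sample packets are constructed, and the pf rule text it emits is an assumption about what such floating rules would look like, using pf's documented `<interface>:broadcast` modifier. It can only recognise broadcast addresses of networks it has been told about, which is the limitation the last post points out.

```python
"""Classify inter-LAN IPv4 packets against the broadcast/multicast policy from the
thread and emit candidate pf rules.  Added example; network list, interface names
and sample packets are constructed, not taken from the original posts."""
from ipaddress import ip_address, ip_network

# Constructed topology: one /24 per VLAN, as the original poster describes.
LAN_NETWORKS = {
    "VLAN10_net": ip_network("192.0.2.0/24"),
    "VLAN20_net": ip_network("198.51.100.0/24"),
    "VLAN30_net": ip_network("203.0.113.0/24"),
}
# Constructed mapping from network name to the pf interface carrying it (assumption).
IFACE_OF = {"VLAN10_net": "vlan10", "VLAN20_net": "vlan20", "VLAN30_net": "vlan30"}

MULTICAST = ip_network("224.0.0.0/4")
UNSPECIFIED = ip_address("0.0.0.0")
LIMITED_BROADCAST = ip_address("255.255.255.255")


def broadcast_addresses(networks):
    """Per-network directed broadcast address, i.e. what <iface>:broadcast expands to."""
    return {name: net.broadcast_address for name, net in networks.items()}


def network_of(addr, networks):
    """Name of the configured network containing addr, or None if it is unknown."""
    for name, net in networks.items():
        if addr in net:
            return name
    return None


def classify(src, dst, networks=LAN_NETWORKS):
    """Return (verdict, reason) for a packet crossing the central firewall.

    Only broadcast addresses of *configured* networks are recognised; a broadcast
    address of some network the firewall does not know about looks like unicast."""
    src, dst = ip_address(src), ip_address(dst)
    bcasts = set(broadcast_addresses(networks).values())

    # Nothing legitimate is routed *from* a broadcast address or 0.0.0.0
    # (0.0.0.0 is only seen on-link, e.g. in a DHCP DISCOVER).
    if src in bcasts or src in (UNSPECIFIED, LIMITED_BROADCAST):
        return "block", "bogus source address"

    # Directed broadcast: destination is the broadcast address of a different
    # network than the source's (the amplifier pattern the poster wants to stop).
    if dst in bcasts:
        if network_of(dst, networks) != network_of(src, networks):
            return "block", "directed broadcast to another LAN"
        return "pass", "local broadcast, same LAN"

    if dst == LIMITED_BROADCAST:
        return "block", "limited broadcast is link-local only"

    # Match multicast as a whole so it is neither logged nor handled rule by rule.
    if dst in MULTICAST:
        return "block-nolog", "multicast"

    return "pass", "unicast"


def pf_rules(networks, iface_of):
    """Candidate floating 'quick' pf rules for the same policy (assumed syntax)."""
    bcasts = broadcast_addresses(networks)
    bogus = ["0.0.0.0", "255.255.255.255"] + [str(b) for b in bcasts.values()]
    rules = [
        'block in quick log from { %s } to any label "bogus-source"' % ", ".join(bogus),
        'block in quick log from any to 255.255.255.255 label "limited-broadcast"',
    ]
    # On each interface, drop packets aimed at the other interfaces' broadcast addresses.
    for name, iface in iface_of.items():
        others = ", ".join(f"{iface_of[o]}:broadcast" for o in networks if o != name)
        rules.append(
            f'block in quick log on {iface} from any to {{ {others} }} '
            f'label "directed-broadcast-from-{name}"'
        )
    # No 'log' keyword: multicast is dropped silently instead of filling the log.
    rules.append('block in quick from any to 224.0.0.0/4 label "multicast-nolog"')
    return rules


if __name__ == "__main__":
    samples = [  # constructed packets: (src, dst)
        ("192.0.2.10", "198.51.100.255"),
        ("192.0.2.255", "198.51.100.5"),
        ("0.0.0.0", "198.51.100.5"),
        ("192.0.2.10", "239.255.255.250"),
        ("192.0.2.10", "198.51.100.5"),
    ]
    for src, dst in samples:
        print(f"{src:>16} -> {dst:<16} {classify(src, dst)}")
    print("\n".join(pf_rules(LAN_NETWORKS, IFACE_OF)))
```

The classifier is the policy stated in plain terms; the generated rules are only a starting point for a hand-written custom ruleset, and whether multicast should be silently blocked or silently passed is a per-deployment choice.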
            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.