Date: Tue, 15 Sep 2020 17:31:56 +0930
From: Shane Ambler <FreeBSD@ShaneWare.Biz>
To: Kevin Oberman <rkoberman@gmail.com>, "freebsd-questions@freebsd.org" <questions@freebsd.org>
Subject: Re: ipfw matching traffic to broadcast (255.255.255.255)
Message-ID: <f0b8e469-4e18-faf3-9607-077bccdb84d2@ShaneWare.Biz>
In-Reply-To: <CAN6yY1uaRUJK9GnpM6jhhs2fauj2063VqGh2VUktP3Z2zVumTA@mail.gmail.com>
References: <CAN6yY1uaRUJK9GnpM6jhhs2fauj2063VqGh2VUktP3Z2zVumTA@mail.gmail.com>
On 12/9/20 7:07 am, Kevin Oberman wrote:
> I am seeing traffic from my cell phone to the broadcast address that I
> would like to block. I added a rule:
> 3220 deny udp from 192.168.1.18 9050 to any
> It shows no packet ever matches even though I see many logged by my catch-all
> rule: 5999 deny log udp from any to any
> ipfw: 5999 Deny UDP 192.168.1.18:9050 255.255.255.255:9050 in via wlan0
>
> Why is the 3220 rule not matching the packets I see logged by 3220?

While man ipfw says that "'any' matches any IP address", you should note that a broadcast address is a special IP address which means every IP in the subnet.

I had trouble getting a minidlna server to respond on my home network. The dlna client broadcasts on a udp port to discover servers; to get it through my firewall I needed to specifically allow packets to the broadcast address rather than to any.

This worked for me -

ipfw add 5880 pass udp from any to 239.255.255.250 dst-port 1900

So try

ipfw add 3220 deny udp from 192.168.1.18 9050 to 255.255.255.255 9050

or to account for dynamic addresses

ipfw add 3220 deny udp from any to 255.255.255.255 9050

-- 
FreeBSD - the place to B...Silencing Data

Shane Ambler
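The thread turns on which kind of address a logged packet was sent to. The following is an added example, not part of the list thread, that parses ipfw log lines of the format quoted above and tallies them by destination class (limited broadcast, directed broadcast for an assumed LAN of 192.168.1.0/24, multicast, unicast), which is the first thing to check before deciding whether a rule needs an explicit broadcast or multicast destination. The log lines are constructed for the example.

```python
import re
import ipaddress
from collections import Counter

# Constructed sample of ipfw log output in the format quoted in the thread
# (not a capture from the poster's machine).
SAMPLE_LOG = """\
ipfw: 5999 Deny UDP 192.168.1.18:9050 255.255.255.255:9050 in via wlan0
ipfw: 5999 Deny UDP 192.168.1.18:9050 255.255.255.255:9050 in via wlan0
ipfw: 5880 Accept UDP 192.168.1.25:52431 239.255.255.250:1900 in via wlan0
ipfw: 5999 Deny UDP 192.168.1.18:137 192.168.1.255:137 in via wlan0
ipfw: 5999 Deny TCP 192.168.1.18:44211 192.168.1.1:22 in via wlan0
not an ipfw line at all
"""

LOG_RE = re.compile(
    r"ipfw: (?P<rule>\d+) (?P<action>\w+) (?P<proto>\w+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"(?P<direction>in|out) via (?P<iface>\S+)"
)


def classify_dst(dst, lan):
    """Label a destination as limited broadcast, directed broadcast
    for the given LAN prefix, multicast, or plain unicast."""
    addr = ipaddress.ip_address(dst)
    net = ipaddress.ip_network(lan, strict=False)
    if addr == ipaddress.ip_address("255.255.255.255"):
        return "limited-broadcast"
    if addr == net.broadcast_address:
        return "directed-broadcast"
    if addr.is_multicast:
        return "multicast"
    return "unicast"


def summarize(log_text, lan="192.168.1.0/24"):
    """Count logged packets by (rule, source, destination class, dst port).
    Lines that do not parse as ipfw log output are skipped."""
    counts = Counter()
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if not m:
            continue
        key = (int(m["rule"]), m["src"], classify_dst(m["dst"], lan), int(m["dport"]))
        counts[key] += 1
    return counts


if __name__ == "__main__":
    for (rule, src, kind, dport), n in sorted(summarize(SAMPLE_LOG).items()):
        print(f"rule {rule}: {src} -> {kind} port {dport}: {n} packets")
```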