Date: Thu, 17 Sep 2020 22:07:11 -0700
From: Kevin Oberman <rkoberman@gmail.com>
To: Shane Ambler <FreeBSD@shaneware.biz>
Cc: "freebsd-questions@freebsd.org" <questions@freebsd.org>
Subject: Re: ipfw matching traffic to broadcast (255.255.255.255)
Message-ID: <CAN6yY1vFCsoQt88fCz5n0dr05%2BTACOgYKgDS5s5Okqo4su-ePA@mail.gmail.com>
In-Reply-To: <f0b8e469-4e18-faf3-9607-077bccdb84d2@ShaneWare.Biz>
References: <CAN6yY1uaRUJK9GnpM6jhhs2fauj2063VqGh2VUktP3Z2zVumTA@mail.gmail.com> <f0b8e469-4e18-faf3-9607-077bccdb84d2@ShaneWare.Biz>

On Tue, Sep 15, 2020 at 1:02 AM Shane Ambler <FreeBSD@shaneware.biz> wrote:

> On 12/9/20 7:07 am, Kevin Oberman wrote:
> > I am seeing traffic from my cell phone to the broadcast address that I
> > would like to block. I added a rule:
> > 3220 deny udp from 192.168.1.18 9050 to any
> > It shows no packet ever match even though I see many logged by my catch-all
> > rule: 5999 deny log udp from any to any
> > ipfw: 5999 Deny UDP 192.168.1.18:9050 255.255.255.255:9050 in via wlan0
> >
> > Why is the 3220 rule not matching the packets I see logged by 3220?
>
> While man ipfw says that " 'any' matches any IP address", you should
> note that a broadcast address is a special IP address which means every
> IP in the subnet.
>
> I had trouble getting a minidlna server to respond on my home network,
> the dlna client broadcasts on a udp port to discover servers, to get it
> through my firewall I needed to specifically allow packets to the
> broadcast address rather than to any.
>
> This worked for me -
>
> ipfw add 5880 pass udp from any to 239.255.255.250 dst-port 1900
>
> So try
>
> ipfw add 3220 deny udp from 192.168.1.18 9050 to 255.255.255.255 9050
>
> or to account for dynamic addresses
>
> ipfw add 3220 deny udp from any to 255.255.255.255 9050
>
> --
> FreeBSD - the place to B...Silencing Data
>
> Shane Ambler
>

Yes, this is exactly how I resolved the issue. Actually, I used "ipfw add
3220 deny udp from 192.168.1.18 9050 to 255.255.255.255". Works fine.

Maybe a small update to the doc would be in order.
--
Kevin Oberman, Part time kid herder and retired Network Engineer
E-mail: rkoberman@gmail.com
PGP Fingerprint: D03FB98AFA78E3B78C1694B318AB39EF1B055683
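
An added example, not part of the thread or of ipfw itself: a small parser for ipfw log lines in the format quoted above. It tallies which rule number logged each flow and classifies the destination, so broadcast and multicast traffic that only the catch-all rule is catching stands out. The 192.168.1.0/24 subnet, the function names and every sample line except the first are assumptions made for the example.

```python
import ipaddress
import re
from collections import Counter

# Log format as quoted in the thread, from "ipfw:" onward (TCP/UDP lines with ports).
LOG_RE = re.compile(
    r"ipfw: (?P<rule>\d+) (?P<action>\w+) (?P<proto>\w+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"(?P<dir>in|out) via (?P<iface>\S+)"
)

def dst_kind(dst, net):
    """Classify a destination address relative to the local subnet."""
    addr = ipaddress.ip_address(dst)
    if str(addr) == "255.255.255.255":
        return "limited-broadcast"
    if addr == net.broadcast_address:
        return "directed-broadcast"
    if addr.is_multicast:
        return "multicast"
    return "unicast"

def summarize(lines, local_net="192.168.1.0/24"):  # the /24 is an assumption
    """Count logged packets per (rule, action, src, dst, dport, kind)."""
    net = ipaddress.ip_network(local_net)
    hits = Counter()
    for line in lines:
        m = LOG_RE.search(line)
        if m is None:
            continue  # not an ipfw TCP/UDP log line
        hits[(int(m["rule"]), m["action"], m["src"], m["dst"],
              int(m["dport"]), dst_kind(m["dst"], net))] += 1
    return hits

def non_unicast(hits):
    """Flows to broadcast/multicast destinations, most frequent first."""
    return [(k, n) for k, n in hits.most_common() if k[5] != "unicast"]

# Constructed sample: the first line is the one quoted in the thread; the
# timestamps, host name and other addresses are made up for this example.
SAMPLE = [
    "ipfw: 5999 Deny UDP 192.168.1.18:9050 255.255.255.255:9050 in via wlan0",
    "Sep 11 14:07:01 host kernel: ipfw: 5999 Deny UDP 192.168.1.18:9050 255.255.255.255:9050 in via wlan0",
    "Sep 11 14:07:02 host kernel: ipfw: 5999 Deny UDP 192.168.1.40:1900 239.255.255.250:1900 in via wlan0",
    "Sep 11 14:07:03 host kernel: ipfw: 5999 Deny UDP 192.168.1.40:137 192.168.1.255:137 in via wlan0",
    "Sep 11 14:07:04 host kernel: ipfw: 5999 Deny UDP 192.168.1.40:5353 192.168.1.1:53 in via wlan0",
]

if __name__ == "__main__":
    for key, count in non_unicast(summarize(SAMPLE)):
        print(count, key)
```
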