From owner-freebsd-questions@freebsd.org Fri Sep 18 05:07:31 2020
From: Kevin Oberman
Date: Thu, 17 Sep 2020 22:07:11 -0700
Subject: Re: ipfw matching traffic to broadcast (255.255.255.255)
To: Shane Ambler
Cc: "freebsd-questions@freebsd.org"

On Tue, Sep 15, 2020 at 1:02 AM Shane Ambler wrote:

> On 12/9/20 7:07 am, Kevin Oberman wrote:
> > I am seeing traffic from my cell phone to the broadcast address that I
> > would like to block. I added a rule:
> > 3220 deny udp from 192.168.1.18 9050 to any
> > It shows no packet ever match even though I see many logged by my catch-all
> > rule: 5999 deny log udp from any to any
> > ipfw: 5999 Deny UDP 192.168.1.18:9050 255.255.255.255:9050 in via wlan0
> >
> > Why is the 3220 rule not matching the packets I see logged by 3220?
>
> While man ipfw says that " 'any' matches any IP address", you should
> note that a broadcast address is a special IP address which means every
> IP in the subnet.
>
> I had trouble getting a minidlna server to respond on my home network,
> the dlna client broadcasts on a udp port to discover servers, to get it
> through my firewall I needed to specifically allow packets to the
> broadcast address rather than to any.
>
> This worked for me -
>
> ipfw add 5880 pass udp from any to 239.255.255.250 dst-port 1900
>
> So try
>
> ipfw add 3220 deny udp from 192.168.1.18 9050 to 255.255.255.255 9050
>
> or to account for dynamic addresses
>
> ipfw add 3220 deny udp from any to 255.255.255.255 9050
>
> --
> FreeBSD - the place to B...Silencing Data
>
> Shane Ambler
>

Yes, this is exactly how I resolved the issue. Actually, I used "ipfw add 3220 deny udp from 192.168.1.18 9050 to 255.255.255.255". Works fine. Maybe a small update to the doc would be in order.
--
Kevin Oberman, Part time kid herder and retired Network Engineer
E-mail: rkoberman@gmail.com
PGP Fingerprint: D03FB98AFA78E3B78C1694B318AB39EF1B055683