Date:      Thu, 17 Sep 2020 22:07:11 -0700
From:      Kevin Oberman <rkoberman@gmail.com>
To:        Shane Ambler <FreeBSD@shaneware.biz>
Cc:        "freebsd-questions@freebsd.org" <questions@freebsd.org>
Subject:   Re: ipfw matching traffic to broadcast (255.255.255.255)
Message-ID:  <CAN6yY1vFCsoQt88fCz5n0dr05%2BTACOgYKgDS5s5Okqo4su-ePA@mail.gmail.com>
In-Reply-To: <f0b8e469-4e18-faf3-9607-077bccdb84d2@ShaneWare.Biz>
References:  <CAN6yY1uaRUJK9GnpM6jhhs2fauj2063VqGh2VUktP3Z2zVumTA@mail.gmail.com> <f0b8e469-4e18-faf3-9607-077bccdb84d2@ShaneWare.Biz>

On Tue, Sep 15, 2020 at 1:02 AM Shane Ambler <FreeBSD@shaneware.biz> wrote:

> On 12/9/20 7:07 am, Kevin Oberman wrote:
> > I am seeing traffic from my cell phone to the broadcast address that I
> > would like to block. I added a rule:
> > 3220 deny udp from 192.168.1.18 9050 to any
> > It shows no packet ever match even though I see many logged by my catch-all
> > rule: 5999 deny log udp from any to any
> > ipfw: 5999 Deny UDP 192.168.1.18:9050 255.255.255.255:9050 in via wlan0
> >
> > Why is the 3220 rule not matching the packets I see logged by 3220?
>
> While man ipfw says that "'any' matches any IP address", you should
> note that a broadcast address is a special IP address which means every
> IP in the subnet.
>
> I had trouble getting a minidlna server to respond on my home network,
> the dlna client broadcasts on a udp port to discover servers, to get it
> through my firewall I needed to specifically allow packets to the
> broadcast address rather than to any.
>
> This worked for me -
>
> ipfw add 5880 pass udp from any to 239.255.255.250 dst-port 1900
>
> So try
>
> ipfw add 3220 deny udp from 192.168.1.18 9050 to 255.255.255.255 9050
>
> or to account for dynamic addresses
>
> ipfw add 3220 deny udp from any to 255.255.255.255 9050
>
> --
> FreeBSD - the place to B...Silencing Data
>
> Shane Ambler
>
Yes, this is exactly how I resolved the issue. Actually, I used "ipfw add
3220 deny udp from 192.168.1.18 9050 to 255.255.255.255". Works fine. Maybe
a small update to the doc would be in order.
--
Kevin Oberman, Part time kid herder and retired Network Engineer
E-mail: rkoberman@gmail.com
PGP Fingerprint: D03FB98AFA78E3B78C1694B318AB39EF1B055683


