[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Iptables generic broadcast filter

On Wed, Nov 13, 2002 at 02:46:50PM +0100, Alex Ongena wrote:
> I want to drop all broadcasts on INPUT in a generic way
> without knowing in advance on which subnet/netmask my
> appliance is.
> something like:
> # iptables -A INPUT -d *.*.*.255 -j DROP
> # iptables -A INPUT -d *.*.255.255 -j DROP
> # iptables -A INPUT -d *.255.255.255 -j DROP
> where * is a wildcard matching any ip.
> Is this possible with iptables 1.2.7a ?
Well, you first have to figure out what broadcast is.
*.255 is definetely *NOT* a broadcast address.
There is no way to see if an ip address is meant for broadcast,
that is up to the local net administrator. (Even if you know your
netmask, it still does not tell you the broadcast address).

The only way to test for broadcasts, is to look if the
destination mac-address is ff:ff:ff:ff:ff:ff.
There are a lot of people that get a .255 address on dialup

mail          up    2+01:28,     2 users,  load 0.00, 0.02, 0.02
mistar1       up    2+01:25,     6 users,  load 0.00, 0.00, 0.00
Let your government know you value your freedom: sign the petition:

Reply to: