Re: Iptables generic broadcast filter

To: Alex Ongena <Alex.Ongena@able.be>
Cc: Debian Firewall <debian-firewall@lists.debian.org>
Subject: Re: Iptables generic broadcast filter
From: Ard van Breemen <ard@kwaak.net>
Date: Mon, 18 Nov 2002 13:05:52 +0100
Message-id: <20021118120552.GA16593@kwaak.net>
In-reply-to: <1037195210.939.16.camel@aolin>
References: <1037195210.939.16.camel@aolin>

On Wed, Nov 13, 2002 at 02:46:50PM +0100, Alex Ongena wrote:
> I want to drop all broadcasts on INPUT in a generic way
> without knowing in advance on which subnet/netmask my
> appliance is.
> 
> something like:
> 
> # iptables -A INPUT -d *.*.*.255 -j DROP
> # iptables -A INPUT -d *.*.255.255 -j DROP
> # iptables -A INPUT -d *.255.255.255 -j DROP
> 
> where * is a wildcard matching any ip.
> 
> Is this possible with iptables 1.2.7a ?
Well, you first have to figure out what broadcast is.
*.255 is definetely *NOT* a broadcast address.
There is no way to see if an ip address is meant for broadcast,
that is up to the local net administrator. (Even if you know your
netmask, it still does not tell you the broadcast address).

The only way to test for broadcasts, is to look if the
destination mac-address is ff:ff:ff:ff:ff:ff.
There are a lot of people that get a .255 address on dialup
connections.

-- 
mail          up    2+01:28,     2 users,  load 0.00, 0.02, 0.02
mistar1       up    2+01:25,     6 users,  load 0.00, 0.00, 0.00
Let your government know you value your freedom: sign the petition:
http://petition.eurolinux.org

Reply to:

References:
- Iptables generic broadcast filter
  - From: Alex Ongena <Alex.Ongena@able.be>

Prev by Date: NetFilter connection tracking
Next by Date: Re: policy DROP and 1 rule
Previous by thread: Re: Iptables generic broadcast filter
Next by thread: Firewall bases on iptables for a laptop or PC at work/home
Index(es):
- Date
- Thread