Re: IPF 4.1 does not block broadcasts

> From: Hans Werner Strube

> > From Guido van Rooij Wed Feb 18 11:32:16 2004
>
> > On Wed, Feb 18, 2004 at 11:05:56AM +0100, Hans Werner Strube wrote:
> > > With rules
> > >
> > > block in log on elxl0 all
> > > pass in quick on elxl0 proto tcp from x.y.z.0/24 to x.y.z.h/32 flags S keep state
> > >
> > > on ipf host x.y.z.h, broadcasts from other hosts in subnet x.y.z.0 to x.y.z.255
> > > (the broadcast address of subnet x.y.z.0) are blocked and logged with ipf
> > > 3.4.33 but neither blocked nor logged with 4.1. Bug or feature?
> > > (OS: Solaris 7)
> >
> > >From what I've seen, the logic in both versions of ipfilter is equal.
> >
> > Your block rule does not have quick. Are you sure that your default
> > is not to pass? (look with ipf -V)
>
> This is just a toy configuration with no other essential rules,
> and I compared 3.4.33 and 4.1 on the same machine with the same rules
> (of course, after deinstalling the first and installing the other one).
> Both show "Default: pass all, Logging: available" with ipf -V
> but only the explicitly given rules with ipfstat -i .
> In 4.1, I now added another rule
> block in log quick on elxl0 all
> after the two given ones, but the broadcasts are still passed and not logged.

Sorry, I mixed this up a little. The broadcasts were UDP (e.g., from rup or
rusers), thus the pertinent rules were
block in log on elxl0 all
pass in quick on elxl0 proto udp from x.y.z.0/24 to x.y.z.h/32 keep state
(plus later:)
block in log quick on elxl0 all
But apart of the form of the second rule, this does not change what I
reported.
When I added a rule
pass in quick on elxl0 proto udp from x.y.z.0/24 to x.y.z.255/32 keep state
the broadcasts were passed in 3.4.33, whereas with ipf 4.1, this rule was not
required.