Broadcast blocked by the firewall ?

Hi,

I am trying to broadcast some UDP packets on my local networks, but they seem to be blocked by the firewall. Here is an example of a packet that was blocked. I don't understand what to do in order to allow them.

Date=2017-08-08 Time=01:05:11 log_id=0103021 log_type=Firewall log_component=Local_ACLs log_subtype=Denied log_status=N/A log_priority=Alert duration=N/A in_dev=Port2 out_dev= inzone_id=1 outzone_id=4 source_mac=d2:d7:3d:49:54:21 dest_mac=ff:ff:ff:ff:ff:ff l3_protocol=IP source_ip=10.0.0.42 dest_ip=10.0.0.255 l4_protocol=UDP source_port=54709 dest_port=1051 fw_rule_id=0 policytype=0 live_userid=0 userid=0 user_gp=0 ips_id=0 sslvpn_id=0 web_filter_id=0 hotspot_id=0 hotspotuser_id=0 hb_src=0 hb_dst=0 dnat_done=0 proxy_flags=0 icap_id=0 app_filter_id=0 app_category_id=0 app_id=0 category_id=0 bandwidth_id=0 up_classid=0 dn_classid=0 source_nat_id=0 cluster_node=0 inmark=0x0 nfqueue=0 scanflags=0 gateway_offset=0 max_session_bytes=0 drop_fix=0 ctflags=0 connid=1035820352 masterid=0 status=256 state=0 sent_pkts=N/A recv_pkts=N/A sent_bytes=N/A recv_bytes=N/A tran_src_ip=N/A tran_src_port=N/A tran_dst_ip=N/A tran_dst_port=N/A

Thanks.

  • Hi grotoc,

    Typically a broadcast packet is blocked by any firewall; that is the primary purpose of a router/firewall, to stop broadcasts, unless you need that broadcast packet to traverse inter-zone.

    You could create a firewall policy so that the broadcast packet is not blocked by the firewall as it sends its broadcast to other network segments.

    Regards,

    Rap

  • Yes, from what I read here I saw that the firewall blocks broadcast packets between different zones, but in my example the hosts are in the same zone (LAN). I tried to create a rule in the firewall and place it on top, but it seems the rule is never reached. What am I missing?

  • This is the kind of rule that I set on top:

    Rule

    Accept "UDP" service going to "LAN" zone, when in "LAN" zone, and coming from any network, then apply log connections

    Source & Schedule
    LAN

    Source Networks and Devices : Any
    During Scheduled Time : All the Time

    Destination & Services
    LAN

    Destination Networks : 10.0.0.255,10.0.0.0/32
    Services : UDP

  • I'm really stuck with this. I would appreciate some help.

    Thanks.

  • Grotoc,

    If you are sure that this is broadcast traffic, firewall rules will simply not help. Layer 3 blocks broadcast. On the firewall you can allow ARP to pass across an interface to reach another interface, because the same network is spread across 2 different NICs.

    See this KB:

    https://community.sophos.com/kb/en-us/123525

    You can allow proxy ARP using the KB.

    If you are not trying to allow broadcast across interfaces, this is traffic blocked by XG itself, because it listens on every interface and for it that traffic is treated as blocked. It is not an issue.

    What Sophos should allow us to do is skip logging for broadcast traffic.

    Regards
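
The posted log line (question above) and the last reply's explanation that it is a Local_ACLs drop by the appliance itself suggest a triage step a defender would want: parse SFOS key=value log lines, recognise local-ACL drops of broadcast packets, and keep them apart from denials that merit a look, which is roughly the "skip logging for broadcast" filtering the reply asks for, done after the fact. The following is an added example, not Sophos code and not written by anyone in the thread. The field names are those visible in the posted line; the first sample line is that line cut down, the other sample lines and the 10.0.0.0/24 mask are constructed assumptions, since the thread only shows 10.0.0.42 and 10.0.0.255.

```python
"""Triage Sophos XG (SFOS) firewall log lines written as key=value pairs.

Added example, not Sophos code. Field names follow the line posted in the
question; the local subnet mask and all sample lines but the first are
constructed assumptions.
"""
import ipaddress
import shlex
from collections import Counter

# Assumed local subnet (the thread never states a mask).
LOCAL_NETWORKS = [ipaddress.ip_network("10.0.0.0/24")]
BROADCAST_MAC = "ff:ff:ff:ff:ff:ff"
LIMITED_BROADCAST = ipaddress.ip_address("255.255.255.255")

# Constructed sample input. The first line is the one from the question, cut
# down to the fields used here; the rest are made up to exercise each outcome.
SAMPLE_LOGS = [
    "Date=2017-08-08 Time=01:05:11 log_id=0103021 log_type=Firewall "
    "log_component=Local_ACLs log_subtype=Denied in_dev=Port2 out_dev= "
    "source_mac=d2:d7:3d:49:54:21 dest_mac=ff:ff:ff:ff:ff:ff l3_protocol=IP "
    "source_ip=10.0.0.42 dest_ip=10.0.0.255 l4_protocol=UDP "
    "source_port=54709 dest_port=1051 fw_rule_id=0",
    # Limited broadcast (DHCP discover style), also dropped by the local ACL.
    "Date=2017-08-08 Time=01:05:12 log_type=Firewall log_component=Local_ACLs "
    "log_subtype=Denied in_dev=Port2 out_dev= dest_mac=ff:ff:ff:ff:ff:ff "
    "source_ip=0.0.0.0 dest_ip=255.255.255.255 l4_protocol=UDP "
    "source_port=68 dest_port=67 fw_rule_id=0",
    # Unicast to the appliance's own address: a local ACL drop worth reviewing.
    "Date=2017-08-08 Time=01:06:40 log_type=Firewall log_component=Local_ACLs "
    "log_subtype=Denied in_dev=Port2 out_dev= dest_mac=00:1a:8c:00:00:01 "
    "source_ip=10.0.0.42 dest_ip=10.0.0.1 l4_protocol=TCP "
    "source_port=50123 dest_port=22 fw_rule_id=0",
    # Inter-zone unicast that matched no rule: a firewall-rule denial.
    "Date=2017-08-08 Time=01:07:02 log_type=Firewall "
    "log_component=Firewall_Rule log_subtype=Denied in_dev=Port2 out_dev=Port1 "
    "source_ip=10.0.0.42 dest_ip=192.0.2.10 l4_protocol=TCP "
    "source_port=50124 dest_port=445 fw_rule_id=0",
    # Ordinary permitted flow.
    "Date=2017-08-08 Time=01:07:05 log_type=Firewall "
    "log_component=Firewall_Rule log_subtype=Allowed in_dev=Port2 out_dev=Port1 "
    "source_ip=10.0.0.42 dest_ip=192.0.2.10 l4_protocol=TCP "
    "source_port=50125 dest_port=443 fw_rule_id=3",
]


def parse_sfos_log(line):
    """Split one key=value line into a dict. shlex keeps quoted values whole;
    an empty value such as 'out_dev=' becomes ''; tokens without '=' are dropped."""
    fields = {}
    for token in shlex.split(line):
        key, sep, value = token.partition("=")
        if sep:
            fields[key] = value
    return fields


def is_broadcast(fields, local_networks=LOCAL_NETWORKS):
    """True if the packet was addressed to every host on the segment, either at
    layer 2 (broadcast MAC) or at layer 3 (limited or directed broadcast)."""
    if fields.get("dest_mac", "").lower() == BROADCAST_MAC:
        return True
    try:
        dst = ipaddress.ip_address(fields.get("dest_ip", ""))
    except ValueError:
        return False
    if dst == LIMITED_BROADCAST:
        return True
    return any(dst == net.broadcast_address for net in local_networks)


def classify(fields):
    """Label a parsed entry. Local_ACLs denials are the appliance protecting
    itself; a broadcast one is expected noise, a unicast one may be a probe."""
    component = fields.get("log_component")
    subtype = fields.get("log_subtype")
    if subtype == "Allowed":
        return "allowed"
    if component == "Local_ACLs" and subtype == "Denied":
        return "local-acl-broadcast-drop" if is_broadcast(fields) else "local-acl-unicast-drop"
    if subtype == "Denied":
        return "rule-denied"
    return "other"


def triage(lines, suppress=("local-acl-broadcast-drop",)):
    """Count every label, then return the entries left after suppressing the
    labels in `suppress` (by default only the broadcast noise)."""
    counts = Counter()
    kept = []
    for line in lines:
        fields = parse_sfos_log(line)
        label = classify(fields)
        counts[label] += 1
        if label not in suppress:
            kept.append((label, fields))
    return counts, kept


if __name__ == "__main__":
    counts, kept = triage(SAMPLE_LOGS)
    print(dict(counts))
    for label, f in kept:
        print(f"{label:26} {f['source_ip']}:{f['source_port']} -> {f['dest_ip']}:{f['dest_port']}")
```

Run against a real export, the `kept` list is what remains worth reading once the broadcast drops from the question are set aside; a unicast Local_ACLs denial to the appliance's own address is still reported, since that is the case a defender would not want silenced.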