broadcasts from 0.0.0.0

I've had no success not loggin broadcasts from 0.0.0.0 port 68 to 255.255.255.255 port 67.

Am I missing something I have a simple setup. Basically I let all traffic from my local go out since I'm a single user behind ASL.

Can't I just add as my first rule
From: 0.0.0.0 to any service to any server drop?

Having my log file go to over 7megs in 50minutes with all the entries being from 0.0.0.0 is way to much for my little harddrive to handle.

Parents

0 Gert Hansen over 23 years ago

Hi gsarsons,

this behavior comes due to the fact that the linux kernel has several chains where it filters packets.

The normal rules Any ... Any or so go to the forward chain.

but Broadcast packets were matched in the input chain, because they are addressd to the Firewall directly.

To get rid of the messages define a network
'glocal broadcast' '255.255.255.255' '255.255.255.255'
and add a packetfilter rule

'Any' 'Any' 'global broadcast' 'drop' and they are gone.
Because filter rules having an interface ip or an broadcast address are send to the input chain.

I hop that helps

kind regards
gert
Cancel
Vote Up 0 Vote Down

Sign in to reply

Verify Answer

Cancel

Reply

0 Gert Hansen over 23 years ago

Hi gsarsons,

this behavior comes due to the fact that the linux kernel has several chains where it filters packets.

The normal rules Any ... Any or so go to the forward chain.

but Broadcast packets were matched in the input chain, because they are addressd to the Firewall directly.

To get rid of the messages define a network
'glocal broadcast' '255.255.255.255' '255.255.255.255'
and add a packetfilter rule

'Any' 'Any' 'global broadcast' 'drop' and they are gone.
Because filter rules having an interface ip or an broadcast address are send to the input chain.

I hop that helps

kind regards
gert
Cancel
Vote Up 0 Vote Down

Sign in to reply

Verify Answer

Cancel

Children

0 gsarsons over 23 years ago in reply to Gert Hansen

tks that worked perfectly!!! Now my log file is not going crazy and my CPU utilization is way way down.

tks again

Greg
Cancel
Vote Up 0 Vote Down

Sign in to reply

Verify Answer

Cancel
0 gsarsons over 23 years ago in reply to gsarsons

Hmmmm... interesting last night after I was successfull at kill all the broadcasts I did a backup and saved it. This morning all was well and decided to enable SOCKS so I could play with it. I saved that backup as well. This afternoon I rebooted the ASL box and when it came back up it was no longer not logging the broadcast messages. Checked the rules etc and all seemed fine so I imported the backup I did last night. No luck.

So the broadcasts are being logged and the CPU usage is back up.

Greg
Cancel
Vote Up 0 Vote Down

Sign in to reply

Verify Answer

Cancel
0 gsarsons over 23 years ago in reply to gsarsons

Something else .... Since I had no luck enabling or disabling the rule that blocked the broadcast (or moving it) I decided to disable it and add the rule again.

So I added the exact same rule to the packet filter and it worked. Not sure why this would not work after the import of the rule or a reboot. Me reentering a rule which is already on the list is strange.

Greg
Cancel
Vote Up 0 Vote Down

Sign in to reply

Verify Answer

Cancel
0 Gert Hansen over 23 years ago in reply to gsarsons

Hi gsarsons,

sounds strange/
thanks for the information,
i will check it and keep you informed.

kind regards

gert
Cancel
Vote Up 0 Vote Down

Sign in to reply

Verify Answer

Cancel