accidentally forwarding broadcasts, better ways to avoid?
On a small home network I was using this rule:
pass in quick on $if_lan from ($if_lan:network) to !($if_lan:network) route-to ($if_egress $gw_egress)
on the premise that I'm trusting my interior clients when they make an outbound
I'm suspecting that this is also NATting DHCP offers (which broadcast to
255.255.255.255) out the egress interface, a disaster.
Is there a better way to write "!($if_lan:network)" to avoid matching
broadcasts? Or a nice way to preempt this rule to intercept broadcasts, or
perhaps better still "addresses that would deliver to the local machine"?
Presently I've put in an earlier rule matching 255.255.255.255 and also the
local LAN broadcast address, but it feels a little ... hardwired.
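As an added example, not part of the original post or anyone's reply to it, here is one way to express "things that deliver locally" in pf.conf without hardwiring the addresses. It uses the `self` keyword (all addresses on the local machine's interfaces), the `:broadcast` interface modifier (the directed broadcast address of that interface's network, computed by pf), and the limited-broadcast and multicast ranges, collected into a macro; the macro name `$local_dests` is an assumption, the other macros are the poster's. The multicast range goes beyond what the post discusses, but it is matched by `!($if_lan:network)` for the same reason 255.255.255.255 is, since neither lies inside the LAN prefix.

```pf
# Added example, not from the original post. $if_lan, $if_egress and
# $gw_egress are the poster's macros; $local_dests is an assumed name.
#
# Destinations that should never be pushed out the egress interface:
#   self                 every address configured on this machine
#   ($if_lan:broadcast)  the LAN's directed broadcast, derived from the
#                        interface's own netmask (no hand-coded address)
#   255.255.255.255      limited broadcast (DHCP discover/offer traffic)
#   224.0.0.0/4          IPv4 multicast (mDNS, SSDP, routing protocols)
local_dests = "{ self, ($if_lan:broadcast), 255.255.255.255, 224.0.0.0/4 }"

# Catch local-delivery traffic first. "quick" stops evaluation here, so
# the route-to rule below never sees it.
pass in quick on $if_lan inet from ($if_lan:network) to $local_dests

# Only now forward genuinely foreign destinations via the egress gateway.
pass in quick on $if_lan inet from ($if_lan:network) to !($if_lan:network) \
    route-to ($if_egress $gw_egress)
```

After loading, `pfctl -sr` shows the list expanded into one rule per destination and `pfctl -vsr` shows the `($if_lan:broadcast)` entry already resolved to the concrete address, which is the easiest way to confirm that the interface modifier did what you expect. If the LAN address or netmask changes, the parenthesised form means the broadcast address follows it without a reload; the 255.255.255.255 entry is the one truly fixed constant, which is unavoidable since it is not derivable from any interface.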