accidentally forwarding broadcasts, better ways to avoid?

Cameron Simpson
On a small home network I was using this rule:

  pass in quick on $if_lan from ($if_lan:network) to !($if_lan:network) route-to ($if_egress $gw_egress)

on the premise that I'm trusting my interior clients when they make an outbound
connection.

I'm suspecting that this is also NATting DHCP offers (which broadcast to
255.255.255.255) out the egress interface, a disaster.

Is there a better way to write "!($if_lan:network)" to avoid matching
broadcasts?  Or a nice way to preempt this rule to intercept broadcasts, or
perhaps better still "addresses that would deliver to the local machine"?

Presently I've put in an earlier rule matching 255.255.255.255 and also the
local LAN broadcast address, but it feels a little ... hardwired.

Any suggestions?

Cheers,
Cameron Simpson <[hidden email]>
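One way to keep broadcast, multicast and locally-delivered traffic from ever reaching the route-to rule, as an added example that is not part of the original post. It assumes the $if_lan, $if_egress and $gw_egress macros from the post and OpenBSD-style pf.conf syntax; the port lists are placeholders to be narrowed to the services the router actually offers.

```pf
# Added example, not from the original post. Macros $if_lan, $if_egress and
# $gw_egress are assumed to be defined as in the post.

# 1. Traffic that must be delivered locally is handled first. "($if_lan:broadcast)"
#    is the LAN's own directed broadcast address, tracked if the interface
#    address changes; "self" expands to every address on every interface of
#    the router. Pass only the services this host really provides (here DHCP
#    and DNS as examples) rather than everything addressed to the router.
pass in quick on $if_lan inet proto udp from any \
    to { 255.255.255.255, ($if_lan:broadcast) } port bootps
pass in quick on $if_lan inet proto { tcp udp } from ($if_lan:network) \
    to self port domain

# 2. Any other broadcast or multicast destination is dropped here with "quick",
#    so it cannot fall through to the forwarding rule. Drop the 224.0.0.0/4
#    entry if the LAN relies on multicast services such as mDNS.
block in quick on $if_lan inet from any \
    to { 255.255.255.255, ($if_lan:broadcast), 224.0.0.0/4 }

# 3. The original forwarding rule, now reached only by unicast traffic that
#    is genuinely leaving the LAN.
pass in quick on $if_lan from ($if_lan:network) to !($if_lan:network) \
    route-to ($if_egress $gw_egress)
```

`pfctl -nf /etc/pf.conf` checks the syntax without loading the rules, and `pfctl -sr` lists the loaded ruleset in evaluation order, which is what matters once every rule carries `quick`.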