Bugtraq mailing list archives
Re: ICMP ECHO_REQUEST on BROADCAST--HOWTO Filter!
From: glen.turner () ITD ADELAIDE EDU AU (Glen Turner)
Date: Wed, 23 Jul 1997 12:10:19 +0930
Michael Douglass wrote:
> From: Edward Henigin <ed () texas net>
> To: Michael Douglass <mikedoug () texas net>
> Subject: broadcast filtering HOWTO
>
> ... I've just been made aware of a command for ciscos, 'ip directed-broadcast'. Specifically, the 'no' form of the command will not convert broadcast packets (all ones, I think) into broadcast ethernet packets, on the final, directly connected interface.
>
> From cisco's online documentation:
>
>   To enable the translation of directed broadcast to physical broadcasts, use the ip directed-broadcast interface configuration command. To disable this function, use the no form of this command.
>
> What I take this to mean is that 'no ip directed-broadcast' will prevent the mapping of broadcast packets (I don't know what your cisco will guess 'broadcast packets' are) to broadcast ethernet framing. I think this will help... although I don't know all the ramifications, because I haven't used it, and don't know anyone who has.
Which is right as far as it goes. The command only prevents the mapping for protocols maintained for broadcast forwarding by the `ip forward-protocol' command (UDP protocols TFTP, DNS, time, NetBIOS, BOOTP, TACACS by default). Broadcast forwarding is useful for allowing IP subnets without servers to see server advertisements. For example, broadcast forwarding allows a single NetBIOS server to serve a multiple-subnet network. The real purpose of the `ip directed-broadcast' command is to allow the filtering of server visibility and reachability (for example, allowing departmentally-maintained BOOTP servers). It does not prevent translation of a generic 'ping 1.2.3.255' to an ethernet broadcast.
> And a final note: there are very few applications which depend on the routing of broadcast packets. You may know of one such application; if it's a popular one that you think lots of people are using, speak up. So you should feel safe in blocking broadcast traffic in your network.
BOOTP and DHCP are obvious applications that rely on directed broadcast forwarding. In a large modern IP network, you really need one of these two protocols.

Cheers, glen

--
glen.turner () itd adelaide edu au       Network Support Specialist
Tel: (08) 8303 3936                      Information Technology Division
Fax: (08) 8303 4400                      University of Adelaide SA 5005
...- -.- ..... --. -.. -                 http://www.adelaide.edu.au/~gturner
-- A university is a loosely-coupled organisation --
-- held together by a common interest in parking. --
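The configuration below is an added illustration of the commands discussed in this thread; it is not from either poster and was not part of the original archive. It shows the two knobs side by side: the global `ip forward-protocol udp` list, trimmed so that only BOOTP/DHCP broadcasts are still forwarded (the default list also carries TFTP, DNS, time, NetBIOS and TACACS), and a LAN interface with `no ip directed-broadcast` plus an `ip helper-address` so that DHCP clients on that subnet can still reach a DHCP server elsewhere. Because the thread's subject is ICMP echo to the broadcast address, an access list that drops echo requests aimed at that subnet's broadcast address is applied inbound on the upstream interface as well. The interface names, the 192.0.2.0/24 subnet and the helper address 198.51.100.10 are assumed, documentation-range values.

```cisco
! Added example, not from the original posts. Addresses and interface
! names are assumed.
!
! Global: keep UDP broadcast forwarding, but only for BOOTP/DHCP (udp/67).
! The default list also forwards tftp, domain, time, netbios-ns,
! netbios-dgm and tacacs; each is removed explicitly.
ip forward-protocol udp bootps
no ip forward-protocol udp tftp
no ip forward-protocol udp domain
no ip forward-protocol udp time
no ip forward-protocol udp netbios-ns
no ip forward-protocol udp netbios-dgm
no ip forward-protocol udp tacacs
!
! Drop ICMP echo requests addressed to the LAN's subnet broadcast address
! (and the all-ones broadcast) before they reach the LAN interface.
access-list 101 deny   icmp any host 192.0.2.255 echo
access-list 101 deny   icmp any host 255.255.255.255 echo
access-list 101 permit ip any any
!
! Upstream interface: apply the filter inbound.
interface Serial0
 ip access-group 101 in
!
! LAN interface: do not turn directed broadcasts into Ethernet broadcasts,
! but relay DHCP/BOOTP client broadcasts to the assumed DHCP server.
interface Ethernet0
 ip address 192.0.2.1 255.255.255.0
 no ip directed-broadcast
 ip helper-address 198.51.100.10
```

To confirm the interface setting took effect, `show ip interface Ethernet0` reports "Directed broadcast forwarding is disabled" and lists the helper address; `show access-lists 101` shows match counters climbing if anyone is sending echo requests to the broadcast address.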
Current thread:
- Re: ICMP ECHO_REQUEST on BROADCAST--HOWTO Filter! Glen Turner (Jul 22)
- Re: ICMP ECHO_REQUEST on BROADCAST--HOWTO Filter! Michael Shields (Jul 24)