[4991] in bugtraq


Re: ICMP ECHO_REQUEST on BROADCAST--HOWTO Filter!

daemon@ATHENA.MIT.EDU (Glen Turner)
Tue Jul 22 23:39:45 1997

Date: 	Wed, 23 Jul 1997 12:10:19 +0930
Reply-To: Glen Turner <glen.turner@ITD.ADELAIDE.EDU.AU>
From: Glen Turner <glen.turner@ITD.ADELAIDE.EDU.AU>
X-To:         Michael Douglass <mikedoug@TEXAS.NET>
To: BUGTRAQ@NETSPACE.ORG

Michael Douglass wrote:

> From: Edward Henigin <ed@texas.net>
> To: Michael Douglass <mikedoug@texas.net>
> Subject: broadcast filtering HOWTO
> ...
>         I've just been made aware of a command for ciscos,
> 'ip directed-broadcast'.  Specifically, the 'no' form of the command
> will not convert broadcast packets (all ones, I think) into broadcast
> ethernet packets, on the final, directly connected interface.  From
> cisco's online documentation:
>
>         To enable the translation of directed broadcast to physical
>         broadcasts, use the ip directed-broadcast interface
>         configuration command. To disable this function, use the no
>         form of this command.
>
>         What I take this to mean is that 'no ip directed-broadcast'
>         will prevent the mapping of broadcast packets (I don't know
> what your cisco will guess 'broadcast packets' are) to broadcast
> ethernet framing.  I think this will help... although I don't know all
> the ramifications, because I haven't used it, and don't know anyone
> who has.

Which is right as far as it goes.  The command only prevents the
mapping for protocols maintained for broadcast forwarding by the
`ip forward-protocol' command (UDP protocols TFTP, DNS, time, NetBIOS,
BOOTP, TACACS by default).  Broadcast forwarding is useful for allowing
IP subnets without servers to see server advertisements.  For example,
broadcast forwarding allows a single NetBIOS server to serve a
multiple-subnet network.

The real purpose of the `ip directed-broadcast' command is to
allow the filtering of server visibility and reachability
(for example, allowing departmentally-maintained BOOTP servers).

It does not prevent translation of a generic 'ping 1.2.3.255' to
an ethernet broadcast.

>         And a final note: there are very few applications which depend
> on the routing of broadcast packets.  You may know of one such
> application; if it's a popular one that you think lots of people are
> using, speak up.  So you should feel safe in blocking broadcast
> traffic in your network.

BOOTP and DHCP are obvious applications that rely on
directed broadcast forwarding.  In a large modern IP
network, you really need one of these two protocols.

Cheers,
glen

--
glen.turner@itd.adelaide.edu.au     Network Support Specialist
Tel: (08) 8303 3936            Information Technology Division
Fax: (08) 8303 4400             University of Adelaide SA 5005
...- -.- ..... --. -.. -   http://www.adelaide.edu.au/~gturner
    --  A university is a loosely-coupled organisation --
    --  held together by a common interest in parking. --
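
[Editor's note: the following Cisco IOS configuration fragment is an added
example and is not part of the original thread or of any poster's
configuration.  The interface names, addresses (10.1.2.0/24, 10.3.0.0/24,
server 10.9.9.10) and access-list number 101 are assumptions chosen for
illustration.  It shows a LAN interface in the amplifier-friendly state
beside the same interface hardened, and how BOOTP/DHCP relay via
`ip helper-address' survives the change.]

```cisco
! Added example, not from the post.  Addresses and names are assumed.
!
! Weak: on IOS releases of this era directed-broadcast translation was
! on by default, so an outside 'ping 10.1.2.255' is turned into an
! Ethernet broadcast and every host on the segment answers.
interface Ethernet0
 ip address 10.1.2.1 255.255.255.0
 ip directed-broadcast
!
! Hardened: refuse to translate directed broadcasts arriving for this
! subnet.  BOOTP/DHCP relay still works, because ip helper-address
! rewrites a client's broadcast into a unicast to 10.9.9.10, which needs
! no directed-broadcast translation on the server's interface.
interface Ethernet0
 ip address 10.1.2.1 255.255.255.0
 no ip directed-broadcast
 ip helper-address 10.9.9.10
!
! Only when the helper address is itself a subnet broadcast (10.3.0.255
! here, to reach several BOOTP servers on that segment) does the
! server-side interface need translation, and then it should be limited
! by an access list to the one UDP service actually relayed.
interface Ethernet1
 ip address 10.3.0.1 255.255.255.0
 ip directed-broadcast 101
!
access-list 101 permit udp any host 10.3.0.255 eq bootps
!
! ip helper-address forwards the UDP ports enabled by ip forward-protocol
! (TFTP 69, DNS 53, time 37, NetBIOS 137/138, BOOTP 67/68, TACACS 49 by
! default).  Keep only BOOTP so the relay cannot be used to spray other
! services at the broadcast address.
no ip forward-protocol udp 69
no ip forward-protocol udp 53
no ip forward-protocol udp 37
no ip forward-protocol udp 137
no ip forward-protocol udp 138
no ip forward-protocol udp 49
```

After applying the hardened configuration, the check a practitioner
wants is the one from the subject line: ping the subnet broadcast
address (10.1.2.255 above) from a host outside the router and confirm
that no replies come back, then request a DHCP/BOOTP lease from a client
on Ethernet0 to confirm relay still works.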
