mailing list archives
ICMP ECHO_REQUEST on BROADCAST--HOWTO Filter!
From: mikedoug () TEXAS NET (Michael Douglass)
Date: Mon, 21 Jul 1997 15:00:53 -0500
Since so many of you have emailed me privately asking for this information,
I sent the request off to my Cisco guy (ed) and let him write up a howto
on the whole issue of filtering broadcast packets.
-----Forwarded message from Edward Henigin <ed () texas net>-----
From: Edward Henigin <ed () texas net>
To: Michael Douglass <mikedoug () texas net>
Subject: broadcast filtering HOWTO
We've had some requests for examples of how to filter broadcast
traffic. As with a lot of things in the computer world, "there is more
than one way to do it."
If your network is composed *only* of /24 allocations (ie you're
not supernetting or subnetting anywhere on class C's, or all your class A/B
networks are subnetted as /24's), then you can do all the filtering with
one filter on your *inbound* Internet interfaces.
(note that you should filter both the all ones and the all zeros
addresses, as they are both recognized by some IP stacks.)
! filter broadcast packets from the outside world into our network
access-list 109 deny ip any 0.0.0.255 255.255.255.0
access-list 109 deny ip any 0.0.0.0 255.255.255.0
access-list 109 permit ip any any
in se 0
ip access-group 109 in
Another way to do it is to only filter to the broadcast addresses
*outgoing* on your directly connected interfaces. For example, if your
router has an ethernet interface with half a dozen as5200's or Max 4004's
on it, and your ethernet interface had address 192.168.3.1/24, then
you'd do this:
! filter broadcast packets from anywhere into my directly attached
! terminal server network
access-list 110 deny ip any host 192.168.3.255
access-list 110 deny ip any host 192.168.3.0
access-list 110 permit ip any any
in e 0
ip access-group 110 out
I've just been made aware of a command for ciscos,
'ip directed-broadcast'. Specifically, the 'no' form of the command
will no convert broadcast packets (all ones, I think) into broadcast
ethernet packets, on the final, directly connected interface. From
cisco's online documentation:
To enable the translation of directed broadcast to physical
broadcasts, use the ip directed-broadcast interface
configuration command. To disable this function, use the no
form of this command.
What I take this to mean is that 'no ip directed-broadcast'
will prevent the mapping of broadcast packets (I don't know
what your cisco will guess 'broadcast packets' are) to broadcast
ethernet framing. I think this will help... although I don't know all
the ramifications, because I haven't used it, and don't know anyone who
And a final note: there are very few applications which depend
on the routing of broadcast packets. You may know of one such
application; if it's a popular one that you think lots of people are
using, speak up. So you should feel safe in blocking broadcast traffic
in your network. Popular applications which depend on *non*-routed
broadcast traffic include RIP and netbios (Microsoft's networking
protocol). Putting filter access-lists on your interfaces should
not interfere with non-routed broadcast traffic.
Don't take anything I say as word of God. Test it yourselves,
so that you understand what you are doing.
I hope this helps,
Engineering Director, Texas Networking, Inc.
ed () texas net
-----End of forwarded message-----
Texas Networking, Inc.
<de> 'hail sparc, full of rammage'
<de> 'the kernel is with thee'
<de> 'blessed art thou amongst processors'