How to limit broadcast network discovery

There is one host on my green network that is generating most of the broadcast network discovery traffic in my ipFire firewall logs. Here’s a snippet from the log showing traffic sourced from that host forwarded to the ipFire device(?). I don’t know why this host is so “nosey”; there’s no good reason for it to be, AFAIK. Can I create a firewall rule to block the broadcasting of this network discovery traffic? (Does the ipFire router handle the broadcasting or do any switches in the mix handle it?)

```
06:20:31 INPUTFW IN=green0 OUT= SRC=192.168.0.12 DST=192.168.0.255 LEN=96 TOS=0x00 PREC=0x00 TTL=128 ID=9 PROTO=UDP SPT=137 DPT=137 LEN=76
06:20:30 INPUTFW IN=green0 OUT= SRC=192.168.0.12 DST=192.168.0.255 LEN=78 TOS=0x00 PREC=0x00 TTL=128 ID=8 PROTO=UDP SPT=137 DPT=137 LEN=58
07:29:35 INPUTFW IN=green0 OUT= SRC=192.168.0.12 DST=255.255.255.255 LEN=38 TOS=0x00 PREC=0x00 TTL=128 ID=554 PROTO=UDP SPT=52267 DPT=20200 LEN=18
07:29:33 INPUTFW IN=green0 OUT= SRC=192.168.0.12 DST=255.255.255.255 LEN=38 TOS=0x00 PREC=0x00 TTL=128 ID=553 PROTO=UDP SPT=52263 DPT=20200 LEN=18
```
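Before touching the firewall it helps to know exactly which host is broadcasting and on which ports. The following Python script is an added example, not code from the thread or from IPFire: it parses netfilter-style INPUTFW log lines like the ones above, keeps only packets sent to the green network's directed broadcast address or to 255.255.255.255, and tallies them per source host and destination UDP port. The green subnet 192.168.0.0/24 is an assumption inferred from the logged addresses; the four log lines are taken from the post above, and the extra lines (a unicast SSH packet and a second host sending NetBIOS datagrams) are constructed to show that unicast traffic is ignored and that hosts are ranked by volume. Port 20200 is not a registered service, so it is reported as unknown rather than given a name.

```python
"""Tally broadcast traffic per source host from ipFire/netfilter INPUTFW log lines.
Added example for the thread; not IPFire's own code."""
import re
from collections import Counter
from ipaddress import ip_address, ip_network

# Assumption: the green network is 192.168.0.0/24 (inferred from the log lines).
GREEN = ip_network("192.168.0.0/24")
LIMITED_BROADCAST = ip_address("255.255.255.255")

# Well-known UDP ports that commonly appear in LAN discovery/announcement traffic.
SERVICE_NAMES = {
    67: "DHCP (server)",
    68: "DHCP (client)",
    137: "NetBIOS name service",
    138: "NetBIOS datagram",
    1900: "SSDP (UPnP)",
    5353: "mDNS",
}

# Sample input: first four lines copied from the post, last two constructed.
SAMPLE_LOG = """\
06:20:31 INPUTFW IN=green0 OUT= SRC=192.168.0.12 DST=192.168.0.255 LEN=96 TOS=0x00 PREC=0x00 TTL=128 ID=9 PROTO=UDP SPT=137 DPT=137 LEN=76
06:20:30 INPUTFW IN=green0 OUT= SRC=192.168.0.12 DST=192.168.0.255 LEN=78 TOS=0x00 PREC=0x00 TTL=128 ID=8 PROTO=UDP SPT=137 DPT=137 LEN=58
07:29:35 INPUTFW IN=green0 OUT= SRC=192.168.0.12 DST=255.255.255.255 LEN=38 TOS=0x00 PREC=0x00 TTL=128 ID=554 PROTO=UDP SPT=52267 DPT=20200 LEN=18
07:29:33 INPUTFW IN=green0 OUT= SRC=192.168.0.12 DST=255.255.255.255 LEN=38 TOS=0x00 PREC=0x00 TTL=128 ID=553 PROTO=UDP SPT=52263 DPT=20200 LEN=18
08:00:00 INPUTFW IN=green0 OUT= SRC=192.168.0.20 DST=192.168.0.1 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=1 PROTO=TCP SPT=40000 DPT=22 WINDOW=64240 RES=0x00 SYN URGP=0
08:00:02 INPUTFW IN=green0 OUT= SRC=192.168.0.20 DST=192.168.0.255 LEN=78 TOS=0x00 PREC=0x00 TTL=64 ID=2 PROTO=UDP SPT=138 DPT=138 LEN=58
"""

KV_RE = re.compile(r"(\w+)=(\S*)")


def parse_line(line):
    """Parse one netfilter log line into a dict of its key=value fields.

    Returns None for lines that are not INPUTFW entries. LEN appears twice in
    UDP entries (IP total length, then UDP length); setdefault keeps the first.
    """
    if " INPUTFW " not in line:
        return None
    fields = {}
    for key, value in KV_RE.findall(line):
        fields.setdefault(key, value)
    fields["time"] = line.split(" ", 1)[0]
    return fields


def is_broadcast(dst, lan=GREEN):
    """True for the LAN's directed broadcast or the limited broadcast address."""
    addr = ip_address(dst)
    return addr == lan.broadcast_address or addr == LIMITED_BROADCAST


def summarize(log_text, lan=GREEN):
    """Map each source host to a Counter of UDP destination ports it broadcast to."""
    per_host = {}
    for line in log_text.splitlines():
        f = parse_line(line)
        if f is None or not is_broadcast(f["DST"], lan):
            continue
        if f.get("PROTO") != "UDP":
            continue  # LAN discovery chatter is UDP; keep the tally focused
        port = int(f["DPT"])
        per_host.setdefault(f["SRC"], Counter())[port] += 1
    return per_host


def describe(per_host):
    """Render the summary as text lines, loudest host first."""
    lines = []
    for src, ports in sorted(per_host.items(), key=lambda kv: -sum(kv[1].values())):
        lines.append(f"{src}: {sum(ports.values())} broadcast packet(s)")
        for port, n in ports.most_common():
            name = SERVICE_NAMES.get(port, "unregistered/unknown")
            lines.append(f"  UDP/{port} ({name}): {n}")
    return lines


if __name__ == "__main__":
    print("\n".join(describe(summarize(SAMPLE_LOG))))
```

Run it against a real log (for example by passing the output of `grep INPUTFW /var/log/messages` into `summarize`) and the host at the top of the list, together with the ports it is hitting, tells you what to investigate on that machine: UDP/137 is Windows NetBIOS name resolution, while an unregistered port such as 20200 usually points at a specific application that should be identified on the host itself.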

I don’t think that you’re going to solve this with a firewall rule. If I understand it correctly, you have one aberrant host that’s sending broadcast packets. You need to look at that host to figure out why. As is evident from the logs you included, the firewall is doing what it should and dropping the packets when it receives them.

Firewalls/routers, in general, drop broadcast packets.

Switches forward broadcast packets to all ports except the one the packet was received on. Switches are doing this based on the broadcast MAC address (ff:ff:ff:ff:ff:ff), not the IP.


Thank you for your response. Question: if “Firewalls/routers, in general, drop broadcast packets,” why is ipFire reporting INPUTFW and not DROP? I presume that INPUTFW means it is being forwarded to ipFire and perhaps ipFire is responding to it?

The action for packets logged as INPUTFW depends on the definition of the rule, usually DROP.

AFAIK firewall rules are port forwarding things. Where/how is INPUTFW defined as DROP?

The basics of the IPFire firewall are described in the wiki.

To answer your opening question:

  • you can do nothing in IPFire to stop devices in your network sending crude packets
  • you can suppress logging of dropped packets from the WUI ( Firewall → Firewall Options ), but unseen problems exist nevertheless