
Thread: Allow responses to broadcast in a drop-all firewall

  1. #1
    Join Date
    Jan 2014
    Beans
    79
    Distro
    Xubuntu 14.10 Utopic Unicorn

    Allow responses to broadcast in a drop-all firewall

    My input policy is to drop all traffic unless it's part of an established connection or related to one.

    Code:
    iptables -P INPUT DROP
    iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    but if an application makes a broadcast, and something responds directly to the broadcast, the incoming packet is marked as forming a new connection (I tested this with rules such as
    Code:
    iptables -A INPUT -m state --state NEW -j LOG --log-prefix "NEW: "
    for each of the different states and a response to a broadcast is being marked with "NEW: ")

    How can I allow responses to broadcasts to enter without removing my policy of "only allow what I start"?

  2. #2
    Join Date
    Nov 2008
    Location
    Boston MetroWest
    Beans
    16,326

    Re: Allow responses to broadcast in a drop-all firewall

    duplicate
    Last edited by SeijiSensei; May 28th, 2014 at 05:40 AM.
    If you ask for help, do not abandon your request. Please have the courtesy to check for responses and thank the people who helped you.

    Blog · Linode System Administration Guides · Android Apps for Ubuntu Users

  3. #3
    Join Date
    Nov 2008
    Location
    Boston MetroWest
    Beans
    16,326

    Re: Allow responses to broadcast in a drop-all firewall

    Responses to broadcasts are going to come from a well-known source. For instance, DHCP uses broadcasts to request an address, but the response will come from the DHCP server. I suggest a judicious mix of accepted server IPs and ports is the best approach. There is no equivalent to established traffic when you're dealing with broadcasts.

    So few services rely on broadcasts that you should be able to define precisely which replies are allowed and from where they can legitimately originate.
    Last edited by SeijiSensei; May 28th, 2014 at 05:44 AM.

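    As an added example (not code from the thread), the "accepted server IPs and ports" approach above written as a small POSIX sh script: the server address 192.0.2.10 and the helper names are constructed for illustration. Because a broadcast reply is always NEW to conntrack, the helper names the source host explicitly, and it refuses to emit a rule without one, since a rule lacking -s would reopen the port to every host.

```shell
#!/bin/sh
# Added example, not from the thread. Emits iptables INPUT rules that whitelist
# the unicast reply to a broadcast from a known server. 192.0.2.10 is a
# constructed placeholder address.

# valid_host IP -> 0 only for a single dotted-quad host (no /prefix, no wildcard)
valid_host() {
    case "$1" in
        ''|*/*|0.0.0.0|255.255.255.255) return 1 ;;
    esac
    oldifs=$IFS; IFS=.; set -- $1; IFS=$oldifs
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        case "$o" in ''|*[!0-9]*) return 1 ;; esac
        [ "$o" -le 255 ] || return 1
    done
    return 0
}

# reply_rule SERVER_IP PROTO SERVER_PORT LOCAL_PORT
# Prints one rule accepting a reply from SERVER_IP:SERVER_PORT to LOCAL_PORT.
# A reply to a broadcast is NEW to conntrack, so the source host is the only
# thing that can stand in for "established"; refuse to emit a rule without it.
reply_rule() {
    if ! valid_host "$1"; then
        echo "reply_rule: refusing a rule without a single source host: '$1'" >&2
        return 1
    fi
    printf 'iptables -A INPUT -p %s -s %s --sport %s --dport %s -m state --state NEW -j ACCEPT\n' \
        "$2" "$1" "$3" "$4"
}

# DHCPOFFER/DHCPACK arrive from the server's udp/67 to the client's udp/68.
dhcp_reply_rules() {
    reply_rule "$1" udp 67 68
}

# Whole INPUT chain in the thread's order: policy, state match, whitelist, log.
ruleset() {
    echo 'iptables -P INPUT DROP'
    echo 'iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT'
    dhcp_reply_rules 192.0.2.10 || return 1
    echo 'iptables -A INPUT -m state --state NEW -j LOG --log-prefix "NEW: "'
}
```

Run `ruleset` and pipe it into sh as root to apply; note that ISC dhclient reads its replies through a packet socket that the INPUT chain never sees, so the DHCP rule matters only for clients using an ordinary UDP socket.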
  4. #4
    Join Date
    Jan 2014
    Beans
    79
    Distro
    Xubuntu 14.10 Utopic Unicorn

    Re: Allow responses to broadcast in a drop-all firewall

    Thank you for the response. It really stinks that there's not a failsafe way to do this, though.
