Re: How to skip broadcast in pf logs

From: Daniel Hartmeier (daniel_at_benzedrine.cx)
Date: 09/24/03


Date: 24 Sep 2003 07:48:11 GMT

On 23 Sep 2003 16:19:00 -0700, FM wrote:

> Nonroutables="{ 0.0.0.0/8, 10.0.0.0/8, 127.0.0.0/8, \
> 169.254.0.0/16, 172.16.0.0/12, 192.0.2.0/24, \
> 192.168.0.0/16, 204.152.64.0/23, \
> 224.0.0.0/3, 255.255.255.255/32 }"
>
> block in quick on $ExtIF from $Nonroutables to any
> block out quick on $ExtIF from any to $Nonroutables

Look at your pfctl -sr | grep 255 output, this expands to exactly
two relevant rules

  block drop in quick on fxp0 inet from 255.255.255.255 to any
  block drop out quick on fxp0 inet from any to 255.255.255.255

Now compare to the packet that you think should match

> 22:35:31.992973 rule 34/0(match): block in on fxp0:
> 130.236.236.187.9778 > 255.255.255.255.8777: udp 6

Note that it is _incoming_ and has _destination_ 255.255.255.255.
Does that match either of the two rules above? No, it doesn't.

Since it's incoming on fxp0, it can't match the second rule
(as that rule says 'block ... out'). It can't match the first
rule, either, as that says 'from 255.255.255.255 to any', but
the packet has a destination (not source) broadcast address.

Clear by now? The solution should be obvious :)

Daniel
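Added worked example (not part of the original thread, and not pf itself): a small Python simulation of how pf expands the `$Nonroutables` list into per-network rules and then evaluates them with its last-match / `quick` semantics. It reproduces why the logged packet (in on fxp0, 130.236.236.187 -> 255.255.255.255) matches neither `from 255.255.255.255 to any` nor the `out` rule, and shows the effect of the obvious fix: an extra unlogged `block in quick on $ExtIF from any to $Nonroutables` rule placed before the logging rule. The trailing `block in ... log` catch-all that stands in for the poster's "rule 34" is an assumption, since that rule is not shown in the thread.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Rule:
    action: str       # "block" or "pass"
    direction: str    # "in" or "out"
    iface: str        # interface name, e.g. "fxp0"
    src: str          # CIDR or "any"
    dst: str          # CIDR or "any"
    log: bool = False
    quick: bool = False


@dataclass
class Packet:
    direction: str
    iface: str
    src: str
    dst: str


# The $Nonroutables macro exactly as posted in the thread.
NONROUTABLES = [
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.0.2.0/24", "192.168.0.0/16",
    "204.152.64.0/23", "224.0.0.0/3", "255.255.255.255/32",
]

# The packet from the tcpdump line in the thread (ports omitted; pf's
# address matching is what matters here).
BROADCAST_PKT = Packet("in", "fxp0", "130.236.236.187", "255.255.255.255")


def _addr_matches(spec: str, addr: str) -> bool:
    if spec == "any":
        return True
    return ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    """Direction, interface, source and destination must all match."""
    return (rule.direction == pkt.direction
            and rule.iface == pkt.iface
            and _addr_matches(rule.src, pkt.src)
            and _addr_matches(rule.dst, pkt.dst))


def expand(action: str, direction: str, iface: str, nets: List[str],
           side: str, quick: bool = True, log: bool = False) -> List[Rule]:
    """Expand `from $LIST to any` (side="src") or `from any to $LIST`
    (side="dst") into one rule per network, the way pfctl -sr shows it."""
    rules = []
    for net in nets:
        src = net if side == "src" else "any"
        dst = net if side == "dst" else "any"
        rules.append(Rule(action, direction, iface, src, dst, log=log, quick=quick))
    return rules


def evaluate(rules: List[Rule], pkt: Packet) -> Optional[Tuple[int, Rule]]:
    """pf semantics: the last matching rule wins, unless a matching rule
    carries `quick`, in which case evaluation stops there."""
    winner = None
    for i, r in enumerate(rules):
        if rule_matches(r, pkt):
            winner = (i, r)
            if r.quick:
                break
    return winner


def original_ruleset() -> List[Rule]:
    rules = expand("block", "in", "fxp0", NONROUTABLES, "src")    # from $Nonroutables to any
    rules += expand("block", "out", "fxp0", NONROUTABLES, "dst")  # from any to $Nonroutables
    # Assumed catch-all that produced "rule 34" in the log; not shown in the thread.
    rules.append(Rule("block", "in", "fxp0", "any", "any", log=True))
    return rules


def fixed_ruleset() -> List[Rule]:
    rules = expand("block", "in", "fxp0", NONROUTABLES, "src")
    # Added rule: inbound traffic *to* a nonroutable address, dropped
    # quickly and without log, so the logging catch-all never sees it.
    rules += expand("block", "in", "fxp0", NONROUTABLES, "dst")
    rules += expand("block", "out", "fxp0", NONROUTABLES, "dst")
    rules.append(Rule("block", "in", "fxp0", "any", "any", log=True))
    return rules


def would_log(rules: List[Rule], pkt: Packet) -> bool:
    hit = evaluate(rules, pkt)
    return hit is not None and hit[1].log


if __name__ == "__main__":
    for name, rs in (("original", original_ruleset()), ("fixed", fixed_ruleset())):
        idx, rule = evaluate(rs, BROADCAST_PKT)
        print(f"{name}: matched rule {idx}: {rule}  logged={rule.log}")
```

Running it shows the original set only matching at the logging catch-all, while the fixed set stops at the unlogged `block in quick ... to 224.0.0.0/3` rule (which already covers 255.255.255.255; the /32 entry is redundant but harmless).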