Subject: Re: broadcast ping response
To: John Nemeth <jnemeth@victoria.tc.ca>
From: Allen Briggs <briggs@netbsd.org>
List: tech-net
Date: 01/22/2005 21:50:55
On Sun, Jan 23, 2005 at 01:37:36AM +0000, Kentaro A. Kurahone wrote:
> Ask, and ye shall receive.
> http://www.sigusr1.org/~kurahone/icmp-nobroadcast-netbsd-2.99.14.diff.gz

Heh.  See below...

On Sun, Jan 23, 2005 at 01:42:04AM +0000, Herb Peyerl wrote:
> Pretty trivial with 'ipf'. No new code needed.

It might be interesting for those who aren't ipf/ipfilter savvy.

But...  I'm curious where it's really useful:

Standard lab/lan setup: On a private LAN, the border shouldn't be
	allowing directed broadcast traffic, so you'd be protecting
	"your" link from fellows on the same LAN.  Is this an issue?

Home/business on DSL/cable: If the NetBSD host is at the border,
	the broadcast ping looks (to you) like a regular ping.  I
	don't see how this is a DoS.  The "telco" should not be
	passing the directed broadcast, so it should be coming
	through the local network similar to above.  If NetBSD
	_is_ your router, it (a) presumably has a firewall to
	which you can add the appropriate rules, and (b) defaults
	to not forwarding directed broadcasts
	(net.inet.ip.directed-broadcast defaults to 0).

NetBSD server in coloc or dmz seems to be similar to standard LAN
	plus firewall.

NetBSD host on a private LAN shouldn't be an issue.

What else?

Kurahone-san's patch seems pretty trivial, but I'm not sure how
real the need is...

-allen

-- 
                  Use NetBSD!  http://www.netbsd.org/
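As an added illustration of Herb's "trivial with ipf" suggestion for readers who are not ipf-savvy (this is not code from the thread, the patch, or NetBSD itself), the POSIX sh snippet below computes an interface's directed-broadcast address from its address and netmask and emits two ipf rules that drop inbound ICMP echo requests aimed at that address and at the limited broadcast address 255.255.255.255. The interface name `ex0` and the 192.0.2.0/24 addresses are assumed values for the example. Note that on a host that is not forwarding, `net.inet.ip.directed-broadcast` only governs forwarding of such packets to a directly attached network; whether the host itself answers a broadcast ping on its own link is what a filter rule like this controls.

```shell
#!/bin/sh
# Added example, not part of the original thread: derive the directed
# broadcast address of an interface and print ipf rules that block
# ICMP echo requests sent to it (and to 255.255.255.255).
# Interface name and addresses used below are assumptions.

# bcast_addr IP NETMASK
#   Prints the directed broadcast address: each octet is
#   addr_octet OR (NOT mask_octet AND 255).  Works for any mask,
#   not only /24.
bcast_addr() {
    oldifs=$IFS
    IFS=.
    set -- $1 $2        # $1..$4 = address octets, $5..$8 = mask octets
    IFS=$oldifs
    printf '%d.%d.%d.%d\n' \
        $(( $1 | (~$5 & 255) )) \
        $(( $2 | (~$6 & 255) )) \
        $(( $3 | (~$7 & 255) )) \
        $(( $4 | (~$8 & 255) ))
}

# ipf_nobroadcast_rules IFNAME IP NETMASK
#   Prints two ipf.conf rules, one per line.  "quick" makes the rule
#   terminal, so it wins regardless of later pass rules.
ipf_nobroadcast_rules() {
    bc=$(bcast_addr "$2" "$3")
    # Echo requests to the subnet's directed broadcast address.
    printf 'block in quick on %s proto icmp from any to %s/32 icmp-type echo\n' \
        "$1" "$bc"
    # Echo requests to the limited broadcast address.
    printf 'block in quick on %s proto icmp from any to 255.255.255.255/32 icmp-type echo\n' \
        "$1"
}

# Constructed sample invocation (ex0 and 192.0.2.10/24 are assumed):
ipf_nobroadcast_rules ex0 192.0.2.10 255.255.255.0
```

The printed lines can be appended to /etc/ipf.conf and loaded with `ipf -f`; if the interface address is assigned dynamically, regenerate the first rule whenever it changes, since the directed broadcast address changes with it. Replies to pings sent to the host's own unicast address are unaffected.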