Broadcast packets not blocked by filter ?!?

Skybuck Flying

Hello,

I banned ip address: 7.0.79.54 in windows xp policy etc...

(This is a virtual ip)

To my surprise the broadcast packets are not blocked ?

(Only unicast packets are blocked ?!?)

So for example udp packet:

Source IP: 7.0.79.54
Dest IP: 255.255.255.255

^^^ Is not blocked.

While

Source IP: 7.0.79.54
Dest IP: My IP

^^^ Is blocked ?!?!?

I guess I have to add a special rule for broadcast packets ?!

Hmm...

Gonna try it...

Later,
Bye,
Skybuck.
 
Skybuck Flying

So far I base the rules on "destination address/ip".

Before I try a special broadcast rule....

First I try a "source address/ip" rule...

Maybe that will work for banning broadcast packets too...

Bye,
Skybuck.
 
Skybuck Flying

Nope that doesn't seem to work.

I choose filter option "block".

Instead of the "request security".

(Maybe block doesn't work ? but unicast it does seem to block so this is
weird).

Maybe this is a broadcast bug in the filter ?!?

Now I am gonna try a special broadcast rule.

Bye,
Skybuck.
 
Skybuck Flying

Hmm weird... the source rule disappeared gonna try again first ;)

Bye,
Skybuck.
 
Skybuck Flying

Maybe it got removed because it was invalid or conflicting...

I tried again... this time it worked for the broadcast packets...

But unicast both ways blocked not...

So I would have to add a special rule to block unicast in both ways...

This kinda sux because it requires two rules... which is double as much work
but ok.

Also trying to ban 255.255.255.255 for a specific source is not possible...

So I had to choose "any ip" which is a bit strange but ok ;)

End result:

Broadcast packets banned for ip X
Unicast packets banned for ip X both ways.

However I also noticed something weird:

The broadcast packets were still showing up in the wireshark sniffer...

Apparently broadcast packets follow a different route through the windows
filter/firewall/policy logic ?!?!?

^ Weird... might be exploitable too ;) ^ For example "broadcast attacks on
VPLAN's" might still work.

Bye,
Skybuck.
 