On Wed, Nov 13, 2002 at 02:46:50PM +0100, Alex Ongena wrote:
> I want to drop all broadcasts on INPUT in a generic way
> without knowing in advance on which subnet/netmask my
> appliance is.
>
> something like:
>
> # iptables -A INPUT -d *.*.*.255 -j DROP
> # iptables -A INPUT -d *.*.255.255 -j DROP
> # iptables -A INPUT -d *.255.255.255 -j DROP
>
> where * is a wildcard matching any ip.
>
> Is this possible with iptables 1.2.7a ?

Well, you first have to figure out what broadcast is. *.255 is definitely *NOT* a broadcast address. There is no way to see if an IP address is meant for broadcast; that is up to the local net administrator. (Even if you know your netmask, it still does not tell you the broadcast address.)

The only way to test for broadcasts is to look if the destination MAC address is ff:ff:ff:ff:ff:ff. There are a lot of people that get a .255 address on dialup connections.

-- 
mail up 2+01:28, 2 users, load 0.00, 0.02, 0.02
mistar1 up 2+01:25, 6 users, load 0.00, 0.00, 0.00
Let your government know you value your freedom: sign the petition:
http://petition.eurolinux.org
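The point of the reply above, shown as an added example that is not part of the original thread and not the poster's or the netfilter project's code: the octet-based rules from the question and the link-layer test from the reply are run side by side over a few constructed Ethernet frames (the frames, the addresses and the function names `build_frame`, `is_link_broadcast`, `ends_in_255`, `network_broadcast` and `compare_tests` are all assumptions made here for illustration). A host address that ends in .255 inside a /23 is unicast, the broadcast address of a /25 does not end in .255 at all, and only the destination MAC of ff:ff:ff:ff:ff:ff tells the two cases apart without knowing the local addressing plan.

```python
import ipaddress
import struct

# Link-layer broadcast destination: the one test the reply says is reliable.
BROADCAST_MAC = bytes.fromhex("ff" * 6)
ETHERTYPE_IPV4 = 0x0800


def build_frame(dst_mac: str, src_mac: str, src_ip: str, dst_ip: str) -> bytes:
    """Constructed sample input (assumption for this example): a minimal
    Ethernet II frame carrying a 20-byte IPv4 header with no options and no
    payload. Only the fields inspected below are meaningful; the IP checksum
    is left at zero."""
    eth = (bytes.fromhex(dst_mac.replace(":", ""))
           + bytes.fromhex(src_mac.replace(":", ""))
           + struct.pack("!H", ETHERTYPE_IPV4))
    ip_hdr = struct.pack(
        "!BBHHHBBH4s4s",
        0x45,          # version 4, IHL 5 (20 bytes)
        0, 20, 0, 0,   # TOS, total length, identification, flags/fragment
        64, 17, 0,     # TTL, protocol (UDP), header checksum (unset)
        ipaddress.IPv4Address(src_ip).packed,
        ipaddress.IPv4Address(dst_ip).packed,
    )
    return eth + ip_hdr


def dst_ip(frame: bytes) -> str:
    """IPv4 destination: 14-byte Ethernet header, then offset 16 in the IP header."""
    return str(ipaddress.IPv4Address(frame[14 + 16:14 + 20]))


def is_link_broadcast(frame: bytes) -> bool:
    """The reply's test: broadcast iff the Ethernet destination is all-ones,
    whatever the IP header happens to say."""
    return len(frame) >= 14 and frame[:6] == BROADCAST_MAC


def ends_in_255(ip: str) -> bool:
    """The question's heuristic (-d *.*.*.255): last octet is 255."""
    return ip.split(".")[-1] == "255"


def network_broadcast(ip: str, prefixlen: int) -> str:
    """Conventional all-ones broadcast of the subnet containing ip, given the
    prefix length. Only meaningful once you know the local addressing plan."""
    net = ipaddress.ip_network(f"{ip}/{prefixlen}", strict=False)
    return str(net.broadcast_address)


def compare_tests(frames):
    """For each frame: (destination IP, octet heuristic verdict, MAC test verdict)."""
    return [(dst_ip(f), ends_in_255(dst_ip(f)), is_link_broadcast(f)) for f in frames]


# Constructed frames (assumptions for this example, not captured traffic).
SAMPLE_FRAMES = [
    # Subnet broadcast on a /24: both tests agree.
    build_frame("ff:ff:ff:ff:ff:ff", "00:11:22:33:44:55", "192.168.1.10", "192.168.1.255"),
    # Ordinary unicast host in 10.0.0.0/23 whose address ends in .255:
    # the octet rule would drop legitimate traffic to this host.
    build_frame("00:aa:bb:cc:dd:ee", "00:11:22:33:44:55", "10.0.1.7", "10.0.0.255"),
    # Subnet broadcast of 192.168.1.0/25: the octet rule does not see it at all.
    build_frame("ff:ff:ff:ff:ff:ff", "00:11:22:33:44:55", "192.168.1.10", "192.168.1.127"),
]

if __name__ == "__main__":
    for ip, octet_says, mac_says in compare_tests(SAMPLE_FRAMES):
        print(f"{ip:16} octet-rule={octet_says!s:5} mac-test={mac_says}")
    print("10.0.0.255/23 broadcast is", network_broadcast("10.0.0.255", 23))
```

The same link-layer test is what iptables exposes as the `pkttype` match (`iptables -A INPUT -m pkttype --pkt-type broadcast -j DROP`), which classifies by the packet type the driver assigned from the destination MAC rather than by anything in the IP header.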

