block broadcast packets from forwarding?

Forum|Forum|12 years ago
August 27, 2013
5 replies
20141 views

I just noticed in the firewall logs of my FortiGate 100D (FortiOS 5.0.4) that - I think - it is forwarding broadcast packets from the internal interface out to the Internet. I have a policy, right before the final deny all default, allowing any address on internal to be accepted for any service to any address on the outgoing interface to the Internet. In principle this is needed because our policy is to allow all internal users to access any service on the Internet. But I see entries in the logs such as Src 192.168.1.225, Dst 192.168.255.255, port UDP 57621 (apparently, this is Spotify. Sigh). .. and also UDP port 17500 (Dropbox). How do I set up a Policy rule on the FortiGate to block broadcasts from leaving the LAN? I could make a rule to block any@internal -> 192.168.255.255@WAN ... but the only reason I know there are such broadcast packets (since our internal netmask is NOT 255.255.0.0!) is because I happened to notice these packets in the FortiGate log. What I want is something more intelligent, such as a single option " Do not forward broadcast packets (unless there is an explicit matching allow rule)" . Is that possible with FortiGate/FortiOS 5? thanks, -Jay

rwpatterson

New Member

Check out the end of the attached link. The policy remains, but routing is altered to deny the traffic. http://support.fortinet.com/forum/tm.asp?m=100686&p=1&tmode=1&smode=1

Jay_LiboveAuthor

New Member

Hm. I see how that would work. But should that be necessary? Maybe I just never noticed it before, but I have the feeling that other firewalls don' t generally forward broadcast traffic. Why does FortiGate? Or is my feeling wrong? thanks,

chrylab

New Member

I believe what you are seeing is a " new" feature of 5.0.x. I noticed that my test box was logging broadcast traffic however it is not actually forwarding it. 5.x has the concept of " Local" logs and " Forwarded" logs. To stop broadcast traffic logging, I used this: config log setting set local-in-deny disable end The default is enable.

ede_pfau

SuperUser

IMHO broadcast forwarding is NOT enabled by default, at least not in 3.x or 4.x. There are 2 commands in the ' conf sys int' section, ' set l2forward' and another one (out of memory, I' m in the holidays right now). One has to enable it to allow Wake-on-LAN for example. What Jay is seeing is logging only - in 4.x it' s ' extended-log' in the ' conf log filter' section, and in 5.x where chrylab posted. I noticed it got enabled when I upgraded from 4.2 to 4.3, filling up my memory log easily.

rwpatterson

New Member

ORIGINAL: ede_pfau IMHO broadcast forwarding is NOT enabled by default, at least not in 3.x or 4.x. There are 2 commands in the ' conf sys int' section, ' set l2forward' and another one (out of memory, I' m in the holidays right now). One has to enable it to allow Wake-on-LAN for example.

Here I go mixing up posts again... I stand corrected one more time... Vacation in 3 days. Cannot wait!

Jay_LiboveAuthor

New Member

I' m not sure I fully understand the last couple of postings. I can confirm, by sniffing packets on the outside of the FortiGate FG100D (FortiOS 5.0.4) that it really is forwarding these broadcast packets outside of the network. I do see a ' config system interface' ' edit <ifname>' ' set broadcast-forward disable' option. I' m trying it now on that external interface. Will report back. thanks, Jay

Jay_LiboveAuthor

New Member

... also a ' set netbios-forward disable' option. I think these work as expected. However as we' ve also corrected the incorrectly configured host which had been creating the broadcasts, I no longer have an easy wway to be sure... thanks for everyone' s help, and I hope these set broadcast-forward disable and set netbios-forward disable commands prove useful for someone else too. -Jay

Sign up

Login with SSO

Login to the community

Login with SSO

Scanning file for viruses.

This file cannot be downloaded