Bug #2073

APIPA broadcasts forwarded by route-to

Added by Chris Buechler over 6 years ago. Updated over 1 year ago.

Status:
Resolved
Priority:
Normal
Assignee:
-
Category:
Operating System
Target version:
Start date:
01/05/2012
Due date:
% Done:

0%

Estimated time:
Affected Version:
All
Affected Architecture:

Description

If there is a host with an APIPA IP sending broadcasts that match a route-to rule, the traffic gets forwarded by route-to. antispoof should block that scenario, since that IP subnet isn't defined on the source interface. We should change route-to so it never forwards anything destined to a broadcast MAC address, to prevent such scenarios.

To work around, just add a rule to block APIPA, 169.254.0.0/16. Or ideally don't use overly permissive rulesets; the default rules will not permit this to happen.
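The forwarding decision the description argues for, as an added example (not pfSense or pf code): a small model of a router that applies the RFC 3927 link-local block, a strict source-subnet check on the ingress interface (what the report says antispoof ought to do), and a refusal to route-to anything addressed to a link-layer broadcast. The interface table, MAC addresses and packets are constructed, and the apipa_block flag is a stand-in for the no_apipa_block setting mentioned later in the thread.

```python
import ipaddress
from dataclasses import dataclass

# RFC 3927: IPv4 link-local (APIPA) traffic must not be forwarded by any router.
LINK_LOCAL = ipaddress.ip_network("169.254.0.0/16")
LIMITED_BROADCAST = ipaddress.ip_address("255.255.255.255")
BROADCAST_MAC = "ff:ff:ff:ff:ff:ff"

# Constructed interface table: subnets configured on each ingress interface.
IFACE_NETS = {
    "lan": [ipaddress.ip_network("192.168.1.0/24")],
    "opt1": [ipaddress.ip_network("10.10.0.0/24")],
}


@dataclass
class Packet:
    in_iface: str
    dst_mac: str
    src_ip: str
    dst_ip: str


def forward_decision(pkt, iface_nets=IFACE_NETS, apipa_block=True):
    """Return (forward, reason) for a packet that matched a route-to rule.

    Checks run in the order the ticket discusses them: the RFC 3927 block
    (optional, like the no_apipa_block knob), then the ingress source-subnet
    check, then the rule that route-to never forwards a broadcast."""
    src = ipaddress.ip_address(pkt.src_ip)
    dst = ipaddress.ip_address(pkt.dst_ip)
    nets = iface_nets.get(pkt.in_iface, [])

    if apipa_block and (src in LINK_LOCAL or dst in LINK_LOCAL):
        return False, "rfc3927-link-local"
    # Source must belong to a subnet configured on the interface it arrived on.
    if not any(src in n for n in nets):
        return False, "antispoof"
    # Broadcast frames (by MAC, limited broadcast, or directed broadcast) are
    # link-local by nature and are never handed to route-to.
    if (pkt.dst_mac.lower() == BROADCAST_MAC or dst == LIMITED_BROADCAST
            or any(dst == n.broadcast_address for n in nets)):
        return False, "broadcast-not-routed"
    return True, "route-to"
```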

Associated revisions

Revision eb71461c (diff)
Added by Chris Buechler almost 4 years ago

block IPv4 link-local. Per RFC 3927, hosts "MUST NOT send the packet to
any router for forwarding", and "any network device receiving such a
packet MUST NOT forward it". FreeBSD won't route it (route-to can override in
some circumstances), so it can't be in use as a real network anywhere with
the possible exception of local-only networks. Unlikely any such situation
exists anywhere.
Fixes ticket #2073

History

#1 Updated by Chris Buechler over 6 years ago

  • Description updated (diff)

#2 Updated by Chris Buechler almost 4 years ago

  • Status changed from New to Resolved
  • Target version set to 2.2

fixed by implementing the appropriate behavior per RFC 3927 - block it.

#3 Updated by Brandon Jackson over 1 year ago

Except with no way to disable this rule, this can affect bridged interfaces, and since the rule is processed so far in advance you cannot make a rule to allow said traffic without giving up filtering the bridge completely. It can also cause spam to the default block log.

#4 Updated by Jim Pingle over 1 year ago

There is no GUI knob to disable it, but there is a setting. You can set it in the config.xml directly or via PHP (e.g. Diag > Command, PHP Execute box):

// Set the hidden knob that suppresses the APIPA block rule
$config['system']['no_apipa_block'] = true;
// Persist the change to config.xml with a description for the config history
write_config("Disable APIPA Blocking rule");

#5 Updated by Brandon Jackson over 1 year ago

Jim Pingle wrote:

There is no GUI knob to disable it, but there is a setting. You can set it in the config.xml directly or via PHP (e.g. Diag > Command, PHP Execute box):

[...]

Alright, I'll try that, seems reasonable.
