
Bug #2073

closed

APIPA broadcasts forwarded by route-to

Added by Chris Buechler over 12 years ago. Updated over 4 years ago.

Status: Resolved
Priority: Normal
Assignee: -
Category: Operating System
Start date: 01/05/2012
% Done: 0%
Affected Version: All

Description

If there is a host with an APIPA IP sending broadcasts that match a route-to rule, the traffic gets forwarded by route-to. antispoof should block that scenario, since that IP subnet isn't defined on the source interface. We should change route-to so it never forwards anything destined to a broadcast MAC address, to prevent such scenarios.

To work around it, just add a rule to block APIPA, 169.254.0.0/16. Or, ideally, don't use overly permissive rulesets; the default rules will not permit this to happen.

Actions #1

Updated by Chris Buechler almost 12 years ago

  • Description updated (diff)
Actions #2

Updated by Chris Buechler over 9 years ago

  • Status changed from New to Resolved
  • Target version set to 2.2

Fixed by implementing the appropriate behavior per RFC 3927 - block it.
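The forwarding decision described in the report and the RFC 3927 block from this comment, modelled as an added Python example (not pfSense code): the Packet fields, rule order, helper names and sample traffic are this example's own assumptions, and the traffic is constructed.

```python
"""Model of the APIPA forwarding decision discussed in this ticket (added example)."""
import ipaddress
from dataclasses import dataclass

APIPA_NET = ipaddress.ip_network("169.254.0.0/16")  # IPv4 link-local, RFC 3927
BROADCAST_MAC = "ff:ff:ff:ff:ff:ff"


@dataclass(frozen=True)
class Packet:  # minimal packet model assumed for this example
    src_ip: str
    dst_ip: str
    dst_mac: str


def is_link_local(addr: str) -> bool:
    return ipaddress.ip_address(addr) in APIPA_NET


def verdict(pkt: Packet, no_apipa_block: bool = False) -> str:
    """Outcome for one packet that would otherwise match a route-to rule.

    Order matters: the APIPA block sits ahead of user rules (which is why it
    cannot be overridden by a later pass rule), then the broadcast-MAC guard
    proposed in the description, then normal route-to forwarding.
    """
    # RFC 3927 section 2.7: a router must not forward a packet whose source
    # or destination is link-local. Skipped only when the config knob is set.
    if not no_apipa_block and (is_link_local(pkt.src_ip) or is_link_local(pkt.dst_ip)):
        return "block: link-local (RFC 3927)"
    # A frame addressed to the broadcast MAC stays on its own segment.
    if pkt.dst_mac.lower() == BROADCAST_MAC:
        return "pass: broadcast MAC, not forwarded by route-to"
    return "route-to: forwarded"


def run_samples(no_apipa_block: bool = False) -> dict:
    """Run constructed sample traffic (not captured data) through verdict()."""
    samples = {
        "apipa_broadcast": Packet("169.254.10.7", "255.255.255.255", BROADCAST_MAC),
        "apipa_unicast": Packet("169.254.10.7", "203.0.113.5", "00:11:22:33:44:55"),
        "lan_unicast": Packet("192.168.1.20", "203.0.113.5", "00:11:22:33:44:55"),
        "lan_broadcast": Packet("192.168.1.20", "192.168.1.255", BROADCAST_MAC),
    }
    return {name: verdict(p, no_apipa_block) for name, p in samples.items()}


if __name__ == "__main__":
    for knob in (False, True):
        print(f"no_apipa_block={knob}: {run_samples(knob)}")
```

Running it with the knob set shows that disabling the block alone lets APIPA unicast traffic reach route-to again, while the broadcast-MAC guard still keeps the broadcast case local.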

Actions #3

Updated by Brandon Jackson about 7 years ago

Except with no way to disable this rule, this can affect bridged interfaces, and since the rule is processed so far in advance you cannot make a rule to allow said traffic without giving up filtering the bridge completely. It can also cause spam in the default block log.

Actions #4

Updated by Jim Pingle about 7 years ago

There is no GUI knob to disable it, but there is a setting. You can set it in the config.xml directly or via PHP (e.g. Diag > Command, PHP Execute box):

$config['system']['no_apipa_block'] = true;
write_config("Disable APIPA Blocking rule");

Actions #5

Updated by Brandon Jackson about 7 years ago

Jim Pingle wrote:

There is no GUI knob to disable it, but there is a setting. You can set it in the config.xml directly or via PHP (e.g. Diag > Command, PHP Execute box):

[...]

Alright, I'll try that, seems reasonable.
