Broadcast and Loopback

Discussion in 'other firewalls' started by Dazed_and_Confused, Mar 20, 2004.

Thread Status:
Not open for further replies.
  1. Dazed_and_Confused

    Dazed_and_Confused Registered Member

    Joined:
    Mar 4, 2004
    Posts:
    1,831
    Location:
    USA
    Over the last few weeks, I've received numerous applications requesting access to the IP addresses 255.255.255.255 (Broadcast) and 127.0.0.1 (Loopback). As opposed to individually giving apps access to these addresses, one option is to simply add these addresses to my firewall's (Zone Alarm Pro) Trusted Zone, which is generally reserved for the local network. Unless I'm mistaken, these two addresses ARE addresses within my local network (traffic to these IPs never leaves the local network). So, is there any security risk to placing these addresses within my Trusted Zone?
     
  2. CrazyM

    CrazyM Firewall Expert

    Joined:
    Feb 9, 2002
    Posts:
    2,428
    Location:
    BC, Canada
    Hi Dazed_and_Confused

    Broadcast traffic can be a normal thing to see depending on your setup.

    As noted in this post of yours, an outbound broadcast by your system is part of obtaining and maintaining a dynamic IP (DHCP). In a home LAN the DHCP server would typically be your router. A stand-alone system's broadcasts would be handled by its ISP's DHCP servers. These outbound bootp broadcasts are OK to allow, and you can safely block any inbound broadcasts of this type. You will still need to allow inbound UDP responses from your DHCP server.

    If you are on a LAN with file and printer sharing enabled, you will likely also see UDP netbios broadcasts. This can be allowed by trusting the entire local network (i.e. 192.168.1.0/255.255.255.0), or with a rule-based firewall this traffic could be restricted to defined systems on the LAN.

    These are two common types of broadcast traffic most users may encounter. If you are in doubt about anything else, the general rule of thumb is to block first, then determine what it is and if it's required.

    Loopback or localhost traffic, where both the remote and local addresses are your system, is safe to allow (just your system talking to itself). Depending on the firewall being used, you would need to pay attention to loopback traffic when using any proxy-type software.

    Edit:
    Not all firewalls allow for filtering of loopback/localhost traffic. Some will allow all (hard coded in), others will allow for rules to be configured.

    Regards,

    CrazyM
     
  3. Dazed_and_Confused

    CrazyM,

    Thanks. This is really helpful. I've been doing some reading on IP protocol, etc, and I'm starting to understand how this stuff works!

    I believe what you're saying is that since my IP address is obtained dynamically (I've got a DSL Modem/Router with DHCP enabled), my PC has to occasionally talk to the router to determine what my computer's IP address is, and this communication is to the IP address 255.255.255.255 (Broadcast). Right?

    When it comes to the Internet Zone, I make a point to only give apps outbound permission to specific IP addresses (or ranges), and also limit apps to outbound communication by protocol (UDP or TCP) and by port. So with so many apps requesting permission to 127.0.0.1, I found it easier to simply add that address to the Trusted Zone rather than create permissions for each app.

    And since as you stated 127.0.0.1 is simply my computer talking to itself, that is not really Internet traffic anyway, so adding it to the Trusted Zone makes sense (and doesn't appear to present any security issues).

    So... If 255.255.255.255 is my computer talking to my router, that also sounds like local traffic. Wouldn't it also make sense to add 255.255.255.255 to the Trusted Zone?

    Thanks again! I'd add a Smiley Face, but I can't seem to get them to work :D
     
  4. CrazyM

    Yes, the outbound UDP will have a source port of 68, destination port 67 and destination address of 255.255.255.255.

    The corresponding inbound UDP will have a source port of 67, source address of your DHCP server and destination port 68.

    You will sometimes see these broadcasts blocked inbound by your firewall, which is OK.

    By trusted zone, did you put in Local or Internet? Local should be OK, but not being a ZAP user I'm not sure it is required or desirable in the Internet zone.

    I would suggest adding your LAN subnet (i.e. 192.168.1.0/255.255.255.0) to your Local trusted zone if you have not already done so. This would cover off the broadcast traffic as well. Providing you trust the other systems, this should suffice without having to create more complicated custom rules.

    Regards,

    CrazyM
     
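As an added example (not from this thread, and not ZoneAlarm's own logic): a small Python classifier that applies the rules of thumb from posts 2 and 4 in order, so you can check what a given packet would be allowed or blocked as. The LAN subnet 192.168.1.0/24 and the DHCP port pairs come from the thread; the DHCP server address 192.168.1.1, the zone-by-remote-address model, and the sample packets are assumptions/constructed for the example.

```python
import ipaddress
from dataclasses import dataclass

LAN_SUBNET = ipaddress.ip_network("192.168.1.0/24")   # subnet CrazyM suggests trusting
DHCP_SERVER = ipaddress.ip_address("192.168.1.1")     # assumed router / DHCP server
BROADCAST = ipaddress.ip_address("255.255.255.255")
LOOPBACK_NET = ipaddress.ip_network("127.0.0.0/8")


@dataclass(frozen=True)
class Packet:
    direction: str   # "in" or "out", relative to this host
    proto: str       # "udp" or "tcp"
    src: str
    dst: str
    sport: int
    dport: int


def in_trusted_subnet(ip: str) -> bool:
    """Would a subnet-only trusted zone match this address?
    Shows why 127.0.0.1 and 255.255.255.255 had to be added separately."""
    return ipaddress.ip_address(ip) in LAN_SUBNET


def classify(pkt: Packet) -> str:
    src, dst = ipaddress.ip_address(pkt.src), ipaddress.ip_address(pkt.dst)
    # Assumption: zone membership is decided by the *remote* address.
    remote = src if pkt.direction == "in" else dst
    udp = pkt.proto == "udp"
    # 1. Loopback: the host talking to itself, safe to allow.
    if src in LOOPBACK_NET and dst in LOOPBACK_NET:
        return "allow: loopback"
    # 2. Outbound DHCP client broadcast: UDP 68 -> 67 to 255.255.255.255.
    if pkt.direction == "out" and udp and dst == BROADCAST \
            and pkt.sport == 68 and pkt.dport == 67:
        return "allow: dhcp client broadcast"
    # 3. Inbound DHCP reply: UDP 67 -> 68 from our DHCP server (dst may be the
    #    offered address or the broadcast address, so check this before rule 5).
    if pkt.direction == "in" and udp and src == DHCP_SERVER \
            and pkt.sport == 67 and pkt.dport == 68:
        return "allow: dhcp server reply"
    # 4. Trusted LAN by remote address; covers netbios broadcasts from LAN hosts.
    if remote in LAN_SUBNET:
        return "allow: trusted lan"
    # 5. Any other inbound broadcast (e.g. other people's DHCP traffic): block.
    if pkt.direction == "in" and dst == BROADCAST:
        return "block: inbound broadcast"
    # 6. Rule of thumb: block first, then work out what it is.
    return "block: default"
```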
  5. Dazed_and_Confused

    CrazyM,

    Thanks. ;)

    Yes. Placed 127.0.0.1 in Trusted Zone, which in ZAP is typically reserved for Local traffic.

    Yes. Done that a couple of weeks ago. But since the IP 127.0.0.1 does not match the subnet mask, it didn't recognize 127.0.0.1 as part of the local zone; I had to add that separately.

    Same issue with 255.255.255.255. From what you've said previously, I believe it's OK to place that IP in the Trusted Zone (Local Zone for non-ZAP aficionados) too. Agreed?

    Regards,

    Dazed
     
  6. CrazyM

    If you have added your local subnet properly, I am curious as to what broadcast alerts you would be seeing. Do you have any log entries you could post?

    Regards,

    CrazyM
     