
D-Link NetDefendOS

912 pages
SAT translation can be used with broadcast packets if appropriate. With SAT translation the
destination address would always be the broadcast address.
NAT
NAT translation cannot be used with broadcast packets in transparent mode. The packets will
be dropped and a log message will be generated when they encounter the NAT IP
rule/policy.
NAT can be used with broadcast packets in non-transparent mode routing. This might be
appropriate in some unusual networking scenarios.
Transparent Mode Broadcast Forwarding is Always Stateless
It is important to note that broadcast packets are always forwarded statelessly by NetDefendOS
when in transparent mode. In other words, even if an IP rule with an action of Allow permits
transparent mode broadcast packets to flow, they will be forwarded as though the rule had an
action of FwdFast.
Stateless forwarding is enforced because packets may need to be duplicated and
transmitted on multiple interfaces. For normal, non-transparent routes where broadcast packets
are not duplicated, a normal Allow rule or policy could be used and the traffic will be treated
statefully. A stateful rule/policy has the advantage of using fewer hardware resources to process
broadcast packets when many are coming from the same source.
Only Triggering an IP Rule/Policy on Broadcast Packets
When creating an IP rule or IP policy which triggers only on broadcast packets, the Destination
Network property should be set to be the broadcast IP address. However, the Source Network
should be the network to which the broadcast address belongs. For example, a broadcast packet
for the IPv4 network 10.0.0.0/8 will have the destination address 10.255.255.255 (the highest IP
address in the network). So in an IP rule or IP policy targeting these packets, the Source Network
property should be set to 10.0.0.0/8 and the Destination Network property should be set to
10.255.255.255.
Log Messages for Broadcast Packets
Log messages are only generated for broadcast packets that trigger an IP rule or IP policy when
in transparent mode (using switch routes). There are only two messages that can be generated:
allow_broadcast
This log message is generated each time a broadcast packet triggers an IP rule or IP policy
with an action of Allow in transparent mode. It indicates that the packet has been forwarded
statelessly as though the rule had an action of FwdFast (or the policy was a Stateless Policy). A
typical log message of this type will look similar to the following:
prio=Notice id=06000016 rev=1 event=allow_broadcast
action=stateless_fwd rule=a recvif=If3 srcip=192.168.100.25
destip=192.168.100.255 ipproto=UDP ipdatalen=58 srcport=137
destport=137 udptotlen=58
It should be noted that this event message will be generated for every interface that the
broadcast packet is sent on. For example, if interfaces if1, if2 and if3 are all defined as being
on the same network using transparent mode, a broadcast packet for the network could
trigger a rule/policy twice, generating two log messages. This is because the broadcast
packet would arrive on one interface and would need transmitting on the other two.
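
The following Python sketch is an added example, not part of the NetDefendOS manual. It derives the Source Network and Destination Network values described above for a broadcast-only rule, then tallies allow_broadcast messages per sender. It assumes each message arrives as a single line of space-separated key=value fields; the function names and all sample lines other than the manual's own message are constructed for illustration.

```python
import ipaddress
from collections import Counter

# Constructed sample input. Line 1 is the manual's example joined onto one line,
# line 2 is its copy for a second egress interface, lines 3-4 are invented.
SAMPLE_LOG = """\
prio=Notice id=06000016 rev=1 event=allow_broadcast action=stateless_fwd rule=a recvif=If3 srcip=192.168.100.25 destip=192.168.100.255 ipproto=UDP ipdatalen=58 srcport=137 destport=137 udptotlen=58
prio=Notice id=06000016 rev=1 event=allow_broadcast action=stateless_fwd rule=a recvif=If3 srcip=192.168.100.25 destip=192.168.100.255 ipproto=UDP ipdatalen=58 srcport=137 destport=137 udptotlen=58
prio=Notice id=06000016 rev=1 event=allow_broadcast action=stateless_fwd rule=a recvif=If1 srcip=192.168.100.77 destip=192.168.100.255 ipproto=UDP ipdatalen=209 srcport=138 destport=138 udptotlen=209
prio=Notice id=06000016 rev=1 event=allow_broadcast action=stateless_fwd rule=a recvif=If2 srcip=10.1.2.3 destip=10.255.255.255 ipproto=UDP ipdatalen=58 srcport=137 destport=137 udptotlen=58
"""

def parse_fields(line):
    """Split a space-separated key=value log message into a dict."""
    return dict(tok.split("=", 1) for tok in line.split() if "=" in tok)

def broadcast_rule_networks(cidr):
    """Return (Source Network, Destination Network) for a broadcast-only rule."""
    net = ipaddress.ip_network(cidr)
    return str(net), str(net.broadcast_address)

def summarize_broadcasts(log_text, cidr):
    """Count allow_broadcast events per (srcip, ipproto, destport) for one network.

    A packet is logged once per interface it is sent on, so the counts measure
    forwarded copies, not distinct packets. Events that do not fit the
    network/broadcast pair are returned separately for review.
    """
    net = ipaddress.ip_network(cidr)
    bcast = broadcast_rule_networks(cidr)[1]
    counts, unexpected = Counter(), []
    for line in log_text.splitlines():
        f = parse_fields(line)
        if f.get("event") != "allow_broadcast":
            continue
        try:
            in_net = ipaddress.ip_address(f.get("srcip", "")) in net
        except ValueError:  # missing or malformed source address
            in_net = False
        if in_net and f.get("destip") == bcast:
            counts[(f["srcip"], f.get("ipproto"), f.get("destport"))] += 1
        else:
            unexpected.append(f)
    return counts, unexpected

if __name__ == "__main__":
    print(broadcast_rule_networks("10.0.0.0/8"))
    print(summarize_broadcasts(SAMPLE_LOG, "192.168.100.0/24"))
```

When reading the tallies, divide by the number of other interfaces on the same transparent-mode network to estimate distinct packets per sender.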
Chapter 4: Routing
305
