Network Bridge flooding our network with traffic and broadcasts

Posted on 2004-11-23
Last Modified: 2013-12-07

Our network is connected via bridge to another local government network and we have no control of the bridging routers.

The other network is now flooding our network with broadcasts and we can see their network and they can see ours.

I want to be able to stop this, the broadcasts, and only allow certain ports through.

Our network is and the other network is and

Bearing in mind I have no control of the bridge and the other network cannot make any changes, what is the best way to do inline filtering/firewalling?

I did consider a Linux firewall with 2 network cards on a spare PC, but this is different from a normal configuration as both network cards would need to have IP addresses.

Any thoughts?

Question by: lhank
    LVL 2

    Expert Comment

    You will certainly have to insert something. A firewall will require you to allow access to the other side and will require coordination from them to access resources on both sides. I assume the bridge is because it needs to be unmanaged access between the 3 subnets? A firewall will stop the broadcast traffic; however, you will have lots of connectivity issues to resolve one at a time and, depending on what resources are being shared, could end up with little gain.

    If you don't share anything on their side, or them on yours, then put in a firewall and never hear from them again.
    LVL 8

    Expert Comment

    As you speak of bridging, I consider your network to have subnet. Then there is no need to have a 10.2.x.x IP to reach any of your IPs, as there is no routing function.

    It's a difficult situation, as you have to filter something, but you shouldn't do so, because then how do you distinguish between good and bad broadcasts? All will send broadcasts on and you have to let this go through if you want to connect to the other side.

    In my opinion, you should subnet your network to a subnet on both sides with a router in between.


    Author Comment

    Thanks for the replies.

    The networks were originally accessing each others servers, but this is no longer the case.

    The remote network no longer accesses anything on our network and we only use TCP port 3389 Terminal Services and TCP port 22 Telnet to access servers on theirs.

    So inserting a firewall should not cause any issues, except blocking their traffic and only allowing the ports above through from ours.

    I can't subnet our network as we inherited it and it is currently just a flat setup. We have over 600 PCs and servers, and it is not going to be possible in the foreseeable future.

    What I'm also asking is: can I use a Linux firewall with 2 network cards, or would I need something more specialised? If so, what?

    LVL 2

    Expert Comment

    If you already know how to configure a Linux firewall then it should work. For my tax money :) I would put in a PIX of some kind; they are at least easy to configure. I would think any professional-level firewall would work.
    A router will not work since there is no port control.
    Linux has many free software bundles; however, in my searches to do this I did not find any free firewall packages (not an exhaustive search), and I spent a lot of time working to configure ipchains.
    It can be a fun project, but I would make sure you had lots of time to do it.
    LVL 8

    Accepted Solution

    I think there will be trouble setting up a firewall... you can't route (and therefore distinguish) between two networks when they have the same network number (here

    Imagine the following constellation:

    [your net PC1] --------------------- [linux firewall] ------------------------ [their net PC2]
          |                                           |         |                                             |  

    If you now want to reach PC2 from PC1, you have to say to network1:
    "I'm searching go out and seek the network, because that is the network of the searched IP"
    The Linux firewall will answer:
    "Well, you have on your own side - I don't route your packet anywhere (only if you insert a HOST route for this special HOST)"

    c u l8r... I have to eat :-)
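The objection above applies to a routing firewall. What the original question actually describes (two NICs, inline, same network on both sides) is a transparent bridging firewall, where the box switches frames between the NICs and filters them on the way through, and neither NIC needs an IP address. The script below is an added example, not code from the thread or from any of its posters. It assumes eth0 faces our network and eth1 faces theirs, uses ebtables and iptables with the br_netfilter module on a current kernel (not the ipchains mentioned in the thread), and implements exactly the policy the author stated: only TCP 3389 and TCP 22 opened from our side cross the bridge, and nothing from their side, broadcasts included, reaches ours.

```shell
#!/bin/sh
# Added example: a Linux box with two NICs as a transparent (bridging)
# firewall between two segments that share one IP subnet.
# Assumptions, not from the thread: eth0 faces our network, eth1 faces
# theirs; only TCP 3389 and TCP 22 opened from our side may cross.
# Uses ebtables/iptables with br_netfilter (current kernel).
OUR_IF=${OUR_IF:-eth0}
THEIR_IF=${THEIR_IF:-eth1}
BR=${BR:-br0}

# TCP ports our side is allowed to open towards theirs (the author's list).
allowed_ports() { echo "3389 22"; }

# Print the full command set. Printing first (rather than executing)
# lets the rules be reviewed; "apply" feeds them to a root shell.
build_rules() {
    cat <<EOF
# Bridge the two NICs. Neither NIC nor the bridge needs an IP address:
# frames are switched, not routed, so the "same network number on both
# sides" problem never arises.
ip link add name $BR type bridge
ip link set $OUR_IF master $BR
ip link set $THEIR_IF master $BR
ip link set $OUR_IF up
ip link set $THEIR_IF up
ip link set $BR up
# Hand bridged IPv4 frames to iptables so port rules can be applied.
modprobe br_netfilter
sysctl -w net.bridge.bridge-nf-call-iptables=1
# Layer 2: drop every non-IP protocol (IPX, NetBEUI and similar
# broadcasts). ARP must still cross: with no router between the
# segments, our PCs resolve their servers' MAC addresses directly.
ebtables -P FORWARD DROP
ebtables -F FORWARD
ebtables -A FORWARD -p ARP -j ACCEPT
ebtables -A FORWARD -p IPv4 -j ACCEPT
# Layer 3/4: default deny in both directions; IP broadcasts from their
# side fall through to this policy and are dropped.
iptables -P FORWARD DROP
iptables -F FORWARD
# Replies to sessions our side opened.
iptables -A FORWARD -m physdev --physdev-in $THEIR_IF --physdev-out $OUR_IF -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
EOF
    for port in $(allowed_ports); do
        echo "iptables -A FORWARD -m physdev --physdev-in $OUR_IF --physdev-out $THEIR_IF -p tcp --dport $port -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT"
    done
    cat <<EOF
# Log a sample of what their side sends so the flooding hosts can be
# identified from the kernel log; the DROP policy then discards it.
iptables -A FORWARD -m physdev --physdev-in $THEIR_IF -m limit --limit 10/min -j LOG --log-prefix "bridge-fw drop: "
EOF
}

# Execute the printed commands (run as root on the bridge box).
apply_rules() { build_rules | sh -e; }

if [ "${1:-}" = apply ]; then apply_rules; fi
```

Run it without arguments to review the generated rules, and with `apply` on the bridge box itself to install them. Two caveats worth knowing before relying on it: ARP requests are themselves broadcasts and have to be allowed through for the two permitted services to work at all (the thread's point about not being able to tell good broadcasts from bad applies to ARP, so the example drops everything else instead), and because the bridge carries no IP address the box has to be managed from its console or a third NIC.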
    LVL 8

    Expert Comment

    Follow-up:
    The Linux firewall will see no difference between both sides - both are so both NICs of the FW will believe that the network is on their side (and that is true!).

    Does anybody know from his config that I'm wrong?

    Author Comment

    Thanks again for the replies. I was hoping someone had heard of an inline firewall with port control, preferably using Linux (cheapest option, as we can't spend any money unless we really had to).

    It looks like the best way to resolve this is to set up a Linux firewall and do some testing. As you said, Fitcher, it can be a fun project.

    I'll wait a day or so for any more replies and then close the call.

    Thanks for your advice Holger and Fitcher.
    LVL 2

    Expert Comment

    A PIX will do port translations, and will route a little if you think it through. The point is that a router routes. It decides what path a packet should be sent down (from more than one choice), and a firewall blocks traffic based on rules. Generally you can't use one for the other. No matter what you do, you will have to design your routing table. Your post said you were trying to stop broadcast traffic. A router will not do that. So you have decided to use Linux; you will need some sort of firewall software, because while you can easily devise a router, you still will not block the broadcast traffic. When I got started with a similar project I started looking for ipchains but never got that far before moving to a different task.

    Good luck, you are about to know subnet masking cold.
