It’s not that simple. Far from it, in fact. It has to do with the destination “IP address”, 239.255.255.250. That is a called a multicast IP address. That is not a simple IP address that gets addressed like any other. It’s a very specialized address.
There are two different types of broadcasts, unicast, which takes the uppermost IP address of the netblock you’re using, then sending UDP traffic to it. Furthermore, we are talking about IPv4, or 32-bit IP addresses. In the case of my subnet, which is 512 IP addresses, homed at 192.168.0.0/23 (or "192.168.0.0 netmask 255.255.254.0), the uppermost address that is called the “broadcast address” is 192.168.1.255. For example, NetBIOS uses UDP port 137 via the unicast broadcast to locate hosts on the subnet. Other ports have other purposes, but there are only 65536 ports.
Multicast, on the other hand use VERY SPECIFIC IP ADDRESSES for specific purposes. Software that uses multicast have to listen for traffic directed to these “IP addresses”. In my case, the address in question, 239.255.255.250, is for SSDP, or Simple Service Discovery Protocol. Basically, going a bit lower, specifically to the IP layer, instead of having to figure out which IP address is the broadcast address, the plugin in my OBS Studio installs send traffic to the "IP address " 239.255.255.250 on various UDP ports, advertising the names of various streams the program is outputting. If other OBS Studio instances on my network have that plugin installed used as receivers, they have a dialog to ask the user to select which stream to listen to, then connect to it based on the source address, in this case, my main PC at 192.168.0.128. As for the port numbers, I would have to read the source code for the plugin (entirely in Go, so I have to learn Go; I’m more a C/Perl person), which I have at a rather basic level.
Multicast also allows a machine with multiple interfaces to send the same broadcast on all interfaces without having to adapt (other than source IP) for each subnet it talks on.
For more information, I suggest reading RFC 5771 at the Internet Engineering Task Force’s (IETF’s) website. I’ll link it again for your convenience:
https://datatracker.ietf/org/doc/html/rfc5771
For netblock 239.0.0.0/8 (239.0.0.0 netmask 255.0.0.0), near the end of which SSDP finds itself, refer to section 10 of RFC 5771 above, or for more specificity, there’s RFC 2365. I’ll link it as well:
https://datatracker.ietf.org/doc/html/rfc2365
Once you have a basic understanding of multicast, you’ll understand my dilemma. Unless unicast support is written in to this plugin, I cannot use it while I have Comodo Firewall installed, unless there’s a rule I can use to make it work. I can at least track its emission from the source, but I cannot even DETECT it from other computers on my network, especially the one I want to actually use it on if either CIS or CFW is installed. Given what research I’ve done, apparently, there are reflective DDoS attacks using outside, forged packets sent to the target network. SSDP is meant to be used on a local network and should never be used from the outside. This is just like how you block directed unicast UDP broadcasts.
I hope this makes things somewhat clearer.
The rule is something like this:
allow from 192.168.0.0/23 any udp port to 239.255.255.250 any udp port.
So you know, that is NOT a typo. I use a 512-address subnet, hence the 23-bit subnet mask.
On the sender side, that works until the cows come home. I can even log when it happens. In fact, one of the screenies I posted above is that very log, and it’s the ONLY rule I even logged for the sake of this test.
On the receiver side, it -SHOULD- work. The receiver -SHOULD- say to a packet with these source and destination IPs, “allow if it’s from this subnet and it goes to the SSDP multicast address”. Only it doesn’t even go up the stack when that rule is put in. I’ve even told Comodo to log when the rule gets fired. It doesn’t even get that far, likely due to mitigation for the aforementioned SSDP DDoS attack.
–Katt. =^.^=
REVISION: I did say I used it as an application-level rule. I hadn’t tried it fully at the global level. I figured it SHOULD still work, but that makes sense for other applications that use SSDP. It’s just that RFC 1918 IPs have to be blocked at the border (which they are by default, being pfSense having those rules in there from the outset).