Netgate Discussion Forum

Log shows outgoing traffic from 'localhost'?

  • C
    ChrisJenk
    last edited by Aug 8, 2022, 7:11 AM

    In the Firewall log I am seeing quite a lot of entries like this:

    Aug 8 07:40:23 LAN Default deny rule IPv4 (1000000102) 127.0.0.1:19005 10.0.200.28:65002 TCP:RA

    And there is a small arrow in a circle symbol in front of the word 'LAN' which, when I hover my mouse over it, says 'direction is out'. I have three questions:

    1. Why am I seeing this traffic (I don't see how 127.0.0.1 can send anything to a non local address)?

    2. What exactly does the 'direction is out' mean? I haven't noticed that on any other firewall log messages.

    3. Is there a way to suppress these log messages since they seem to be simply clutter?

    Thanks.

    • G
      Gertjan @ChrisJenk
      last edited by Aug 8, 2022, 7:55 AM

      @chrisjenk

      See this file : /tmp/rules.debug

      # block IPv4 link-local. Per RFC 3927, link local "MUST NOT" be forwarded by a routing device,
      # and clients "MUST NOT" send such packets to a router. FreeBSD won't route 169.254./16, but
      # route-to can override that, causing problems such as in redmine #2073
      block in  quick from 169.254.0.0/16 to any ridentifier 1000000101 label "Block IPv4 link-local"
      block in  quick from any to 169.254.0.0/16 ridentifier 1000000102 label "Block IPv4 link-local"
      

      There you have the 1000000102 rule identifier.

      Check out what RFC 3927 means. It can not be 127.0.0.1 ....

      I'm as much surprised as you.

      No "help me" PM's please. Use the forum, the community will thank you.
      Edit : and where are the logs ??

      • C
        ChrisJenk @Gertjan
        last edited by Aug 8, 2022, 8:12 AM

        @gertjan said in Log shows outgoing traffic from 'localhost'?:

        @chrisjenk

        See this file : /tmp/rules.debug

        # block IPv4 link-local. Per RFC 3927, link local "MUST NOT" be forwarded by a routing device,
        # and clients "MUST NOT" send such packets to a router. FreeBSD won't route 169.254./16, but
        # route-to can override that, causing problems such as in redmine #2073
        block in  quick from 169.254.0.0/16 to any ridentifier 1000000101 label "Block IPv4 link-local"
        block in  quick from any to 169.254.0.0/16 ridentifier 1000000102 label "Block IPv4 link-local"
        

        There you have the 1000000102 rule identifier.

        Check out what RFC 3927 means. It can not be 127.0.0.1 ....

        I'm as much surprised as you.

        On my system, examining rules.debug shows this for that rule ID:

        block out log inet all ridentifier 1000000102 label "Default deny rule IPv4"

        This makes more sense in terms of matching up with the log entry but is also strange because I have my own custom 'Deny all' rule as the last one in my LAN ruleset and it is set to not log. So it seems like a rule for IPv4+IPv6, any protocol, with a source of 'any' does not match localhost. Could that be a bug?

        • G
          Gertjan @ChrisJenk
          last edited by Aug 8, 2022, 8:58 AM

          @chrisjenk said in Log shows outgoing traffic from 'localhost'?:

          block out log inet all ridentifier 1000000102 label "Default deny rule IPv4"

          It shows more than that.

          Look at the 3 lines above :

          #---------------------------------------------------------------------------
          # default deny rules
          #---------------------------------------------------------------------------
          

          Go to Status > System Logs > Settings and remove the check from :

          [screenshot: login required to view]

          No "help me" PM's please. Use the forum, the community will thank you.
          Edit : and where are the logs ??
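
The lookup both posters do by hand, as an added example (not code from the thread or from pfSense): take the tracker ID from the GUI log line, list every rule in `rules.debug`-style text that carries that `ridentifier`, and check whether the rule's label is the one the log entry shows. The function names are hypothetical, and the sample text is constructed from the log line and the two excerpts quoted in the posts above.

```python
import re
import shlex

# Constructed samples: the two rules.debug excerpts and the log line from the thread.
RULES_GERTJAN = '''\
block in  quick from 169.254.0.0/16 to any ridentifier 1000000101 label "Block IPv4 link-local"
block in  quick from any to 169.254.0.0/16 ridentifier 1000000102 label "Block IPv4 link-local"
'''
RULES_CHRISJENK = '''\
# default deny rules
block out log inet all ridentifier 1000000102 label "Default deny rule IPv4"
'''
LOG_LINE = ("Aug 8 07:40:23 LAN Default deny rule IPv4 (1000000102) "
            "127.0.0.1:19005 10.0.200.28:65002 TCP:RA")


def parse_rules(text):
    """Map each ridentifier to the rules that carry it (hypothetical helper)."""
    rules = {}
    for line in text.splitlines():
        if line.lstrip().startswith("#") or "ridentifier" not in line:
            continue  # comments, tables, options: no tracker ID to index
        try:
            tok = shlex.split(line)  # keeps the quoted label as one token
            i = tok.index("ridentifier")
            head = tok[:i]
            rule = {
                "action": head[0],
                "direction": next((t for t in head[1:3] if t in ("in", "out")), "any"),
                "log": "log" in head,
                "label": tok[tok.index("label") + 1] if "label" in tok else "",
            }
            rules.setdefault(tok[i + 1], []).append(rule)
        except (ValueError, IndexError):
            continue  # a line this simple tokenizer cannot handle
    return rules


def explain(log_line, rules_text):
    """Return (tracker_id, rules with that ID), flagging labels that appear in the log line."""
    m = re.search(r"\((\d+)\)", log_line)
    if not m:
        return None, []
    hits = parse_rules(rules_text).get(m.group(1), [])
    return m.group(1), [dict(r, label_in_log=bool(r["label"]) and r["label"] in log_line)
                        for r in hits]


if __name__ == "__main__":
    for name, text in (("Gertjan", RULES_GERTJAN), ("ChrisJenk", RULES_CHRISJENK)):
        print(name, explain(LOG_LINE, text))
```

Run against the two excerpts, the same ID resolves to an inbound link-local block in one file and to the logged outbound default deny in the other, and only the latter's label matches the log entry.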

          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.