Is this a firewall bug or am I doing something wrong?
-
Hope someone can help me… I am trying to keep entries like this:
Apr 18 14:43:17 VLAN1 (1000002620) 172.16.0.4:5353 224.0.0.251:5353 UDP
out of my logs. There is a bug in the Cisco SG300 that doesn't allow me to turn off mDNS.
The SG300 interface generates 1 log entry every 5 seconds.
Apr 18 14:43:17 CORE FLOAT: QUIET: Block mDNS Noise from SG300 (1492536937) 172.16.50.254:5353 224.0.0.251:5353 UDP
Apr 18 14:43:17 VLAN1 (1000002620) 172.16.0.4:5353 224.0.0.251:5353 UDP
Apr 18 14:43:12 CORE FLOAT: QUIET: Block mDNS Noise from SG300 (1492536937) 172.16.50.254:5353 224.0.0.251:5353 UDP
Apr 18 14:43:12 VLAN1 (1000002620) 172.16.0.4:5353 224.0.0.251:5353 UDP
I created an alias:
SG300_Interface 172.16.0.4, 172.16.50.254
and a floating rule:
States   Protocol   Source            Port   Destination   Port   Gateway   Queue   Schedule
         IPv4 UDP   SG300 Interface   *      224.0.0.251   5353   *         none
As can be seen from the log, my rule traps 172.16.50.254 but not 172.16.0.4
On inspection of /tmp/rules.debug
The alias is being created correctly:
table <sg300_interface>{ 172.16.0.4 172.16.50.254 }
and the block rule seems to be OK as well:
User-defined rules follow
anchor "userrules/*"
…
block log quick on { em1 em1_vlan50 } inet proto udp from $SG300_Interface to 224.0.0.251 port 5353 tracker 1492536937 label "USER_RULE: FLOAT: QUIET: Block mDNS Noise from SG300"
The offending rule creating the log traffic is:
antispoof log for $LAN tracker 1000002620
Which is way further up in the rules, but there is a similar rule for the 172.16.50.X interface.
antispoof log for $CORE tracker 1000007870
just a few lines below rule 1000002620.
Running pfSense Version:
2.3.3-RELEASE (amd64)
built on Thu Feb 16 06:59:53 CST 2017
FreeBSD 10.3-RELEASE-p16
Can anyone give me any idea why these two addresses behave differently?
Have I found a bug or am I doing something wrong?
How can I best work around this?
-
It's logging and blocking that traffic because it's matching the antispoof rule.
Looks like it's coming into the VLAN interface from an IP that is in the LAN subnet. I assume the LAN is 172.16.0.4?
That's the expected behaviour. https://www.openbsd.org/faq/pf/filter.html#antispoof
Steve
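Steve's explanation can be checked mechanically against the log lines quoted above. The following is an added example, not code from the thread or from pfSense: it parses the filter-log format shown in the question and flags any entry whose source address belongs to a subnet owned by a different interface than the one it arrived on, which is exactly the condition `antispoof` blocks. The subnet masks and the VLAN1 subnet are assumptions for illustration.

```python
import ipaddress
import re

# Constructed sample in the format quoted in the question:
# <date> <interface> [<rule label>] (<tracker>) <src>:<port> <dst>:<port> <proto>
LOG_LINES = [
    "Apr 18 14:43:17 CORE FLOAT: QUIET: Block mDNS Noise from SG300 (1492536937) "
    "172.16.50.254:5353 224.0.0.251:5353 UDP",
    "Apr 18 14:43:17 VLAN1 (1000002620) 172.16.0.4:5353 224.0.0.251:5353 UDP",
]

# Assumed interface-to-subnet mapping: the thread implies LAN is 172.16.0.x and
# CORE is 172.16.50.x; the /24 masks and the VLAN1 subnet are assumptions.
IFACE_SUBNETS = {
    "LAN": ipaddress.ip_network("172.16.0.0/24"),
    "CORE": ipaddress.ip_network("172.16.50.0/24"),
    "VLAN1": ipaddress.ip_network("172.16.1.0/24"),
}

LOG_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<iface>\S+) (?P<label>.*?)"
    r"\((?P<tracker>\d+)\) (?P<src>[\d.]+):(?P<sport>\d+) "
    r"(?P<dst>[\d.]+):(?P<dport>\d+) (?P<proto>\w+)$"
)


def parse_line(line):
    """Split one filter-log line into its fields; the label may be empty."""
    m = LOG_RE.match(line)
    if not m:
        raise ValueError(f"unrecognised log line: {line!r}")
    fields = m.groupdict()
    fields["label"] = fields["label"].strip()
    return fields


def owning_interface(src_ip):
    """Return the interface whose subnet contains src_ip, or None."""
    ip = ipaddress.ip_address(src_ip)
    for name, net in IFACE_SUBNETS.items():
        if ip in net:
            return name
    return None


def antispoof_hit(line):
    """Return (ingress_iface, owning_iface) when the source address belongs to
    another interface's subnet (the case antispoof blocks), else None."""
    entry = parse_line(line)
    owner = owning_interface(entry["src"])
    if owner is not None and owner != entry["iface"]:
        return entry["iface"], owner
    return None
```

For the VLAN1 line the function reports that a LAN-subnet source arrived on VLAN1, so the tracker 1000002620 hit is the antispoof rule and not a failure of the floating block rule.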
-
Thanks for the reply… I didn't realize I had the IP address reconfigured.