how to stop logging blocked LAN IGMP?
-
@Bob-Dig if you put in a rule to block IGMP or the destination before it hits your allow rule that would match on the traffic (like an any/any rule, where it would see the IGMP and say "hey wait, this has IP options set" and block it instead of allowing it), then yes, your block rule without logging would work.
-
IGMP isn't a bad thing. On LAN interfaces, it is something you should pass rather than block.
If you really don't want to use IGMP, you should turn it off in your switch or router rather than blocking it on the firewall.
-
@dennypage good point.
I changed the 'silent block' to a 'silent pass', but it behaved the same as the default pass rule: it blocks IGMP (even though the rule is explicitly a pass) and logs each instance (even though the rule is set to not log).
It appears that the new release has some kind of special code path for this that defies normal handling.
So, back to blocking it. I don't have the skills or energy to turn off the IGMP sources on my LAN and I don't want those log entries.
-
@JeremyJ-0 You have to have IP options enabled in the pass rule.
Edit: Mine is a floating rule, but here's what it looks like:



-
@dennypage actually tried it both ways. same result. it's silent as a block rule, and noisy as a pass rule.


-
@JeremyJ-0 Source should be any rather than LAN subnets.
I edited my post above and put in my floating rule which handles IGMP.
-
@dennypage did my level best to match your rule: made mine floating, checked 'quick', changed direction to 'in'. It's not exact because I need it to apply to multiple sources where yours is specific to one, so I left source as 'all'.
Still getting deny entries in the log.
-
@JeremyJ-0 You do not need to restrict it. You can, and should, use "any" unless you have a good reason not to.
Do exactly this:


Make sure the rule is above your default allow.
-
@JeremyJ-0 Just to be sure, you are doing Apply Changes after modifying the rules, yes?
Btw, in Redmine 15415 there is a small patch that you can use to enhance the hover tooltip in the firewall log. It will show "block/ip-option" in the tooltip if the packet was blocked due to the presence of IP options.
-
@dennypage said in how to stop logging blocked LAN IGMP?:
It will show "block/ip-option" in the tooltip if the packet was blocked due to the presence of IP options.
Isn't that kind of obvious when the rule name is pass, but it's a block and the protocol is IGMP ;)
-
Yes, I 'apply changes' and wait for the filter to reload.
Update: after the last round of changes (moving rule to floating etc.) things were worse: the silent block rule was logging the blocked packets too.
I rebooted. The excess logging stopped.
Is there some part of the firewall that reads the rules on startup and does not re-read on a filter reload?
-
@JeremyJ-0 said in how to stop logging blocked LAN IGMP?:
Is there some part of the firewall that reads the rules on startup and does not re-read on a filter reload?
Not that I am aware of.
The reload of rules failing would explain your results however.
-
Ran into the same problem today. I tried the suggestions in this thread, short of rebooting, but none work for me on 25.07.1.
I was trying to get the rules and packages right to pass HDHomeRun traffic from my Entertainment VLAN to the other VLANs.
I have had no logging of IGMP packets before doing the following:
I added package avahi but that didn't do it, so I removed that.
I then found and did what is discussed in the following Reddit thread, which solved the problem with passing HDHomeRun traffic to my other VLANs:
https://www.reddit.com/r/PFSENSE/comments/1g2c9qb/hd_homerun_across_vlans/
- Added package udpbroadcastrelay, which by itself did not allow the HDHomeRun traffic to pass across my VLANs.
- Added a floating rule as specified. This rule does not log and allows the desired traffic.
Doing the above seems to have triggered the IGMP logging and there seems to be nowhere to turn it off. I get IGMP packet blocks on the Entertainment VLAN interface logged with a rule number I cannot locate anywhere. I went through all of my explicitly defined rules and none have the number referenced in the logs. (Aside: it would be EXTREMELY helpful to make these numbers hyperlinks that link back to the rule definition.)
I cannot reboot now but maybe will get a maintenance time at some point in the not-too-distant future.
This appears to be a noxious bug that would be valuable to fix. It consumes disk and log space with no value added, no request to do so, and no way to shut it off short of disrupting production with a reboot...assuming that works.
I'll be happy to take a stab at any other ideas to try to find this rule and shut off the logging.
Thanks in advance!
-
@Mission-Ghost Specifically on the IGMP issue, you have to add a pass rule for IGMP with IP options enabled. Like this:

NB: Local on my firewall is an interface group that contains all the local networks (non WANs).
As to your parent problem, I am not familiar with HDHomeRun so I cannot offer advice regarding that.
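Added example, not code from this thread and not pfSense or pf source: a small Python model of why an IGMP packet is dropped by a pass rule that lacks "Allow IP options". It parses a constructed IGMPv2 membership report (which carries the Router Alert option, so its IPv4 header is 24 bytes) next to a plain UDP datagram, and applies a simplified first-match rule evaluation in which a matching pass rule without allow-opts still drops an option-bearing packet with reason "ip-option". The addresses, multicast group and rule sets are invented; the model ignores states, direction, floating-vs-interface ordering and logging, which is the part this thread is debating.

```python
"""Why IGMP hits the "ip-option" drop path: constructed example, not pf code."""
import struct
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

IPPROTO_IGMP = 2
IPPROTO_UDP = 17
IPOPT_EOL = 0
IPOPT_NOP = 1
IPOPT_ROUTER_ALERT = 0x94  # RFC 2113: copied=1, class=0, number=20
OPTION_NAMES = {IPOPT_NOP: "nop", IPOPT_ROUTER_ALERT: "router-alert"}


@dataclass
class IPv4Header:
    protocol: int
    src: str
    dst: str
    options: List[Tuple[int, bytes]] = field(default_factory=list)


def ones_complement_sum(data: bytes) -> int:
    """RFC 1071 checksum, used by both the IPv4 header and IGMP."""
    total = 0
    for i in range(0, len(data), 2):
        total += (data[i] << 8) | data[i + 1]
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def parse_ipv4_header(pkt: bytes) -> IPv4Header:
    """Decode the fixed header and walk the option list (RFC 791 layout)."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (pkt[0] & 0x0F) * 4  # header length in bytes; more than 20 means options present
    if ihl < 20 or ihl > len(pkt):
        raise ValueError("bad header length")
    hdr = IPv4Header(protocol=pkt[9],
                     src=".".join(str(b) for b in pkt[12:16]),
                     dst=".".join(str(b) for b in pkt[16:20]))
    i = 20
    while i < ihl:
        otype = pkt[i]
        if otype == IPOPT_EOL:
            break
        if otype == IPOPT_NOP:  # single-byte option, no length field
            hdr.options.append((otype, b""))
            i += 1
            continue
        if i + 1 >= ihl or pkt[i + 1] < 2 or i + pkt[i + 1] > ihl:
            raise ValueError("truncated or malformed option")
        olen = pkt[i + 1]
        hdr.options.append((otype, pkt[i + 2:i + olen]))
        i += olen
    return hdr


def option_names(hdr: IPv4Header) -> List[str]:
    return [OPTION_NAMES.get(t, "opt-%d" % t) for t, _ in hdr.options]


@dataclass
class Rule:
    """Subset of a pf rule: action, protocol (None = any) and allow-opts."""
    action: str
    proto: Optional[int] = None
    allow_opts: bool = False


def evaluate(pkt: bytes, rules: List[Rule]) -> Tuple[str, str]:
    """First matching rule wins (quick semantics); returns (action, reason).
    Mirrors pf: a winning pass rule without allow-opts drops a packet that
    carries IP options, reported by pfSense as block/ip-option."""
    hdr = parse_ipv4_header(pkt)
    for rule in rules:
        if rule.proto is not None and rule.proto != hdr.protocol:
            continue
        if rule.action == "pass" and hdr.options and not rule.allow_opts:
            return ("block", "ip-option")
        return (rule.action, "rule")
    return ("block", "default")


def build_ipv4(proto: int, src: str, dst: str, options: bytes, payload: bytes) -> bytes:
    """Assemble an IPv4 packet with a correct header checksum (test data only)."""
    options += b"\x00" * (-len(options) % 4)  # pad option list to a 32-bit boundary
    ihl = 5 + len(options) // 4
    src_b = bytes(int(x) for x in src.split("."))
    dst_b = bytes(int(x) for x in dst.split("."))
    hdr = struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl, 0xC0, ihl * 4 + len(payload),
                      0, 0, 1, proto, 0, src_b, dst_b) + options
    hdr = hdr[:10] + struct.pack("!H", ones_complement_sum(hdr)) + hdr[12:]
    return hdr + payload


# Constructed sample traffic; host addresses and group are invented.
# IGMPv2 membership report: RFC 2236 requires the Router Alert option.
_igmp = struct.pack("!BBH4s", 0x16, 0, 0, bytes([239, 255, 255, 250]))
_igmp = _igmp[:2] + struct.pack("!H", ones_complement_sum(_igmp)) + _igmp[4:]
IGMP_REPORT = build_ipv4(IPPROTO_IGMP, "192.168.50.20", "239.255.255.250",
                         bytes([IPOPT_ROUTER_ALERT, 4, 0, 0]), _igmp)
PLAIN_UDP = build_ipv4(IPPROTO_UDP, "192.168.50.20", "192.168.50.1", b"",
                       struct.pack("!HHHH", 5353, 5353, 8, 0))

DEFAULT_ALLOW = [Rule("pass")]  # LAN any/any without "Allow IP options"
IGMP_WITH_OPTS = [Rule("pass", IPPROTO_IGMP, allow_opts=True)] + DEFAULT_ALLOW
IGMP_BLOCK_FIRST = [Rule("block", IPPROTO_IGMP)] + DEFAULT_ALLOW

if __name__ == "__main__":
    print("IGMP report carries:", option_names(parse_ipv4_header(IGMP_REPORT)))
    for name, rules in [("default allow", DEFAULT_ALLOW), ("pass igmp allow-opts", IGMP_WITH_OPTS),
                        ("block igmp first", IGMP_BLOCK_FIRST)]:
        print("%-22s IGMP -> %s  UDP -> %s" % (name, evaluate(IGMP_REPORT, rules),
                                                 evaluate(PLAIN_UDP, rules)))
```

Running it shows the three outcomes the thread circles around: under the plain default allow the IGMP report is dropped with reason ip-option while UDP passes; with a pass rule for IGMP that has allow-opts ahead of it, the report passes; with a block rule for IGMP ahead of it, the drop is an ordinary rule match and never reaches the ip-option check.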
-
@dennypage Thank you for taking the time to reply.
I did as you suggested but it does not stop the logging (which is coming from a Roku box, and only one of two Roku boxes). I applied the rule before 16:46:30, but it keeps going and going...
Note I did not have a pass IGMP rule prior to setting up the HDHomeRun box (which does work btw...and is not the one sending out the IGMP packets that apparently are getting blocked by a rule I can't find and can't control).
The new rule you suggested is at the top of the 50 (Entertainment) subnet rule list.
I'll attempt a reboot, as suggested earlier, but I can't now due to network usage.


-
@Mission-Ghost is the pass rule you created actually seeing evaluations? i.e. are the states going up vs 0/0?
Creating a rule does not take effect until the rules are reloaded - if for some reason your rules are not loading, then no, they wouldn't work.
-
@Mission-Ghost did you apply the changes after creating the rule?
-
@dennypage I did apply the rule.
Here's something interesting. I just went back and put a new rule in at the top of the interface 50_ENT list, ending in 718, to block IGMP any any and LOG it.
It did log it, but it ALSO logs the 2040 rule being activated. (Fig. 1) So how are a top rule on an interface AND an invisible rule I can't find anywhere (including floating) both taking effect? Interesting, too, that my rule is prefaced with USER_RULE and the 2040 rule is not.
Then I edited rule 718 and just changed it to PASS instead of BLOCK, and I get BOTH a PASS and BLOCK USER_RULE (in the same second of time) log in addition to the mystery rule 2040 block log entries, which keep going on. (Fig 2)
My understanding of how rules work suggests this is not consistent with how the system is documented to work...
Fig 1:

Fig 2:

-
@johnpoz it appears not.
I now have a floating and interface rule to block these and log and both show 0 packets but a handful of state creations.
The floating rule (...5020) appears to be taking precedence over any activity and logging on the interface rule, as I would expect it to. The floating rule is logging both passes and blocks, as the interface rule did in a previous experiment.



-
@Mission-Ghost We can't fully see your rules, as they are blocked by the pop-up. Does the floating rule have IP options enabled? If not, then it isn't going to match.