Netgate Discussion Forum
    IGMP IPV4 endless log-messages / rules not working :(

    Firewalling
    16 Posts 4 Posters 761 Views
      Gertjan @louis2
      last edited by Gertjan

      @louis2

      To add to what @dennypage showed: the (or a possible) final result:

      (screenshot of the final floating rule set)

      Don't mind the first rule, it's there for a NUT reason.

      Rule 2 and 3 are the only ones you'll ever need. They are pass-all rules. I use two rules so I can see how much IPv4 and IPv6 traffic there is.

      Note the presence of the black gear wheel on both rules : the "Allow IP options" is now checked.

      No "help me" PM's please. Use the forum, the community will thank you.
      Edit : and where are the logs ??

        dennypage @Gertjan

        @Gertjan FWIW, I would not recommend adding Allow IP options to a pass all rule. I would restrict this to IGMP.

        There are good reasons that firewalls drop packets with IP options by default.

          louis2 @dennypage

          @dennypage @Gertjan @stephenw10

          It does not work here also with IP-options set! Let me start with that.
          However:

          That a pass rule can behave like a block rule is "more than bizarre"!!

          If IP-options is necessary for a match, then the rule without IP-options should simply not match and should not do anything!!
          Letting the rule change into a block rule is simply bizarre!!!!!

          But even if I put the IGMP pass rule with options set as the very first rule in the floating table, it does not work!

            Gertjan @louis2

            @louis2 said in IGMP IPV4 endless log-messages / rules not working :(:

            "more than bizarre"!!

            I know, I know.
            I'm like you : wanted to stop my logs being filled up with 'useless' info.
            This trick did it.


              louis2 @Gertjan

              @Gertjan

              Gertjan, in my personal vision, I am just as concerned about threats from inside my network as about threats coming from the internet.

              So my rule sets are very strict also for traffic leaving the network!

              • for security reasons first
              • blocking the option that things are collected from the internet for bad, commercial or good reasons ....
              • for privacy reasons

              So I would never ever define a rule like "everything outgoing allowed".
              Next to that, the rules allow all subnets to freely communicate with each other. No way!! Never!!

              My opinion of course!

                dennypage @louis2

                @louis2 said in IGMP IPV4 endless log-messages / rules not working :(:

                It does not work here also with IP-options set! Let me start with that.

                Please post screen shots of your rules.

                  dennypage @louis2

                  @louis2 said in IGMP IPV4 endless log-messages / rules not working :(:

                  If IP-options is necessary for a match, then the rule without IP-options should simply not match and should not do anything!!

                  To be clear, IP options are not matchable like protocols, addresses, ports, etc.

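An added example (not from the thread or from pfSense itself) illustrating the two points above: IGMP messages carry the Router Alert IP option (RFC 2236 requires it), and in pf the presence of IP options is not a match criterion but a gate on the matching pass rule, so a matching `pass proto igmp` rule without `allow-opts` ("Allow IP options" unchecked) still results in a block. The source address, multicast group and zeroed checksums are constructed sample data.

```python
import struct

ROUTER_ALERT = 0x94  # IP option type: copy=1, class=0, number=20 (RFC 2113)


def build_igmpv2_report(src: str, group: str, with_router_alert: bool) -> bytes:
    """Constructed IPv4 + IGMPv2 Membership Report (checksums left zero; sample data)."""
    options = bytes([ROUTER_ALERT, 4, 0, 0]) if with_router_alert else b""
    ihl = 5 + len(options) // 4                       # header length in 32-bit words
    igmp = struct.pack("!BBH4s", 0x16, 0, 0, bytes(map(int, group.split("."))))
    header = struct.pack("!BBHHHBBH4s4s",
                         (4 << 4) | ihl, 0xC0, ihl * 4 + len(igmp), 0, 0,
                         1, 2, 0,                       # TTL 1, protocol 2 (IGMP), checksum 0
                         bytes(map(int, src.split("."))), bytes(map(int, group.split("."))))
    return header + options + igmp


def ip_option_types(packet: bytes) -> list:
    """Return the option type codes found in the IPv4 header (empty when IHL == 5)."""
    ihl = packet[0] & 0x0F
    opts, i, types = packet[20:ihl * 4], 0, []
    while i < len(opts):
        kind = opts[i]
        if kind == 0:                 # End of Options List
            break
        if kind == 1:                 # No Operation is a single byte
            i += 1
            continue
        types.append(kind)
        i += opts[i + 1]              # every other option is type, length, data
    return types


def pf_decision(packet: bytes, rule_proto: int, allow_opts: bool) -> str:
    """Emulate pf's handling: IP options are not matched on. A matching pass rule
    without allow-opts still blocks a packet that carries options, which is why
    the rule appears to behave like a block rule."""
    if packet[9] != rule_proto:       # protocol byte at offset 9
        return "no-match"
    if ip_option_types(packet) and not allow_opts:
        return "block"
    return "pass"


if __name__ == "__main__":
    report = build_igmpv2_report("192.168.10.20", "224.0.0.251", True)
    print("options:", [hex(t) for t in ip_option_types(report)])
    for allow in (False, True):
        print(f"pass proto igmp {'allow-opts' if allow else ''}: {pf_decision(report, 2, allow)}")
```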
                    louis2 @dennypage

                    @dennypage

                    I think I fixed it, the following way:

                    1. I added the following as the first rule for the VLAN:
                      (screenshot of the IGMP pass rule)

                    2. I reset the states via Diagnostics / States / Reset States

                    Just defining the rule was not enough!!!

                      dennypage @louis2

                      @louis2 Glad you got it working. Thank you for letting me know that you had to perform Reset States. That may help others.

                        Gertjan @louis2

                        @louis2 said in IGMP IPV4 endless log-messages / rules not working :(:

                        So I would never ever define a rule like "everything outgoing allowed".
                        Next to that, the rules allow all subnets to freely communicate with each other. No way!! Never!!

                        I fully agree with that.
                        I've kept the default Netgate LAN firewall rules because I have the luxury of totally trusting all my LAN devices; I don't need to block something from going outside.
                        Beyond the devices, I can also trust the users who use these devices. I'm lucky, probably.

                        Closing all destination ports, leaving open only ports 53, 80, 443, 110, 143, 995, 992, 993, 143, doesn't give me more security, as 99% of all threats are downloaded by users over 443 (a web browser using https) or by mail, for example IMAP SSL, port 993, a mail client.

                        My LAN is my trusted network, and it can access my other, less trusted networks, like a captive portal or my server network. These networks cannot access my trusted LAN.
                        My non-trusted networks have devices I need to admin, like access points etc. I can access these from my LAN.


                          dennypage @Gertjan

                          @Gertjan In this case, it's a bit more than just passing ports. Allowing IP Options on a pass all rule opens your firewall to these options as well. IMO, you want to be very specific in the circumstance that you allow IP options.

                          I would prefer silently dropping all packets with IP options, including IGMP, rather than allowing all IP packets with options.

                            Gertjan @dennypage

                            @dennypage said in IGMP IPV4 endless log-messages / rules not working :(:

                            you want to be very specific in the circumstance that you allow IP options.

                            I wanted to clean my logs. I've chosen the fast way out - not necessarily the best one.
