IGMP Logging to syslog pfsense 2.1.4
-
Hi
I am experiencing a strange logging behaviour where some IGMP packets hitting my LAN interface are being sent to my syslog server, although they are not configured to be logged.
My log settings are:
-
Log packets blocked by the default rule~: Unticked
-
Only logging Firewall events
I have "cleanup" rules on as a last rule on my WAN tab for logging only blocked TCP/UDP but I think this is irrelevant in this case.
So on the WebGUI 'last 50 firewall log entries', I am correctly seeing only the clean up rule logging (blocked TCP/UDP) and not the IGMP traffic. However, my remote syslog server is receiving these "pass in" IGMP logs in addition:
00:00:09.534830 rule 95/8(ip-option): pass in on re0: (tos 0xc0, ttl 1, id 0, offset 0, flags [DF], proto IGMP (2), length 40, options (RA))
pf: 172.XX.XX.14 > 224.0.0.22: igmp v3 report, 1 group record(s) [gaddr 224.0.0.251 to_ex, 0 source(s)]I have no IGMP proxy setup.
So my question is: Why are IGMP packets being sent to the remote syslog?
-
-
Seems to have resolved the issue by adding a rule at the top of the LAN rules to drop IGMP traffic silently.
Odd I had to do this, as there are no LAN rules at all logging traffic (all LAN rules have no logging enabled).
It was only IGMP RA traffic (to 224.0.0.22) that was being sent to Syslog, not any other multicast traffic.
Still puzzled but that seems to be the fix if someone encounters this.
-
Seems to have resolved the issue by adding a rule at the top of the LAN rules to drop IGMP traffic silently.
I just had to do this same thing after updating to 2.2.1-RELEASE (amd64). Version 2.2 did not log the IGMP 224.0.0.22. But as soon as 2.2.1 was installed, I was receiving the IGMP logs for my LAN interface.
-
Are you guys running Snort on the "LAN" interface? I haven't yet found the issue on my end, but when I disable Snort on the "LAN" the IGMP logging stops.
-
Nope. Snort is only on for the WAN.
-
Try to disable Snort on the "WAN" and see if the IGMP logging stops …
-
There were some recent code changes around IGMP that got into 2.2.1, maybe one of those is causing this.
Snort/Suricata puts the enabled interfaces in "promiscuous mode" so that might be why we are seeing these alerts.
-
I disabled snort and watched the logs… so far IGMP will NOT appear in the logs only when I create a rule with IGMP block, No Logging. If it set to Pass with No logging, it still logs it. If the rule is disabled, it is logged by the "Default deny rule IPv4" as it should with my setup.
-
This bug report: https://redmine.pfsense.org/issues/4383
I noticed it on 2.2 systems. But I had not really looked previously to know if it happened on 2.1.* -
Have some rules on LAN to stop logging IGMP multicast, had to switch them in 2.2.1 (nano 386) from "allow" to "block" to stop the traffic from spamming my firewall log….
What I can'T stop from logging is IPv6 multicast ff02::fb on port 5353. I tried everything, block all IPv6 without logging, block all to ff02::fb without logging, always have this spam in the log. Btw IPv6 is completely disabled, all clients have IPv6 disabled, still get this broadcast...
-
Hello,
I ve the same problems since upgdating to 2.2.1
Is there a solution in the meantime for that?Question: I am wondering why the IGMP log entrys have a green icon in the logs - ("pass/0") - where can I find this rule?!
Greetz
-
-
please be a little bit more "verbose" ;-)
-
Such rule does not exist. Known bug linked above. Move on.