Firewall blocking multicast traffic despite rule to the contrary
-
I think all the rules descriptions get useless in your case due to the infamous "wheeeeeeeeeeee lets log every IGMP packet" bug. Look at the raw log instead and see the rule number, just the first number after filterlog:. When you have that rule number , you should get the really matching rule by using something like
pfctl -vvsr | grep "^@###("(Replace the ### with the rule number, obviously.)
-
Thanks. This is what it says in the raw logs:
Apr 30 08:48:35 filterlog: 39,16777216,,1000000113,re0,match,block,in,4,0x80,,60,0,0,DF,17,udp,1356,10.103.218.73,233.51.229.167,0,5000,1336
Apr 30 08:48:35 filterlog: 39,16777216,,1000000113,re0,match,block,in,4,0x80,,60,0,0,DF,17,udp,1356,10.103.218.73,233.51.229.167,0,5000,1336
Apr 30 08:48:35 filterlog: 39,16777216,,1000000113,re0,match,block,in,4,0x80,,60,0,0,DF,17,udp,1356,10.103.218.73,233.51.229.167,0,5000,1336
Apr 30 08:48:35 filterlog: 39,16777216,,1000000113,re0,match,block,in,4,0x80,,60,0,0,DF,17,udp,1356,10.103.218.73,233.51.229.167,0,5000,1336
Apr 30 08:48:35 filterlog: 39,16777216,,1000000113,re0,match,block,in,4,0x80,,60,0,0,DF,17,udp,1356,10.103.218.73,233.51.229.167,0,5000,1336 -
Yeah. Now, as noted above:
pfctl -vvsr | grep "^@39(" -
I get the following:
$ pfctl -vvsr | grep "^@39("
@39(1000000113) block drop log quick inet proto udp from any port = 0 to any -
Yeah. This comes from this code:
# We use the mighty pf, we cannot be fooled. block {$log['block']} quick inet proto { tcp, udp } from any port = 0 to any tracker {$increment_tracker($tracker)} block {$log['block']} quick inet proto { tcp, udp } from any to any port = 0 tracker {$increment_tracker($tracker)} block {$log['block']} quick inet6 proto { tcp, udp } from any port = 0 to any tracker {$increment_tracker($tracker)} block {$log['block']} quick inet6 proto { tcp, udp } from any to any port = 0 tracker {$increment_tracker($tracker)}in /etc/inc/filter.inc - the mighty pf indeed cannot be fooled since there's no way to override these quick rules via the GUI. Sigh.
All of this behind the scenes stuff should be at least optionally exposed in the GUI.
-
Thanks. So why is it objecting to the traffic? Is it because it's incoming on port 0?
Is it possible to amend that rule from the command line?
-
No, there's nothing to be done with that rule beyond patching the /etc/inc/filter.inc. Not really convinced that this UDP traffic is the cause of your IPTV issues, though. You can comment it out, run Status -> Filter Reload and see if it helps.
-
Thanks. I commented it out. Now it blocks under a different rule!
Apr 30 09:16:11 filterlog: 57,16777216,,1000001581,re0,match,block,in,4,0x80,,60,0,0,DF,17,udp,1356,10.103.218.73,233.51.229.167,0,5000,1336
Apr 30 09:16:11 filterlog: 57,16777216,,1000001581,re0,match,block,in,4,0x80,,60,0,0,DF,17,udp,1356,10.103.218.73,233.51.229.167,0,5000,1336
Apr 30 09:16:11 filterlog: 57,16777216,,1000001581,re0,match,block,in,4,0x80,,60,0,0,DF,17,udp,1356,10.103.218.73,233.51.229.167,0,5000,1336
Apr 30 09:16:11 filterlog: 57,16777216,,1000001581,re0,match,block,in,4,0x80,,60,0,0,DF,17,udp,1356,10.103.218.73,233.51.229.167,0,5000,1336$ pfctl -vvsr | grep "^@57("
@57(1000001581) block drop in log quick on re0 inet from 10.0.0.0/8 to any label "Block private networks from WAN block 10/8"Is that another rule that cannot be overridden from the GUI?
-
Sorry, yes it is. It's the block private networks option. I've unchecked that now, and the traffic seems to be being passed (it's not in the log anymore).
IPTV still not working though, so will look for other issues.
Thanks for your help.
-
Touch wood, it seems to be working now. :)
There was also an issue on the networks defined in the IGMP proxy.
Thanks for your help.
-
So, what really fixed it? When you put the filter.inc into original state, does it still work with the bogons blocking disabled?
-
No, the "@39(1000000113) block drop log quick inet proto udp from any port = 0 to any" rule blocks the incoming traffic, presumably because it's on port 0.
I spoke too soon though: the IPTV works for an amount of time (anything from 5 secs to a few minutes) then falls over. There's a post here which details the same problem: http://www.dslreports.com/forum/r28895644-TDS-IPTV-Service-using-PFSense-Configuration-Instructions
I'll have a play later on - the conclusion from that thread was that it's some sort of QoS issue.
-
No, the "@39(1000000113) block drop log quick inet proto udp from any port = 0 to any" rule blocks the incoming traffic, presumably because it's on port 0.
You might want to file a bug about this.
I spoke too soon though: the IPTV works for an amount of time (anything from 5 secs to a few minutes) then falls over. There's a post here which details the same problem: http://www.dslreports.com/forum/r28895644-TDS-IPTV-Service-using-PFSense-Configuration-Instructions
That's a different thing, best kept out of this thread.
-
Thanks. Re the rule, isn't it working correctly, it just's the incoming traffic (for whatever reason) doesn't specify a port? i.e. something wrong with the traffic rather than being a bug in the rule?
-
No idea what kind of traffic you are really seeing blocked without packet sniffing. These invisible impossible to override/re-order rules are all evil.
-
Thanks. I suppose it's more of a feature request then? i.e. allow all these default rules to be customised from the GUI, rather than by rooting around in the bowels of the system.
Thanks for your help.
-
Logging anything nobody wants (IGMP), blocking things by hidden rules (bogon etc pp.)…
Is pfSense a firewall or a black box still called firewall?
I would expect ABSOLUTE transparency and ABSOLUTE capability for the user to turn on/off features in a single place (firewall rules, nowhere else hidden somewhere in the GUI) if you call it SECURITY APPLIANCE.
It's a mess, in my opinion.
-
Yeah the hidden rules are not a good idea. And the ability to turn them off or modify them should be an option. Its kind of nice that if you enable dhcp server for example it auto puts in a rule. But they should NOT be hidden!! And for example while dhcp gets rules, if you just run relay it does not get rules so does not work unless you allow for that traffic. So it can be confusing yes.
And stuff like bogon and private with no way to put rules above them is not good..
-
Thanks. Re the IPTV failing after a few minutes, I traced this to the fact pfSense is running an out of date/buggy version of igmpproxy.
If you update to the latest version, it works.
See the thread here: https://forum.pfsense.org/index.php?topic=93293.0
I agree with the comments re the hidden rules. I'll post a bug report/feature request (also for the igmpproxy update) when I have a moment.
-
Thanks. I've posted a bug here re allowing the default filter.inc rules to be overridden from the GUI.
https://redmine.pfsense.org/issues/4673
