Netgate Discussion Forum

    Firewall alerts for IP not in my IP ranges

    Firewalling
anschmid Banned

      Hello! Need some help please!

My firewall log is completely filled up with blocking logs for IP addresses that are not even in my IP range:

Act    Time             If   Source              Destination        Proto
block  Feb 21 11:38:03  WAN  182.55.226.2:1985   224.0.0.102:1985   UDP
block  Feb 21 11:38:03  WAN  182.55.226.2:1985   224.0.0.102:1985   UDP
block  Feb 21 11:38:03  WAN  182.55.226.2:1985   224.0.0.102:1985   UDP

      My internal address space is 192.XXX.XXX.XXX and the external address of my firewall is 58.XXX.XXX.XXX.

Why would my firewall be giving me alerts for communications that have nothing to do with me?

      Any way to suppress these alerts?

Harvy66

If they're reaching your firewall, they have everything to do with you. The firewall alerts on blocked traffic by default. If you don't want the alerts to be caught by the default block rule, either pass the traffic or create your own block rule for that traffic that doesn't log.

johnpoz LAYER 8 Global Moderator

Why do you say that has nothing to do with you?  Your WAN is seeing multicast traffic to that 224 address and is blocking it.

          http://www.iana.org/assignments/multicast-addresses/multicast-addresses.xhtml

          That specific address is for HSRP
          224.0.0.102 HSRP

Is your WAN directly connected to your ISP – that you're seeing such traffic is a bit odd?  Or is your WAN controlled by you?  But as Harvy66 stated already, by default pfSense logs all blocks.  If you don't want to see such traffic then turn off the default logging and create your own blocking rule above the default that logs what you want, etc.  For example there is always a shit load of UDP noise on the net - I don't care to see that in my logs so I just have a block rule that logs TCP SYN-only traffic.

Keep in mind this is not altering the default block, you just don't log all the stuff it blocks - it's still blocked.  You're just putting a block rule above that to log the sort of traffic you want to log.

          An intelligent man is sometimes forced to be drunk to spend time with his fools
          If you get confused: Listen to the Music Play
          Please don't Chat/PM me for help, unless mod related
          SG-4860 24.11 | Lab VMs 2.7.2, 24.11

anschmid Banned

            harvy66 & johnpoz,

thanks for your answers. I didn't realise this is multicast traffic as it had a specific port number 1985, but as the link explains it is something to do with Cisco routers.

            My pfsense box is connected to a fibre modem from my ISP but that is essentially in bridge mode and not filtering anything.

johnpoz LAYER 8 Global Moderator

              HSRP is a failover method so you can have more than one router available to route traffic, if one fails the other can now assume the address that was setup as the gateway, etc.

              That traffic would be seen on any device on the same layer 2 network, or if someone was doing multicast proxy and or routing and you joined the multicast group, etc. etc..

              I would guess your isp is using Cisco, and yes since your isp device is just a modem then sure you would see that traffic depending on what the isp was doing.  It would be simple enough for them to filter that traffic so you don't see it..  And I wouldn't think they would be wanting to send that information out to all their users, etc.

You might want to drop them an email pointing out the traffic, better hope it gets to a level 3 or so tech or they won't have a clue what you're talking about ;)


mer

                @anschmid:

I didn't realise this is multicast traffic as it had a specific port number 1985, but as the link explains it is something to do with Cisco routers.

                The multicast part is the address, the 224.0.0.102.  Just like any IP address you can listen on specific (any) port number you want.

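An added example (not code from the thread or from pfSense) that ties together mer's point that multicast is a property of the destination address rather than the port, and johnpoz's suggestion of logging only TCP SYN traffic instead of every default block. It parses lines in the column layout of the pfSense firewall log view, classifies each blocked packet by why it reached the WAN, and counts how many lines the default log-everything behaviour versus a "TCP SYN only" logging rule would produce. The three UDP lines copy the thread; the remaining lines, the MY_PREFIXES placeholders and the category names are constructed for this example.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample in the column layout of the pfSense firewall log view
# (Act, Time, If, Source, Destination, Proto). The three UDP lines copy the
# thread; the rest are made-up filler using RFC 5737 test addresses so every
# branch below is exercised. "TCP:S" / "TCP:SA" is how the log view shows
# the TCP flags of a blocked packet.
SAMPLE_LOG = """\
block  Feb 21 11:38:03 WAN 182.55.226.2:1985 224.0.0.102:1985 UDP
block  Feb 21 11:38:03 WAN 182.55.226.2:1985 224.0.0.102:1985 UDP
block  Feb 21 11:38:03 WAN 182.55.226.2:1985 224.0.0.102:1985 UDP
block  Feb 21 11:38:05 WAN 203.0.113.9:51234 58.0.0.1:22 TCP:S
block  Feb 21 11:38:06 WAN 203.0.113.9:51235 58.0.0.1:443 TCP:SA
block  Feb 21 11:38:07 WAN 198.51.100.7:40000 58.0.0.1:5060 UDP
block  Feb 21 11:38:08 WAN 198.51.100.8 58.0.0.1 ICMP
"""

# Placeholders for the poster's own ranges (the thread only gives 192.x / 58.x).
MY_PREFIXES = [ipaddress.ip_network("58.0.0.1/32"),
               ipaddress.ip_network("192.168.0.0/16")]

LOCAL_NETWORK_CONTROL = ipaddress.ip_network("224.0.0.0/24")  # IANA block; never forwarded by routers
HSRP_GROUP = ipaddress.ip_address("224.0.0.102")             # IANA: hsrp
HSRP_PORT = 1985

LINE_RE = re.compile(
    r"^(?P<act>\w+)\s+(?P<time>\w{3} +\d{1,2} \d\d:\d\d:\d\d)\s+(?P<iface>\S+)\s+"
    r"(?P<src>\S+)\s+(?P<dst>\S+)\s+(?P<proto>\S+)\s*$"
)


def split_endpoint(text):
    """'ip:port' -> (address, port); bare 'ip' (ICMP) -> (address, None). IPv4 only."""
    host, sep, port = text.rpartition(":")
    if not sep:
        return ipaddress.ip_address(text), None
    return ipaddress.ip_address(host), int(port)


def parse_log(text):
    """Turn log-view lines into dicts; raises on a line that does not match the layout."""
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"unrecognised log line: {line!r}")
        src_ip, src_port = split_endpoint(m["src"])
        dst_ip, dst_port = split_endpoint(m["dst"])
        proto, _, flags = m["proto"].partition(":")   # "TCP:S" -> ("TCP", "S")
        entries.append({"act": m["act"], "iface": m["iface"],
                        "src_ip": src_ip, "src_port": src_port,
                        "dst_ip": dst_ip, "dst_port": dst_port,
                        "proto": proto, "flags": flags})
    return entries


def classify(entry, my_prefixes=MY_PREFIXES):
    """Explain why a blocked packet whose destination is 'not my IP' still hit the WAN."""
    dst = entry["dst_ip"]
    if dst.is_multicast:                       # decided by the address, not the port
        if dst == HSRP_GROUP and entry["proto"] == "UDP" and entry["dst_port"] == HSRP_PORT:
            return "hsrp-multicast"            # router failover chatter on the ISP segment
        if dst in LOCAL_NETWORK_CONTROL:
            return "link-local-multicast"      # only visible if you share the L2 segment
        return "multicast-other"
    if any(dst in p for p in my_prefixes):
        return "unicast-to-me"
    return "unicast-not-me"                    # would indicate something odd upstream


def would_log(entry, policy):
    """Default pfSense behaviour logs every block; the 'tcp-syn-only' rule logs only TCP SYNs."""
    if policy == "default":
        return True
    if policy == "tcp-syn-only":
        return entry["proto"] == "TCP" and entry["flags"] == "S"
    raise ValueError(f"unknown policy {policy!r}")


def summarize(text, policy="default"):
    entries = parse_log(text)
    kinds = Counter(classify(e) for e in entries)
    logged = sum(would_log(e, policy) for e in entries)
    return {"total": len(entries), "kinds": dict(kinds), "logged": logged}


if __name__ == "__main__":
    for policy in ("default", "tcp-syn-only"):
        print(policy, summarize(SAMPLE_LOG, policy))
```

Running it shows the three HSRP lines classified as multicast purely from 224.0.0.102, and the "tcp-syn-only" policy reducing seven logged blocks to one (the TCP:S line), while the other six are still blocked, just no longer logged.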
                Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.