[RESOLVED] Getting constant alerts/blocks for 255.255.255.255
-
My firewall alerts tab is filled with warnings about broadcast traffic getting blocked on an internal interface. (See the attached screenshot) The "Wireless" interface represents a network (vlan actually) so I want the broadcast traffic to circulate within the wireless subnet, but not escape from it. I get the feeling from these logs that broadcast traffic is simply not getting broadcast. If that's not true and broadcast traffic is circulating normally on the subnet, then I don't want my alerts tab filling up because it's nothing to worry about. I manually checked my ipv4 block lists, and none of them contain 255.255.255.255.
Not sure what could be wrong here.
pfBlockerNg is working perfectly otherwise.
Thanks,
Chris
-
Suspect it's the lvl 1 feed.
Try this command to find which feed contains that IP:
grep "^255\." /var/db/pfblockerng/deny/*
-
> Suspect it's the lvl 1 feed.
> Try this command to find which feed contains that IP:
> grep "^255\." /var/db/pfblockerng/deny/*
Empty output :(
-
Just some extra findings/updates from my end.
Nothing in grep "^255." /usr/local/share/GeoIP/* either.
I looked at the 'pfblockerng.inc' file to try to figure out what 'no match' means, but it didn't provide any hints. I'd like to check my firewall rules to make sure that 255.255.255.255 is actually listed in the pfblocker generated rules. I'd expect to find 255.255.255.255 in pfB_DNSBLIP.txt. If it's not, I'm not sure where to find the core pfsense firewall rule definitions to check those ip lists.
I'm still looking into this and I'm open to debugging if anybody has any ideas. I don't know php so things are slow going.
-
I looked into your firehol level 1 list and found 224.0.0.0/3 which would include 224.0.0.0 to 255.255.255.255
The level 1 list includes unroutable and multicast traffic. You can still pick and choose the individual lists that make up level 1.
-
I added 255.255.255.255/32 and 224.0.0.0/3 to the suppress alias and the blocks disappeared!
Thanks for noticing that line. I'll write a script to test my lists manually next time I get a block like that instead of just relying on grep.
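The reason the grep above found nothing is that a feed can list an aggregate such as 224.0.0.0/3 that covers 255.255.255.255 without the address ever appearing literally. The script below is an added example, not pfBlockerNG's own code: it parses each feed line as an IP or CIDR and tests containment instead of matching text. It assumes the deny feeds live under /var/db/pfblockerng/deny/ as in the thread; the embedded SAMPLE_FEED is a constructed excerpt, not the real FireHOL list.

```python
#!/usr/bin/env python3
"""Find which pfBlockerNG deny-feed entries contain a given IP.

Added example (not pfBlockerNG's own code). A grep for "^255\\." misses
255.255.255.255 when a feed carries the aggregate 224.0.0.0/3, which spans
224.0.0.0 through 255.255.255.255. Parsing each line as a network and
testing containment catches that case.
"""
import glob
import ipaddress
import sys

# Location of the deny feeds on pfSense, as given in the thread (assumption).
DENY_GLOB = "/var/db/pfblockerng/deny/*"


def parse_entry(line):
    """Return an ip_network for one feed line, or None for blanks/comments/junk.

    Feed files hold one IP or CIDR per line; some feeds carry '#' comments.
    """
    line = line.split("#", 1)[0].strip()
    if not line:
        return None
    try:
        # strict=False tolerates host bits set inside a prefix (e.g. 10.1.2.3/8).
        return ipaddress.ip_network(line, strict=False)
    except ValueError:
        return None


def matching_entries(ip, lines):
    """Return the feed entries (as written) whose network contains ip."""
    addr = ipaddress.ip_address(ip)
    hits = []
    for line in lines:
        net = parse_entry(line)
        # Skip entries of the other IP version; 'in' would raise otherwise.
        if net is not None and net.version == addr.version and addr in net:
            hits.append(line.strip())
    return hits


def scan_feeds(ip, pattern=DENY_GLOB):
    """Map feed path -> matching entries for every file matching pattern."""
    results = {}
    for path in sorted(glob.glob(pattern)):
        with open(path, errors="replace") as fh:
            hits = matching_entries(ip, fh)
        if hits:
            results[path] = hits
    return results


# Constructed sample feed, modelled on the lines discussed in the thread.
SAMPLE_FEED = """\
# firehol_level1 excerpt (constructed sample, not the real feed)
0.0.0.0/8
10.0.0.0/8
224.0.0.0/3
198.51.100.7
"""

if __name__ == "__main__":
    # Usage: script.py [IP] [GLOB]; with no GLOB the constructed sample is used.
    target = sys.argv[1] if len(sys.argv) > 1 else "255.255.255.255"
    if len(sys.argv) > 2:
        for path, hits in scan_feeds(target, sys.argv[2]).items():
            print(f"{path}: {', '.join(hits)}")
    else:
        found = matching_entries(target, SAMPLE_FEED.splitlines())
        print(f"{target} matched by: {found}")
```

Run it on the box as `python3 script.py 255.255.255.255 '/var/db/pfblockerng/deny/*'` to see which feed file and which line is responsible; the same check works for any address that shows up in the alerts tab without a literal match.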
-
See here:
https://forum.pfsense.org/index.php?topic=135257.msg764291#msg764291