Netgate Discussion Forum

    Suppressing broadcast log noise

    Category: Firewalling
    • billl

      I log unexpected traffic, basically everything that gets blocked because it doesn't pass my last-stage whitelists.
      I have a number of VLANs, and a single (floating or interface group) rule to quietly handle all broadcasts that reach LAN-side interfaces, before they reach Default Deny/"Explicitly block the rest" rules.

      Suppose, for a simple example:
      LAN 192.168.10.1 on interface igb1
      and
      VLAN110 on igb1(lan) as 192.168.110.1/24
      VLAN120 on igb1(lan) as 192.168.120.1/24
      and
      MyNetworks=192.168.110.0/24,192.168.120.0/24
      MyBroadcastIPs=192.168.110.255,192.168.120.255
      and a single floating or interface group rule
      log=no src=MyNetworks dest=MyBroadcastIPs

      I have the following understandings that lead to my questions:

      • When I see log entries from 192.168.110.101 to 192.168.110.255 (for example, from a Default Deny or "Explicitly block the rest" rule), that traffic is seen by the router because the broadcast results in the traffic getting sent by the switch to the interface at 192.168.110.1, along with the switch sending it to every other device connected to the 192.168.110.0/24 subnet.
      • Adding a rule that blocks this traffic does not block the broadcast from reaching other devices on the subnet, as this traffic flows to devices on 192.168.110.0/24 directly through the switch with no opportunity for intervention by the router. The router only sees it because it is one of the targets of the broadcast.
      • If I don't want log noise from such traffic, I can write a no-log rule on the VLAN110 interface for anything going to destination 192.168.110.255. Configuring this rule as a block could suggest to the uninformed that it is blocking all of the broadcast traffic, which it is not, so I'm tempted to configure it as a pass for that reason alone.

      In trying to decide if these no-log broadcast traffic rules should block or pass, or whether it even matters at all, I realized that I have the following questions:

      • When 192.168.110.0/24 to 192.168.110.255 broadcast traffic hits its firewall interface, I understand that it is not going to get handled for routing because it is not destined for a different subnet, but might the firewall be interested in the actual broadcast message itself? If the rule blocks, could this interfere with any non-routing-related handling (is there any?) of the message by processes listening to 192.168.110.1, or does the block only refer to routing decisions?

      I will also be grateful to learn of any mistakes in my understandings or presumptions :)

      Thank you!
      Bill

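As an added example, not taken from the post above or from Netgate, here is what the described setup looks like in pf syntax, the rule language pfSense compiles its GUI rules into. The two aliases become pf tables; the floating/interface-group rule becomes one rule listing both VLAN interfaces. The interface names igb1.110 and igb1.120 are assumptions (pfSense names a VLAN interface parent.tag), and the table names are the poster's alias names reused.

```pf
# Constructed pf ruleset fragment for the scenario in the post; not the poster's
# actual rules.debug output.  Interface names igb1.110 / igb1.120 are assumed.

# Aliases from the post, expressed as pf tables.
table <MyNetworks>     const { 192.168.110.0/24, 192.168.120.0/24 }
table <MyBroadcastIPs> const { 192.168.110.255, 192.168.120.255 }

# One rule for both VLAN interfaces, the pf equivalent of a floating or
# interface-group rule.  There is no "log" keyword, so matches never reach
# filterlog, and "quick" ends evaluation so the logged default deny below
# never sees this traffic.  "in" limits it to packets arriving on the interface,
# which is the only direction a subnet broadcast from a VLAN host can take.
block in quick on { igb1.110, igb1.120 } inet from <MyNetworks> to <MyBroadcastIPs>

# The alternative the post weighs, pass instead of block.  Logging outcome is
# identical (nothing logged).  The difference is that pass keeps state for every
# broadcast datagram and delivers it to whatever listens on 192.168.110.1 or
# 192.168.120.1, whereas block drops it before any local process sees it.
# pass in quick on { igb1.110, igb1.120 } inet from <MyNetworks> to <MyBroadcastIPs>

# Whatever falls through is blocked and logged, as the default deny does.
block in log all
```

Check a file like this for syntax errors without loading it with `pfctl -nf rules.txt`. Two caveats worth keeping in mind: the tables cover only the two subnet-directed broadcast addresses, so limited broadcasts to 255.255.255.255 (DHCP DISCOVER from clients, for instance) still fall through to the logged default deny unless another rule handles them; and because pf filters inbound packets before they reach local sockets, the block variant also hides those broadcasts from any service on the firewall that would otherwise receive them on the interface address, which is the practical answer to whether a block touches more than the routing decision.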
      Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.