Suppressing broadcast log noise
-
I log unexpected traffic, basically everything that gets blocked because it doesn't pass my last-stage whitelists.
I have a number of VLANs, and a single (floating or interface group) rule to quietly handle all broadcasts that reach LAN-side interfaces, before they reach Default Deny/"Explicitly block the rest" rules.
Suppose, for a simple example:
LAN 192.168.10.1 on interface igb1
and
VLAN110 on igb1(lan) as 192.168.110.1/24
VLAN120 on igb1(lan) as 192.168.120.1/24
and
MyNetworks=192.168.110.0/24,192.168.120.0/24
MyBroadcastIPs=192.168.110.255,192.168.120.255
and a single floating or interface group rule
log=no src=MyNetworks dest=MyBroadcastIPs
I have the following understandings that lead to my questions:
- When I see log entries from 192.168.110.101 to 192.168.110.255 (for example, from a Default Deny or "Explicitly block the rest" rule), that traffic is seen by the router because the broadcast results in the traffic getting sent by the switch to the interface at 192.168.110.1, along with the switch sending it to every other device connected to the 192.168.110.0/24 subnet.
- Adding a rule that blocks this traffic does not block the broadcast from reaching other devices on the subnet, as this traffic flows to devices on 192.168.110.0/24 directly through the switch with no opportunity for intervention by the router. The router only sees it because it is one of the targets of the broadcast.
- If I don't want log noise from such traffic, I can write a no-log rule on the VLAN110 interface for anything going to destination 192.168.110.255. Configuring this rule as a block could suggest to the uninformed that it is blocking all of the broadcast traffic, which it is not, so I'm tempted to configure it as a pass for that reason alone.
In trying to decide if these no-log broadcast traffic rules should block or pass, or whether it even matters at all, I realized that I have the following questions:
- When 192.168.110.0/24 to 192.168.110.255 broadcast traffic hits its firewall interface, I understand that it is not going to get handled for routing because it is not destined for a different subnet, but might the firewall be interested in the actual broadcast message itself? If the rule blocks, could this interfere with any non-routing-related handling (is there any?) of the message by processes listening to 192.168.110.1, or does the block only refer to routing decisions?
I will also be grateful to learn of any mistakes in my understandings or presumptions :)
Thank you!
Bill
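
An added example, not part of the original post: a Python sketch that derives MyBroadcastIPs from MyNetworks and reports which source/destination pairs the single alias-based no-log rule would match, modelling alias matching as plain set membership (an assumption). The function names and sample pairs are constructed; it goes slightly beyond the post by also covering 255.255.255.255 and a broadcast address targeted from the other VLAN.

```python
import ipaddress

# Aliases as given in the post.
MY_NETWORKS = [ipaddress.ip_network(n)
               for n in ("192.168.110.0/24", "192.168.120.0/24")]
# Derived rather than hand-typed, so the alias cannot drift from the subnets.
MY_BROADCAST_IPS = {net.broadcast_address for net in MY_NETWORKS}
LIMITED_BROADCAST = ipaddress.ip_address("255.255.255.255")


def rule_matches(src, dst):
    """Model of the post's rule: src in MyNetworks AND dst in MyBroadcastIPs."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    return any(s in net for net in MY_NETWORKS) and d in MY_BROADCAST_IPS


def classify(src, dst):
    """Label a packet by the kind of broadcast it is (hypothetical labels)."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if d == LIMITED_BROADCAST:
        return "limited-broadcast"          # not covered by MyBroadcastIPs
    for net in MY_NETWORKS:
        if d == net.broadcast_address:
            # Same subnet: ordinary on-link broadcast the router merely hears.
            # Other subnet: traffic that was sent to the router for forwarding.
            return "local-broadcast" if s in net else "cross-subnet-broadcast"
    return "other"


def audit(pairs):
    """Return (src, dst, kind, matched_by_rule) for each pair."""
    return [(s, d, classify(s, d), rule_matches(s, d)) for s, d in pairs]


# Constructed sample traffic, not taken from real logs.
SAMPLE = [
    ("192.168.110.101", "192.168.110.255"),
    ("192.168.110.101", "192.168.120.255"),
    ("192.168.110.101", "255.255.255.255"),
    ("192.168.110.101", "192.168.110.1"),
]

if __name__ == "__main__":
    for row in audit(SAMPLE):
        print(row)
```

The second sample pair is matched by the combined aliases even though it is not an on-link broadcast, which is relevant when deciding whether the shared rule should pass or block.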