Pesky broadcasts get logged no matter what I do



  • My log is full of these entries:

    Feb 1 21:03:27 WAN1 [fe80::da90:e8ff:fe9d:74e4]:5353 [ff02::fb]:5353 UDP

    despite having specific rules with no logging:

    0/0 B IPv6 UDP fe80::da90:e8ff:fe9d:74e4 * ff02::fb 5353 * none   Block IPv6 Avahi broadcasts

    What am I overlooking?



  • @Julf:

    My log is full of these entries:

    Feb 1 21:03:27 WAN1 [fe80::da90:e8ff:fe9d:74e4]:5353 [ff02::fb]:5353 UDP

    despite having specific rules with no logging:

    0/0 B IPv6 UDP fe80::da90:e8ff:fe9d:74e4 * ff02::fb 5353 * none   Block IPv6 Avahi broadcasts

    What am I overlooking?

    Are you sure that no-logging firewall rule is catching the appropriate traffic? The "0/0 B" part implies that it isn't.


  • Banned

    Why don't you just use the GUI to see which rule is logging that? Sigh.



  • @doktornotor:

    Why don't you just use the GUI to see which rule is logging that? Sigh.

    How does one do that?



  • @Nullity:

    Are you sure that no-logging firewall rule is catching the appropriate traffic? The "0/0 B" part implies that it isn't.

    None of the rules coming before that rule log anything, and looking at that rule, it should match, right?


  • LAYER 8 Global Moderator

    You can see what rule logged it real easy if you just add the description to the log interface - see attached.

    Or if you don't have that set then just click the X on the rule that blocked it.. And it will pop up what rule is blocking it..

    ![show rules.png](/public/imported_attachments/1/show rules.png)



  • Great! Thanks! Turns out it got blocked by not allowing any IPv6.



  • So if I have unselected "Allow IPv6" in System/Advanced/Networking, and selected "Log packets matched from the default block rules in the ruleset" in Status/System Logs/Settings, that goes before any user defined rules, and can't be blocked/caught separately?


  • LAYER 8 Global Moderator

    Why are you unchecking allow ipv6?

    If you do not set ipv6 addresses on any interfaces, and don't create any firewall rules that allow IPv6, then how exactly is ipv6 going to go anywhere? Yes, checking that box will ensure that ipv6 is broken.. Even if your interfaces have ipv6 on them and rules that allow ipv6..

    I guess they could set up a check box so that it doesn't log..

    Or you could look at it - hey, block all ipv6!! Thanks for logging it so I can track down the devices sending it and turn it off there.. Yes, as you can see, ipv6 can be a chatty little Cathy..



  • Fair enough - I can of course allow IPv6 in the general rules, and have a specific "block IPv6" rule for the interfaces. Just wanted to be sure I hadn't missed something obvious.


  • LAYER 8 Global Moderator

    If there is not an allow on the interface then it's blocked by default. If there is no allow then it's blocked, that is how it is on every interface..



  • Of course. But my confusion was not about that, but about whether implicit, global rules (such as "no IPv6" or bogon blocking - that don't show up on the "Rules" lists) overrule user rules or not.


  • LAYER 8 Global Moderator

    If you click block private or block bogon they are shown at the top of the list on the interface you apply them to.

    Might be a good idea if you block ipv6 that there should be a rule shown on the interfaces showing that ipv6 is being blocked..



  • @johnpoz:

    If you click block private or block bogon they are shown at the top of the list on the interface you apply them to.

    Might be a good idea if you block ipv6 that there should be a rule shown on the interfaces showing that ipv6 is being blocked..

    That would definitely be more consistent.



  • ff02::fb is a multicast for mDNS, which is used for some services, instead of the usual DNS.  You may look for something such as the Apple Bonjour in your area.

    Incidentally, there's no such thing as a broadcast with IPv6.  There are just multicasts.  The closest thing to a broadcast is an all nodes multicast.
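To put JKnott's point about ff02::fb being the mDNS multicast group, and johnpoz's suggestion of using the log to track down the chatty devices, into practice, here is an added example (not from this thread or from pfSense itself) that parses log lines in the format quoted at the top of the thread and tallies multicast entries per source host. The regex for that format, the group names and the sample log lines are my own constructed assumptions.

```python
import ipaddress
import re
from collections import Counter

# Assumed layout of one entry, matching the line quoted in the thread:
# "Feb 1 21:03:27 WAN1 [src]:sport [dst]:dport UDP"
LOG_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s+[\d:]+)\s+(?P<iface>\S+)\s+"
    r"\[(?P<src>[^\]]+)\]:(?P<sport>\d+)\s+"
    r"\[(?P<dst>[^\]]+)\]:(?P<dport>\d+)\s+(?P<proto>\S+)$"
)

# Well-known IPv6 multicast groups worth naming in a summary (ff02::fb is mDNS).
KNOWN_GROUPS = {
    "ff02::fb": "mDNS (Bonjour/Avahi)",
    "ff02::1": "all-nodes",
    "ff02::2": "all-routers",
}

def parse_entry(line):
    """Parse one log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    entry = m.groupdict()
    dst = ipaddress.ip_address(entry["dst"])
    entry["multicast"] = dst.is_multicast
    fallback = "other multicast" if dst.is_multicast else "unicast"
    entry["group"] = KNOWN_GROUPS.get(str(dst), fallback)
    return entry

def chatty_sources(lines):
    """Count multicast entries per (source address, group) to find noisy hosts."""
    counts = Counter()
    for line in lines:
        e = parse_entry(line)
        if e and e["multicast"]:
            counts[(e["src"], e["group"])] += 1
    return counts

# Constructed sample log lines in the format quoted in the thread.
SAMPLE_LOG = """\
Feb 1 21:03:27 WAN1 [fe80::da90:e8ff:fe9d:74e4]:5353 [ff02::fb]:5353 UDP
Feb 1 21:03:28 WAN1 [fe80::da90:e8ff:fe9d:74e4]:5353 [ff02::fb]:5353 UDP
Feb 1 21:03:30 WAN1 [fe80::1]:546 [ff02::1:2]:547 UDP
Feb 1 21:03:31 WAN1 [2001:db8::10]:40000 [2001:db8::1]:53 UDP
""".splitlines()

if __name__ == "__main__":
    for (src, group), n in chatty_sources(SAMPLE_LOG).most_common():
        print(f"{n:4d}  {src:40s} {group}")
```

Feed it the log lines exported from the firewall log view and the top of the list is the device to visit and silence mDNS on, rather than hiding the entries.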



  • @JKnott:

    ff02::fb is a multicast for mDNS, which is used for some services, instead of the usual DNS.  You may look for something such as the Apple Bonjour in your area.

    Yes, that is what seems to be the source.

    Incidentally, there's no such thing as a broadcast with IPv6.  There are just multicasts.  The closest thing to a broadcast is an all nodes multicast.

    You are of course right - the reference to broadcast comes from an older comment for an equivalent IPv4 rule.



  • Not sure if it's a bug or a feature, but I've seen this in other threads before.

    If you don't want to see IPv6 firewall log entries you have to allow IPv6 in pfSense.
    Then you can set up floating rules to Allow/Block IPv6 traffic - with logging disabled.

