4. Odd firewall entry

Odd firewall entry

  • D

    I'm confused by this entry in the log, and the source of the packet. As em0 is my WAN port, what is the real source of this packet? And how do I make it go away? I've recently did a fresh install and reconfiguration of this device and yet this entry persists. Any help is appreciated.

    And the rule:

    0

  • It's an IGMP packet being blocked.

    https://en.wikipedia.org/wiki/Internet_Group_Management_Protocol

    If they bother you, you could create a block rule specifically for those packets and then set the rule to not log.

    0
  • D

    Thanks for the reply, KOM. My problem with that is any attempt to create a rule  results in the system complaining about em0 not being a valid interface, hence my confusion in the first place.

    0
  • LAYER 8 Global Moderator

    what interface do you have assigned to em0?  That is the interface you would create the rule on.

    0
  • D

    As in my first post, em0 is my WAN port. I've created a block rule as you've suggested, and told it to not log the block. The em0 packet block still appears in the log.

    0
  • LAYER 8 Global Moderator

    why would you be seeing packets from 192.168.254.254 on your wan?  Is that from your isp network, or are you behind a double nat?  If behind a double nat what else do you have on this 192.168.254 network?  You seem to have multiple public IPs 50.x.x.66 and .65

    Post up your wan rules so we can see them and your rule to not log.

    0
  • D

    I think we're drifting away from my initial question: Why am I seeing anything in my firewall log tagged with em0 as the interface when that interface was defined during setup as WAN?

    0
  • LAYER 8 Global Moderator

    because its NOT to your wan address.. its just being seen on the interface as multicast.. Your wan IP is .65 .66 etc.. So it is being seen on the interface directly.

    0
  • D

    @johnpoz:

    because its NOT to your wan address.. its just being seen on the interface as multicast.. Your wan IP is .65 .66 etc.. So it is being seen on the interface directly.

    Johnpoz, thank you. The light bulb just came on. There is indeed an upstream device that exposes a management interface on a network that overlaps my internal LAN addresses. In effect, there are two networks on em0. Problem solved.

    0
Log in to reply
 

Products

Services

Support

News

Resources

Company

Our Mission

We provide leading-edge network security at a fair price - regardless of organizational size or network sophistication. We believe that an open-source security model offers disruptive pricing along with the agility required to quickly address emerging threats.

Subscribe to our Newsletter

Product information, software announcements, and special offers. See our newsletter archive for past announcements.

© Copyright 2019 Rubicon Communications, LLC | Privacy Policy