[Solved] Firewall Log entries flooded for IPv6/:5353
-
Hi all.
Two Questions:
- Why do I keep seeing IPv6 DNS queries on LAN1 interface when a permit-all firewall rule with NO LOGGING is defined for all outbound connections
LAN [fe80::3cbb:63ff:fec2:8fb4] [ff02::fb]:5353 LAN1 [fe80::a8:d10a:bfcf:88ca] [ff02::fb]:5353 LAN2 [fe80::3cbb:63ff:fec2:8fb4] [ff02::fb]:5353 LAN2 [fe80::3cbb:63ff:fec2:8fb4] [ff02::fb]:5353 LAN1 [fe80::cf1:e8f0:96db:e58f] [ff02::fb]:5353 LAN2 [fe80::3cbb:63ff:fec2:8fb4] [ff02::fb]:5353 LAN1 [fe80::1cd5:2d26:3043:455a] [ff02::fb]:5353- I also see Firewall log DNS query entries (similar to above) for IPv6 on another interface (LAN2) that does not have IPv6 enabled. Why are there IPv6 entries for the interface that does not have IPv6 enabled?
Thanks!
-
it's https://en.wikipedia.org/wiki/Multicast_DNS
nothing to worry about, make a rule and disable logging to the firewall, so you won't see it anymore
-
Because the source is not in the LANnet so it doesn't match.
It's using the local-link address which exists on any IPv6 enabled device whether or not you are giving it a valid routable address.
Steve
-
@stephenw10 I do have a floating rule with apply immediately on match flag set; however, I continue to get flooded with the mDNS IPv6 entries.
Here's the floating rule defined that applies to all the interfaces on the system:
Firewall Log entries:
-
why a floating rule?
i have it as a regular firewall rule and i don't see it anmore on my logs
-
Same cause. The link-local address is neither in LANnet nor in All_Local_Subnets unless you have specifically added an entry for it.
fe80::/10Steve
-
Perhaps I'm missing something, but why would you have rules for something that's not supposed to leave the local link?
-
Only reason to create such rules would be to no log the traffic jknott..
@rsaanon that wule not going to work because ALL_local_Subnets is not all your fe80 space (link_local)..
Do what stephen suggests use fe80::/10 as your source for that rule..
-
yup .. to no log the traffic..
-
not log - T seems to have gotten dropped, I blame the keyboard ;)
-
-
@kiokoman Floating rule so that I only have to create one rule for all interfaces instead of defining Pass rule for :5353 on each of the interfaces. As you can see from the previous snapshot, the firewall is logging traffic destined for ff02::fb:5353 across several interfaces (LAN,IOT,KIDS, etc.)
-
@stephenw10 When I try to create a Network alias as "fe80 /10" and save it, the alias reverts back to "fe80/32"
I would like to create one floating rule for all interfaces that allows for all link-local fe80::* instead of defining link-local pass rule per interface.
-
its fe80::/10
And why do you need an alias you can just put that directly in the rule..
-
@johnpoz Initially, I had wanted to create an alias to put in all link-local addresses and then use that alias when defining the fw rules. Now with fe80/10 there's no need for an alias.
What I was missing was the :: when I was creating the alias or when I was trying to directly put fe80::/10 in the fw rule. Unfortunately, in this instance I cannot blame the keyboard
-
@rsaanon btw, how do I mark this thread as resolved?
-
There's no formal way of doing it. You can edit the title and prefix it [solved]. Or I can.
-
@stephenw10 @johnpoz Thank you for helping me in getting this issue resolved. Am I able to donate something-something or at the very least buy you guys some beer :-)
-
Best thing to do is just pay it forward, see if there is someone you can help on the forums.. If you feel you must donate - then you can donate to freebsd.
https://www.freebsd.org/donations/
Or pick a worthy charity - anything related to helping with covid-19 would prob be a good choice with the current situation..
-
@jknott said in [Solved] Firewall Log entries flooded for IPv6/:5353:
Perhaps I'm missing something, but why would you have rules for something that's not supposed to leave the local link?
@johnpoz said in [Solved] Firewall Log entries flooded for IPv6/:5353:
Only reason to create such rules would be to no log the traffic jknott..
That makes sense but why create pass rules. To prevent the default block rule logging, should not we be creating an equivalent block rule but without logging enabled?
However I'm rather new to this and not sure if that would break some function I'm not aware of. Hence my question, where should the block ff02::fb 5353 go to just block the logging but not change the default pfsense filtering
- WAN outgoing or
- floating rule on all or perhaps all LAN interfaces
