[Multiple users] 24.03.r.20240410.1729 IGMP block gets logged
-
I noticed the same earlier on a previous beta build myself but didn't think much of it at the time. I haven't updated to the RC yet but it's definitely been an issue before.
-
Now I noticed it again, it is annoying. But only on one interface.
Apr 11 14:46:37 ISWITCH allow ISWITCH to any rule (1712820132) 192.168.9.30 224.0.0.22 IGMP
Apr 11 14:46:37 ISWITCH allow ISWITCH to any rule (1712820132) 192.168.9.30 224.0.0.22 IGMP
Apr 11 14:46:37 ISWITCH allow ISWITCH to any rule (1712820132) 192.168.9.30 224.0.0.22 IGMP
Apr 11 14:46:37 ISWITCH allow ISWITCH to any rule (1712820132) 192.168.9.30 224.0.0.22 IGMP
Apr 11 14:46:37 ISWITCH allow ISWITCH to any rule (1712820132) 192.168.9.30 224.0.0.22 IGMP
Apr 11 14:46:37 ISWITCH allow ISWITCH to any rule (1712820132) 192.168.9.30 224.0.0.22 IGMP
Apr 11 14:46:37 ISWITCH allow ISWITCH to any rule (1712820132) 192.168.9.30 224.0.0.22 IGMP
Apr 11 14:35:25 ISWITCH allow ISWITCH to any rule (1712820132) 192.168.9.30 224.0.0.22 IGMP
Apr 11 14:35:24 ISWITCH allow ISWITCH to any rule (1712820132) 192.168.9.30 224.0.0.22 IGMP
Apr 11 14:35:24 ISWITCH allow ISWITCH to any rule (1712820132) 192.168.9.30 224.0.0.22 IGMP
Apr 11 14:35:24 ISWITCH allow ISWITCH to any rule (1712820132) 192.168.9.30 224.0.0.22 IGMP
Apr 11 14:35:24 ISWITCH allow ISWITCH to any rule (1712820132) 192.168.9.30 224.0.0.22 IGMP
Apr 11 13:35:25 ISWITCH allow ISWITCH to any rule (1712820132) 192.168.9.30 224.0.0.22 IGMP
Apr 11 13:35:25 ISWITCH allow ISWITCH to any rule (1712820132) 192.168.9.30 224.0.0.22 IGMP
Apr 11 13:35:25 ISWITCH allow ISWITCH to any rule (1712820132) 192.168.9.30 224.0.0.22 IGMP
Apr 11 13:35:25 ISWITCH allow ISWITCH to any rule (1712820132) 192.168.9.30 224.0.0.22 IGMP
Apr 11 13:35:25 ISWITCH allow ISWITCH to any rule (1712820132) 192.168.9.30 224.0.0.22 IGMP
Apr 11 12:35:25 ISWITCH allow ISWITCH to any rule (1712820132) 192.168.9.30 224.0.0.22 IGMP
Apr 11 12:35:25 ISWITCH allow ISWITCH to any rule (1712820132) 192.168.9.30 224.0.0.22 IGMP
Apr 11 12:35:25 ISWITCH allow ISWITCH to any rule (1712820132) 192.168.9.30 224.0.0.22 IGMP
Apr 11 12:35:25 ISWITCH allow ISWITCH to any rule (1712820132) 192.168.9.30 224.0.0.22 IGMP
Apr 11 12:35:25 ISWITCH allow ISWITCH to any rule (1712820132) 192.168.9.30 224.0.0.22 IGMP
Apr 11 12:17:46 ISWITCH allow ISWITCH to any rule (1712820132) 192.168.9.30 224.0.0.22 IGMP
Apr 11 12:17:46 ISWITCH allow ISWITCH to any rule (1712820132) 192.168.9.30 224.0.0.22 IGMP
Apr 11 12:17:46 ISWITCH allow ISWITCH to any rule (1712820132) 192.168.9.30 224.0.0.22 IGMP
Apr 11 12:17:46 ISWITCH allow ISWITCH to any rule (1712820132) 192.168.9.30 224.0.0.22 IGMP
Apr 11 12:17:46 ISWITCH allow ISWITCH to any rule (1712820132) 192.168.9.30 224.0.0.22 IGMP
Apr 11 12:17:46 ISWITCH allow ISWITCH to any rule (1712820132) 192.168.9.30 224.0.0.22 IGMP
Apr 11 12:17:46 ISWITCH allow ISWITCH to any rule (1712820132) 192.168.9.30 224.0.0.22 IGMP
Apr 11 12:02:52 ISWITCH allow ISWITCH to any rule (1712820132) 192.168.9.30 224.0.0.22 IGMP
Apr 11 12:02:51 ISWITCH allow ISWITCH to any rule (1712820132) 192.168.9.30 224.0.0.22 IGMP
Apr 11 12:02:51 ISWITCH allow ISWITCH to any rule (1712820132) 192.168.9.30 224.0.0.22 IGMP
Apr 11 12:02:51 ISWITCH allow ISWITCH to any rule (1712820132) 192.168.9.30 224.0.0.22 IGMP
Apr 11 12:02:51 ISWITCH allow ISWITCH to any rule (1712820132) 192.168.9.30 224.0.0.22 IGMP
Apr 11 12:02:51 ISWITCH allow ISWITCH to any rule (1712820132) 192.168.9.30 224.0.0.22 IGMP
Apr 11 12:02:51 ISWITCH allow ISWITCH to any rule (1712820132) 192.168.9.30 224.0.0.22 IGMP
Apr 11 11:35:25 ISWITCH allow ISWITCH to any rule (1712820132) 192.168.9.30 224.0.0.22 IGMP
Apr 11 11:35:24 ISWITCH allow ISWITCH to any rule (1712820132) 192.168.9.30 224.0.0.22 IGMP
Apr 11 11:35:24 ISWITCH allow ISWITCH to any rule (1712820132) 192.168.9.30 224.0.0.22 IGMP
Apr 11 11:35:24 ISWITCH allow ISWITCH to any rule (1712820132) 192.168.9.30 224.0.0.22 IGMP
Apr 11 11:35:24 ISWITCH allow ISWITCH to any rule (1712820132) 192.168.9.30 224.0.0.22 IGMP
Apr 11 11:11:05 ISWITCH allow ISWITCH to any rule (1712820132) 192.168.9.30 224.0.0.22 IGMP
Apr 11 11:11:05 ISWITCH allow ISWITCH to any rule (1712820132) 192.168.9.30 224.0.0.22 IGMP
Apr 11 11:11:05 ISWITCH allow ISWITCH to any rule (1712820132) 192.168.9.30 224.0.0.22 IGMP
Apr 11 11:11:05 ISWITCH allow ISWITCH to any rule (1712820132) 192.168.9.30 224.0.0.22 IGMP
Apr 11 11:11:05 ISWITCH allow ISWITCH to any rule (1712820132) 192.168.9.30 224.0.0.22 IGMP
Apr 11 11:11:05 ISWITCH allow ISWITCH to any rule (1712820132) 192.168.9.30 224.0.0.22 IGMP
Apr 11 11:11:05 ISWITCH allow ISWITCH to any rule (1712820132) 192.168.9.30 224.0.0.22 IGMP
Apr 11 11:02:47 ISWITCH allow ISWITCH to any rule (1712820132) 192.168.9.30 224.0.0.22 IGMP
Apr 11 11:02:47 ISWITCH allow ISWITCH to any rule (1712820132) 192.168.9.30 224.0.0.22 IGMP
Apr 11 11:02:47 ISWITCH allow ISWITCH to any rule (1712820132) 192.168.9.30 224.0.0.22 IGMP
Apr 11 11:02:47 ISWITCH allow ISWITCH to any rule (1712820132) 192.168.9.30 224.0.0.22 IGMP
Apr 11 11:02:47 ISWITCH allow ISWITCH to any rule (1712820132) 192.168.9.30 224.0.0.22 IGMP
Apr 11 11:02:47 ISWITCH allow ISWITCH to any rule (1712820132) 192.168.9.30 224.0.0.22 IGMP
Apr 11 11:02:47 ISWITCH allow ISWITCH to any rule (1712820132) 192.168.9.30 224.0.0.22 IGMP
Apr 11 11:02:11 ISWITCH allow ISWITCH to any rule (1712820132) 192.168.9.30 224.0.0.22 IGMP
Apr 11 11:02:10 ISWITCH allow ISWITCH to any rule (1712820132) 192.168.9.30 224.0.0.22 IGMP
Apr 11 11:02:10 ISWITCH allow ISWITCH to any rule (1712820132) 192.168.9.30 224.0.0.22 IGMP
Apr 11 11:02:10 ISWITCH allow ISWITCH to any rule (1712820132) 192.168.9.30 224.0.0.22 IGMP
Apr 11 11:02:10 ISWITCH allow ISWITCH to any rule (1712820132) 192.168.9.30 224.0.0.22 IGMP
Apr 11 11:02:10 ISWITCH allow ISWITCH to any rule (1712820132) 192.168.9.30 224.0.0.22 IGMP
Apr 11 11:02:10 ISWITCH allow ISWITCH to any rule (1712820132) 192.168.9.30 224.0.0.22 IGMP
Apr 11 10:35:25 ISWITCH allow ISWITCH to any rule (1712820132) 192.168.9.30 224.0.0.22 IGMP
Apr 11 10:35:25 ISWITCH allow ISWITCH to any rule (1712820132) 192.168.9.30 224.0.0.22 IGMP
Apr 11 10:35:25 ISWITCH allow ISWITCH to any rule (1712820132) 192.168.9.30 224.0.0.22 IGMP
Apr 11 10:35:25 ISWITCH allow ISWITCH to any rule (1712820132) 192.168.9.30 224.0.0.22 IGMP
Apr 11 10:35:25 ISWITCH allow ISWITCH to any rule (1712820132) 192.168.9.30 224.0.0.22 IGMP
Apr 11 09:35:25 ISWITCH allow ISWITCH to any rule (1712820132) 192.168.9.30 224.0.0.22 IGMP
Apr 11 09:35:25 ISWITCH allow ISWITCH to any rule (1712820132) 192.168.9.30 224.0.0.22 IGMP
Apr 11 09:35:25 ISWITCH allow ISWITCH to any rule (1712820132) 192.168.9.30 224.0.0.22 IGMP
Apr 11 09:35:25 ISWITCH allow ISWITCH to any rule (1712820132) 192.168.9.30 224.0.0.22 IGMP
Apr 11 09:35:25 ISWITCH allow ISWITCH to any rule (1712820132) 192.168.9.30 224.0.0.22 IGMP
-
@Lurick said in 24.03.r.20240410.1729 IGMP block gets logged:
I noticed the same earlier on a previous beta build myself
I am on Hyper-V; that is a VM NIC connected to an internal switch with many VLANs. I will try changing some settings.
-
Using a bare-bone native "SG 4100" here, using 23.04-RC:
The rule with ID "1712824368" is the first rule here:
I've made a pass rule that is NOT logging.
Still, when the firewall encounters this protocol, it logs ...
So there's some new logic going on inside pf: if the protocol is IGMP, then log regardless of whether the log flag is set ... My rules.debug looks fine:
pass in quick on $PORTAL inet proto igmp from any to any ridentifier 1712824368 keep state label "USER_RULE: GIMP" label "id:1712824368"
=> no log flag.
There is a low-level thing going on, not pfSense GUI related.
Maybe it was even there before I upgraded to the 24.03-RC ..... I have to admit that I checked a lot, but not the firewall logs (as I don't have any firewall rule logging).
-
Flooding my logs as well, even with an explicit pass.
-
IGMP rules require allowing IP options to actually pass, which is why it's dropped on 24.03. Presumably it would be silently dropped in 23.09.1 without setting IP options on the rule (even with the log entry saying pass). Perhaps someone with an IGMP setup can confirm.
-
@marcosm said in [Multiple users] 24.03.r.20240410.1729 IGMP block gets logged:
IGMP rules require allowing IP options to actually pass, hence why it's dropped on 24.03. Presumably it would be silently dropped in 23.09.1 without setting IP options on the rule (even with the log entry saying pass). Perhaps someone with an IGMP setup can confirm.
The packets are shown as being blocked, but the rule listed is a pass rule which says do not log. It seems a bug either way.
That said, your supposition is correct, checking Allow IP options on the IGMP rule does work.
-
@marcosm Thinking about this further...
I don't have a serious issue with the fact that an IGMP rule needs the box checked to be functional, however I think it would be a good thing to note this in the UI when IGMP is selected.
The most significant issues to me surround the fact that the firewall log indicates the packet was blocked by a pass rule. This is concerning for two reasons. The first concern is that there is no indication of why the packet was actually blocked in the log, which makes things difficult to track down. The second and more significant concern is the implication that rule processing stopped upon hitting the pass rule, effectively treating it as a Quick rule, rather than proceeding down the list.
In short, I would expect to see the "Default deny rule" instead.
Others may have differing opinions, which I would also like to hear.
-
The rule matching doesn't seem to take into account IP options; and given that all but floating rules have "quick" by default, the matching doesn't continue on to other rules. This is why you don't see the default deny rule as the blocker.
I do agree that the logging itself in this case is unexpected. I've opened a redmine issue with the details:
https://redmine.pfsense.org/issues/15400
It does beg the question what's preferred:
- drop the packet and respect the rule logging (previous behavior)
- drop the packet and log it even when the rule is to pass without logging (new behavior)
I imagine the new behavior is intended since otherwise the issue would be effectively hidden from the user. The "quirk" here is that IP options are not considered when rule matching, though that may also be intended (maybe for performance?).
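The point made above (a pass rule for IGMP only works when IP options are allowed, because IGMP messages carry the Router Alert option, and pf emits that as the allow-opts keyword) can be turned into a quick audit of a pfSense rules.debug file. This is an added example, not code from the thread or from pfSense; the sample rule lines are constructed here (the first one is the line quoted earlier in the thread) and the function name is my own:

```python
import re

# Constructed sample of pfSense rules.debug lines. The first line is the one
# quoted earlier in this thread; the second shows the same kind of rule with
# "Allow IP options" checked (pf's allow-opts keyword); the rest are filler
# rules that the check must ignore (non-IGMP, block rules, comments).
SAMPLE_RULES = """\
pass in quick on $PORTAL inet proto igmp from any to any ridentifier 1712824368 keep state label "USER_RULE: GIMP" label "id:1712824368"
pass in quick on $LAN inet proto igmp from any to 224.0.0.0/4 allow-opts ridentifier 1712820132 keep state label "USER_RULE: Allow IGMP"
pass in quick on $LAN inet proto tcp from any to any port 443 ridentifier 1700000001 flags S/SA keep state label "USER_RULE: HTTPS"
block in log quick on $LAN inet proto igmp from any to any ridentifier 1700000002 label "USER_RULE: Block IGMP"
# comment line that must be ignored
"""

RIDENT = re.compile(r"\bridentifier (\d+)")
LABEL = re.compile(r'label "USER_RULE: ([^"]*)"')


def igmp_pass_rules_without_allow_opts(rules_text):
    """Return (ridentifier, label) for every pass rule on proto igmp that
    lacks allow-opts, i.e. rules that look like they pass IGMP but will
    drop it because pf rejects packets with IP options by default."""
    findings = []
    for line in rules_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        tokens = line.split()
        if tokens[0] != "pass":
            continue  # block/match rules are not the problem here
        if "proto" not in tokens:
            continue
        proto_idx = tokens.index("proto")
        if proto_idx + 1 >= len(tokens) or tokens[proto_idx + 1] != "igmp":
            continue
        if "allow-opts" in tokens:
            continue  # IP options allowed, rule will actually pass IGMP
        rid = RIDENT.search(line)
        label = LABEL.search(line)
        findings.append((rid.group(1) if rid else None,
                         label.group(1) if label else ""))
    return findings


if __name__ == "__main__":
    for rid, label in igmp_pass_rules_without_allow_opts(SAMPLE_RULES):
        print(f"rule {rid} ({label!r}) passes IGMP but lacks allow-opts: "
              f"Router Alert option will be rejected and the packet dropped")
```

Run it against a copy of /tmp/rules.debug from the firewall; any rule it reports is one whose "Allow IP options" box still needs to be checked.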
-
@marcosm My personal opinion is that the new behavior is slightly more useful, but what would really make it even better would be an indication in the log of the cause.
Like in the firewall log Rule column, appending an indicator to the description:
Allow IGMP (1457745313) [IP Options disallowed]
This would be useful in other situations as well.
Probably a pain to implement though...
-
I made a block rule for IGMP with no logging and my logs are clean again. I am missing the knowledge to have an opinion on this situation.