Netgate Discussion Forum

IGMP IPV4 endless log-messages / rules not working :(

    louis2 @dennypage
    last edited by May 8, 2024, 4:33 PM

    @dennypage @Gertjan @stephenw10

    It does not work here also with IP-options set! Let me start with that.
    However:

    That a pass rule can behave like a block rule is "more than bizarre" !!

    IP-options is necessary for a match, then the rule without IP-options should simply not match, should not do anything !!
    Letting the rule change into a block rule is simply bizarre !!!!!

    But even if I put the IGMP pass rule with options set as the very first rule in the floating table, it does not work!

      Gertjan @louis2
      last edited by May 8, 2024, 4:35 PM

      @louis2 said in IGMP IPV4 endless log-messages / rules not working :(:

      "more than bizarre" !!

      I know, I know.
      I'm like you: I wanted to stop my logs being filled up with 'useless' info.
      This trick did it.

      No "help me" PM's please. Use the forum, the community will thank you.
      Edit : and where are the logs ??

        louis2 @Gertjan
        last edited by May 8, 2024, 4:40 PM

        @Gertjan

        Gertjan, in my personal vision, I am just as concerned about threats from inside my network as for threats coming from the internet.

        So my rule sets are very strict also for traffic leaving the network!

        • for security reasons first
        • blocking the option that things are collected from the internet for bad, commercial or good reasons ....
        • for privacy reasons

        So I would never ever define a rule like "everything outgoing allowed".
        Next to that the rules allow all subsets to freely communicate with each other. No way !! Never !!

        My opinion of course!

          dennypage @louis2
          last edited by May 8, 2024, 4:44 PM

          @louis2 said in IGMP IPV4 endless log-messages / rules not working :(:

          It does not work here also with IP-options set! Let me start with that.

          Please post screen shots of your rules.

            dennypage @louis2
            last edited by May 8, 2024, 4:47 PM

            @louis2 said in IGMP IPV4 endless log-messages / rules not working :(:

            IP-options is necessary for a match, then the rule without IP-options should simply not match, should not do anything !!

            To be clear, IP options are not matchable like protocols, addresses, ports, etc.

              louis2 @dennypage
              last edited by May 8, 2024, 6:01 PM

              @dennypage

              I think I fixed it. The following way:

              1. I did add as first rule for the vlan:
                4e05d9d7-b8e2-449e-9001-96971c4f14bd-image.png

              2. I did reset the states via Diagnostics / States / Reset States

              Just defining the rule was not enough !!!

                dennypage @louis2
                last edited by May 8, 2024, 6:05 PM

                @louis2 Glad you got it working. Thank you for letting me know that you had to perform Reset States. That may help others.

                  Gertjan @louis2
                  last edited by May 9, 2024, 7:08 AM

                  @louis2 said in IGMP IPV4 endless log-messages / rules not working :(:

                  So I would never ever define a rule like "everything outgoing allowed".
                  Next to that the rules allow all subsets to freely communicate with each other. No way !! Never !!

                  I fully agree with that.
                  I've kept the default Netgate LAN firewall rules because I have the luxury of totally trusting all my LAN devices, I don't need to block something from going outside.
                  Beyond the devices, I can also trust the users that use these devices. I'm lucky, probably.

                  Closing all destination ports, leaving open only port 53,80,443,110,143,995,992, 993, 143 doesn't give me more security, as 99% of all threats are downloaded by users over 443 (a web browser using https) or by mail, for example IMAP SSL, port 993, a mail client.

                  My LAN is my trusted network, and they could access my other, less trusted networks, like a captive portal, or my server network. These networks can not access my trusted LAN.
                  My non trusted networks have devices I need to admin, like access points etc. I can access these from my LAN.

                    dennypage @Gertjan
                    last edited by May 9, 2024, 2:48 PM

                    @Gertjan In this case, it's a bit more than just passing ports. Allowing IP Options on a pass all rule opens your firewall to these options as well. IMO, you want to be very specific in the circumstance that you allow IP options.

                    I would have a preference for silently dropping all packets with IP options, including IGMP, rather than allowing all IP packets with options.

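The behaviour discussed above, as an added example that is not part of any post in this thread: IGMP messages carry the IPv4 Router Alert option (type 148, RFC 2113), so their header length exceeds 5 words. The `verdict` function is a simplified, assumed model of a pass rule that drops option-bearing packets unless "allow IP options" is set; the rule dictionary keys and the sample packets are constructed for illustration.

```python
import struct

ROUTER_ALERT = 148   # IPv4 option type 0x94 (RFC 2113), carried by IGMPv2/v3 messages
IPPROTO_IGMP = 2

def parse_ipv4_options(pkt: bytes):
    """Return (protocol, [option types]) for a raw IPv4 packet."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (pkt[0] & 0x0F) * 4             # header length in bytes
    if ihl < 20 or ihl > len(pkt):
        raise ValueError("bad IHL")
    opts, i = [], 20
    while i < ihl:
        kind = pkt[i]
        if kind == 0:                      # End of Option List
            break
        if kind == 1:                      # No-Operation, single byte
            i += 1
            continue
        if i + 1 >= ihl or pkt[i + 1] < 2 or i + pkt[i + 1] > ihl:
            raise ValueError("malformed option")
        opts.append(kind)
        i += pkt[i + 1]
    return pkt[9], opts

def verdict(pkt: bytes, rule: dict) -> str:
    """Assumed model of one pass rule: 'pass', 'drop-ipopts' or 'no-match'."""
    proto, _ = parse_ipv4_options(pkt)
    if rule["proto"] not in (None, proto):  # None means "any protocol"
        return "no-match"
    has_opts = (pkt[0] & 0x0F) > 5          # any header longer than 20 bytes
    if has_opts and not rule["allow_opts"]:
        return "drop-ipopts"                # matched a pass rule, yet dropped and logged
    return "pass"

def build(proto: int, options: bytes = b"") -> bytes:
    """Construct a sample IPv4 header (checksum left at 0) plus 8 payload bytes."""
    ihl = 5 + len(options) // 4
    hdr = struct.pack("!BBHHHBBH4s4s", 0x40 | ihl, 0xC0, ihl * 4 + 8, 0, 0, 1,
                      proto, 0, bytes([192, 168, 10, 20]), bytes([224, 0, 0, 22]))
    return hdr + options + bytes(8)

# Constructed samples: an IGMP report with Router Alert, a UDP packet with the
# same option, and an option-less UDP packet.
IGMP_REPORT = build(IPPROTO_IGMP, bytes([ROUTER_ALERT, 4, 0, 0]))
UDP_WITH_OPTS = build(17, bytes([ROUTER_ALERT, 4, 0, 0]))
PLAIN_UDP = build(17)
```

A rule of `{"proto": 2, "allow_opts": True}` passes only the IGMP sample, while `{"proto": None, "allow_opts": True}` also passes `UDP_WITH_OPTS`, which is the difference between a specific rule and a pass-all rule with options allowed.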
                      Gertjan @dennypage
                      last edited by May 9, 2024, 3:31 PM

                      @dennypage said in IGMP IPV4 endless log-messages / rules not working :(:

                      you want to be very specific in the circumstance that you allow IP options.

                      I wanted to clean my logs. I've chosen the fast way out - not necessarily the best one.

                      Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.