Add Firewall Rule Before Block Private Network



  • Is it possible, or do I have to disable the "built in" rule and create my own?

    I have an issue, where the firewall logs contain nothing, but this, every few minutes:

    Act  Time             If   Source           Destination         Proto
         Dec 23 13:00:03  WAN  10.252.48.1:67   255.255.255.255:68  UDP
         Dec 23 13:00:02  WAN  10.252.48.1:67   255.255.255.255:68  UDP
         Dec 23 12:59:58  WAN  10.252.48.1:67   255.255.255.255:68  UDP
         Dec 23 12:59:45  WAN  10.252.48.1:67   255.255.255.255:68  UDP
         Dec 23 12:59:21  WAN  10.252.48.1:67   255.255.255.255:68  UDP
         Dec 23 12:58:54  WAN  10.252.48.1      224.0.0.1           IGMP

    So, I cannot see anything else logged, as this floods them.

    I'm guessing it's caused by a misconfigured DHCP server somewhere on the system, on my side of the cable Head-End.

    I'd just like to turn off the logging for these, probably based on the IP.

    Cheers.



  • What I've done for this type of thing is create your own rule (yes, disable the built in if it is matching that rule) and set it to not log.



  • I'd like to try and do it, without disabling, and manually re-creating the rules for "Block private networks", but if that's the only way.

    How can I see exactly what the rules are that are automatically generated for this?

    Cheers.



  • There may very well be another way to do it but I'm not aware of it. I guess my situation wasn't exactly like yours because it was the "Default Deny" rule that was filling up my logs so a rule above it without logging worked fine.

    I think you may have to look at the config.xml or actually at the pf rules currently running to see what the rules are exactly. If it's private networks, you could just make an alias of all private networks (192.168.0.0/16, 10.0.0.0/8, etc) and then block the alias. Just thinking out loud though. I'm sure there's a way to find the exact rule being used.



  • You could just disable logging for the default block rule.



  • @danswartz:

    you could just disable logging for the default block rule.

    Errr, no.  The only option is "Block Private Networks", under Interfaces -> WAN, or not.  You can't make any choices beyond that.

    But, even if I could, I'd like to see what's happening, other than this bozo.

    Cheers.





  • @EddieA:

    @danswartz:

    you could just disable logging for the default block rule.

    Errr, no.  The only option is "Block Private Networks", under Interfaces -> WAN, or not.  You can't make any choices beyond that.

    But, even if I could, I'd like to see what's happening, other than this bozo.

    Cheers.

    Under Status => System Logs => Settings, there is a checkbox "Log packets blocked by the default rule" :)  But if that isn't what you want…



  • @onhel:

    Discussed here in the past

    http://forum.pfsense.org/index.php/topic,14131.msg75033.html#msg75033

    Ha, that's exactly what I ended up doing.  Great minds, etc.

    @danswartz:

    Under Status => System Logs => Settings, there is a checkbox "Log packets blocked by the default rule" :)  But if that isn't what you want…

    No, that logs packets that make it past all the rules, and get blocked by the "default".  I wanted to stop logging a packet that was logged by the very first rule "Block private networks".

    Cheers.
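An added illustration of the ordering the thread arrives at, written in raw pf syntax; this is not pfSense's generated ruleset and not code from the thread. The interface name em0 and the three rules standing in for "Block private networks" are assumptions; pfSense writes its rules with quick, so the first matching rule wins and the unlogged rule has to sit above the logged one.

```pf
# Assumed WAN interface name (pfSense uses the real NIC name here)
wan = "em0"

# Silently drop the known head-end chatter from the log table above.
# No "log" keyword, so these matches never reach the firewall log.
# Placed first because "quick" stops evaluation at the first match.
block drop quick on $wan proto udp from 10.252.48.1 port 67 to 255.255.255.255 port 68
block drop quick on $wan proto igmp from 10.252.48.1 to 224.0.0.1

# Stand-in for the "Block private networks" checkbox (logged).
# Anything else from RFC 1918 space still shows up in the log.
block drop log quick on $wan from 10.0.0.0/8 to any
block drop log quick on $wan from 172.16.0.0/12 to any
block drop log quick on $wan from 192.168.0.0/16 to any
```

To see the rules actually loaded, as asked earlier in the thread, `pfctl -sr` lists the running ruleset and `pfctl -vsr` adds per-rule packet counters, which confirms the silent rule is the one absorbing the traffic. If the WAN actually obtains its own lease from that server, match the DHCP traffic with an unlogged pass rather than a drop.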



  • @EddieA:

    @onhel:

    Discussed here in the past

    http://forum.pfsense.org/index.php/topic,14131.msg75033.html#msg75033

    Ha, that's exactly what I ended up doing.  Great minds, etc.

    I think I may have seen that post before but couldn't find it. Glad you got it working anyways. :)



  • Sorry, misread the OP.  I saw the comment about logs filling up by 'default deny' and replied to that :)

