Filter logs flooded with these



  • I have been watching the Firewall logs for a bit now and they are getting flooded with the following:

    listening on pflog0, link-type PFLOG (OpenBSD pflog file), capture size 96 bytes
    00:00:00.000000 rule 18/0(match): block in on vr1: 10.115.196.1.67 > 255.255.255.255.68: BOOTP/DHCP, Reply, length 349
    00:00:03.705834 rule 18/0(match): block in on vr1: 10.115.196.1.67 > 255.255.255.255.68: BOOTP/DHCP, Reply, length 350
    00:00:01.288160 rule 18/0(match): block in on vr1: 10.115.196.1.67 > 255.255.255.255.68: BOOTP/DHCP, Reply, length 349
    00:00:00.720074 rule 18/0(match): block in on vr1: 10.115.196.1.67 > 255.255.255.255.68: BOOTP/DHCP, Reply, length 350
    00:00:08.277102 rule 18/0(match): block in on vr1: 10.115.196.1.67 > 255.255.255.255.68: BOOTP/DHCP, Reply, length 349
    00:00:16.998123 rule 18/0(match): block in on vr1: 10.115.196.1.67 > 255.255.255.255.68: BOOTP/DHCP, Reply, length 349
    00:00:18.097584 rule 18/0(match): block in on vr1: 10.115.196.1.67 > 255.255.255.255.68: BOOTP/DHCP, Reply, length 352
    00:00:14.899442 rule 18/0(match): block in on vr1: 10.115.196.1.67 > 255.255.255.255.68: BOOTP/DHCP, Reply, length 349
    00:00:32.076977 rule 18/0(match): block in on vr1: 10.115.196.1.67 > 255.255.255.255.68: BOOTP/DHCP, Reply, length 346
    00:00:02.013571 rule 18/0(match): block in on vr1: 10.115.196.1.67 > 255.255.255.255.68: BOOTP/DHCP, Reply, length 346
    00:00:10.876816 rule 18/0(match): block in on vr1: 10.115.196.1.67 > 255.255.255.255.68: BOOTP/DHCP, Reply, length 349
    00:00:20.025704 rule 18/0(match): block in on vr1: 10.115.196.1.67 > 255.255.255.255.68: BOOTP/DHCP, Reply, length 349
    00:00:01.565775 rule 18/0(match): block in on vr1: 10.115.196.1.67 > 255.255.255.255.68: BOOTP/DHCP, Reply, length 348
    00:00:00.658166 rule 18/0(match): block in on vr1: 10.115.196.1.67 > 255.255.255.255.68: BOOTP/DHCP, Reply, length 346
    00:00:40.819441 rule 18/0(match): block in on vr1: 10.115.196.1.67 > 255.255.255.255.68: BOOTP/DHCP, Reply, length 346
    00:00:00.058846 rule 18/0(match): block in on vr1: 10.115.196.1.67 > 255.255.255.255.68: BOOTP/DHCP, Reply, length 346
    00:00:10.961450 rule 18/0(match): block in on vr1: 10.115.196.1.67 > 255.255.255.255.68: BOOTP/DHCP, Reply, length 347
    00:00:28.838739 rule 18/0(match): block in on vr1: 10.115.196.1.67 > 255.255.255.255.68: BOOTP/DHCP, Reply, length 346
    00:00:02.004749 rule 18/0(match): block in on vr1: 10.115.196.1.67 > 255.255.255.255.68: BOOTP/DHCP, Reply, length 346
    00:00:01.108102 rule 18/0(match): block in on vr1: 10.115.196.1.67 > 255.255.255.255.68: BOOTP/DHCP, Reply, length 347
    00:00:06.016681 rule 18/0(match): block in on vr1: 10.115.196.1.67 > 255.255.255.255.68: BOOTP/DHCP, Reply, length 350
    00:00:02.014035 rule 18/0(match): block in on vr1: 10.115.196.1.67 > 255.255.255.255.68: BOOTP/DHCP, Reply, length 350
    00:00:01.071225 rule 18/0(match): block in on vr1: 10.115.196.1.67 > 255.255.255.255.68: BOOTP/DHCP, Reply, length 345
    00:00:15.606690 rule 18/0(match): block in on vr1: 10.115.196.1.67 > 255.255.255.255.68: BOOTP/DHCP, Reply, length 331

    Am I reading this correctly that 10.115.196.1 is trying to get DHCP on my WAN port? My WAN port is connected directly to my cable modem and I only have DHCP running on my LAN (vr0) interface, which should NOT be accessible to the outside world.

    What is odd is that I assumed anything in the 10.x.x.x range was reserved for private subnets.

    Thank you for any advice!



  • After lots of reading I found my answer. For reference the solution was posted by onhel here http://forum.pfsense.org/index.php?topic=14131.0.

    Essentially these were DHCP broadcasts from the ISP on my WAN. Following the suggestion above I was able to stop the massive amount of logging.



  • What is odd is that I assumed anything in the 10.x.x.x range was reserved for private subnets.

    Many cable companies use IPs in these subnets to administer the actual modems.  Quite normal.
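
Added example, not part of the thread or of pfSense: a small Python script that groups tcpdump output from pflog0 (the format quoted in the first post) by rule, interface and endpoints, and separates DHCP server broadcasts (port 67 to 255.255.255.255 port 68) from other blocked traffic, so you can confirm what is flooding the log before suppressing it. The sample lines, the regular expression and the function names are constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample in the tcpdump-on-pflog0 format shown in the thread.
# The last line is an invented non-DHCP entry (documentation addresses).
SAMPLE = """\
00:00:00.000000 rule 18/0(match): block in on vr1: 10.115.196.1.67 > 255.255.255.255.68: BOOTP/DHCP, Reply, length 349
00:00:03.705834 rule 18/0(match): block in on vr1: 10.115.196.1.67 > 255.255.255.255.68: BOOTP/DHCP, Reply, length 350
00:00:01.288160 rule 18/0(match): block in on vr1: 10.115.196.1.67 > 255.255.255.255.68: BOOTP/DHCP, Reply, length 349
00:00:02.100000 rule 18/0(match): block in on vr1: 198.51.100.7.40000 > 192.0.2.10.22: tcp 0
"""

# Matches "rule N/M(match): ACTION DIR on IFACE: SRC.SPORT > DST.DPORT:" (IPv4 only).
LINE = re.compile(
    r"rule (?P<rule>\d+)/\d+\(match\): (?P<action>\w+) (?:in|out) on (?P<ifc>\S+): "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+):"
)

def summarize(text):
    """Count entries per (rule, action, interface, src, sport, dst, dport)."""
    counts = Counter()
    for line in text.splitlines():
        m = LINE.search(line)
        if m:  # lines that do not parse (e.g. the "listening on" banner) are skipped
            counts[(int(m["rule"]), m["action"], m["ifc"], m["src"],
                    int(m["sport"]), m["dst"], int(m["dport"]))] += 1
    return counts

def is_dhcp_server_broadcast(key):
    """True for DHCP server replies (67 -> 68) sent to the limited broadcast address."""
    _, _, _, _, sport, dst, dport = key
    return sport == 67 and dport == 68 and dst == "255.255.255.255"

def noise_report(text):
    """Split flows into DHCP broadcast noise and everything else, most frequent first."""
    noise, other = [], []
    for key, n in summarize(text).most_common():
        (noise if is_dhcp_server_broadcast(key) else other).append((key, n))
    return noise, other

if __name__ == "__main__":
    noise, other = noise_report(SAMPLE)
    for key, n in noise:
        print("DHCP broadcast noise:", n, key)
    for key, n in other:
        print("still worth reviewing:", n, key)
```
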

