Pf logging and igmp



  • Hi,

    I've been trying to reduce the number of disk writes in my pfSense VM installation. As part of the process I have tried to identify all places of logging and turn it off, but even though no filter rules are set to log, and I have disabled logging of blocking by the default rule, I still find IGMP packets being logged in filter.log. This is by far the most common location being written to, and I would like to stop it. Can someone advise me on how, and why IGMP packets specifically are being logged?

    Cheers,

    Yax



  • The web GUI doesn't show the default interface firewall rule. All you need to do is add a firewall rule to the relevant interface to quietly (logging disabled) block IGMP traffic.



  • Sorry, I wasn't quite clear. All the logging of IGMP packets that is occurring shows PASS rather than block. I also tried explicitly passing and blocking IGMP, but the packets were still getting logged.



  • You reset states after changing firewall rules? See Diagnostics -> States, click on Reset states tab and read the explanation.

    If that wasn't the problem you had best post a screenshot showing the firewall rules on an appropriate interface.



  • Here's a screenshot of my rules (mostly pass all; note there is no explicit pass or block IGMP rule here, since they were not making any difference).

    Here's an example of the logging that is occurring:

    [2.0.1-RELEASE][root@pfsense]/var/log(21): clog filter.log | tail -n 30
    Sep  3 21:58:41 pfsense pf: 00:01:43.966158 rule 36/8(ip-option): pass in on em1: (tos 0xc0, ttl 1, id 0, offset 0, flags [DF], proto IGMP (2), length 32, options (RA))
    Sep  3 21:58:41 pfsense pf:     0.0.0.0 > 224.0.0.1: igmp query v2
    Sep  3 21:59:02 pfsense pf: 00:00:21.656656 rule 35/8(ip-option): pass in on em0: (tos 0xc0, ttl 1, id 4503, offset 0, flags [DF], proto IGMP (2), length 36, options (RA))
    Sep  3 21:59:02 pfsense pf:     192.168.1.254 > 224.0.0.1: igmp query v3 [max resp time 24s]
    Sep  3 22:00:46 pfsense pf: 00:01:44.409783 rule 36/8(ip-option): pass in on em1: (tos 0xc0, ttl 1, id 0, offset 0, flags [DF], proto IGMP (2), length 32, options (RA))
    Sep  3 22:00:46 pfsense pf:     0.0.0.0 > 224.0.0.1: igmp query v2
    Sep  3 22:01:08 pfsense pf: 00:00:21.213027 rule 35/8(ip-option): pass in on em0: (tos 0xc0, ttl 1, id 4518, offset 0, flags [DF], proto IGMP (2), length 36, options (RA))
    Sep  3 22:01:08 pfsense pf:     192.168.1.254 > 224.0.0.1: igmp query v3 [max resp time 24s]
    Sep  3 22:02:53 pfsense pf: 00:01:44.853574 rule 36/8(ip-option): pass in on em1: (tos 0xc0, ttl 1, id 0, offset 0, flags [DF], proto IGMP (2), length 32, options (RA))
    Sep  3 22:02:53 pfsense pf:     0.0.0.0 > 224.0.0.1: igmp query v2
    Sep  3 22:03:13 pfsense pf: 00:00:20.769396 rule 35/8(ip-option): pass in on em0: (tos 0xc0, ttl 1, id 4519, offset 0, flags [DF], proto IGMP (2), length 36, options (RA))
    Sep  3 22:03:13 pfsense pf:     192.168.1.254 > 224.0.0.1: igmp query v3 [max resp time 24s]
    Sep  3 22:04:59 pfsense pf: 00:01:45.297220 rule 36/8(ip-option): pass in on em1: (tos 0xc0, ttl 1, id 0, offset 0, flags [DF], proto IGMP (2), length 32, options (RA))
    Sep  3 22:04:59 pfsense pf:     0.0.0.0 > 224.0.0.1: igmp query v2
    Sep  3 22:05:19 pfsense pf: 00:00:20.325522 rule 35/8(ip-option): pass in on em0: (tos 0xc0, ttl 1, id 4520, offset 0, flags [DF], proto IGMP (2), length 36, options (RA))
    Sep  3 22:05:19 pfsense pf:     192.168.1.254 > 224.0.0.1: igmp query v3 [max resp time 24s]
    Sep  3 22:06:11 pfsense pf: 00:00:51.448563 rule 36/8(ip-option): pass in on em1: (tos 0x0, ttl 1, id 32069, offset 0, flags [none], proto IGMP (2), length 32, options (RA))
    Sep  3 22:06:11 pfsense pf:     192.168.1.60 > 239.255.255.250: igmp v2 report 239.255.255.250
    Sep  3 22:06:11 pfsense pf: 00:00:00.495508 rule 36/8(ip-option): pass in on em1: (tos 0x0, ttl 1, id 32075, offset 0, flags [none], proto IGMP (2), length 32, options (RA))
    Sep  3 22:06:11 pfsense pf:     192.168.1.60 > 239.255.255.250: igmp v2 report 239.255.255.250
    Sep  3 22:07:05 pfsense pf: 00:00:53.796833 rule 36/8(ip-option): pass in on em1: (tos 0xc0, ttl 1, id 0, offset 0, flags [DF], proto IGMP (2), length 32, options (RA))
    Sep  3 22:07:05 pfsense pf:     0.0.0.0 > 224.0.0.1: igmp query v2
    Sep  3 22:07:13 pfsense pf: 00:00:08.514213 rule 36/8(ip-option): pass in on em1: (tos 0x0, ttl 1, id 625, offset 0, flags [none], proto IGMP (2), length 32, options (RA))
    Sep  3 22:07:13 pfsense pf:     192.168.1.60 > 239.255.255.250: igmp v2 report 239.255.255.250
    Sep  3 22:07:24 pfsense pf: 00:00:11.367854 rule 35/8(ip-option): pass in on em0: (tos 0xc0, ttl 1, id 4521, offset 0, flags [DF], proto IGMP (2), length 36, options (RA))
    Sep  3 22:07:24 pfsense pf:     192.168.1.254 > 224.0.0.1: igmp query v3 [max resp time 24s]
    Sep  3 22:09:11 pfsense pf: 00:01:46.184487 rule 36/8(ip-option): pass in on em1: (tos 0xc0, ttl 1, id 0, offset 0, flags [DF], proto IGMP (2), length 32, options (RA))
    Sep  3 22:09:11 pfsense pf:     0.0.0.0 > 224.0.0.1: igmp query v2
    Sep  3 22:09:18 pfsense pf: 00:00:07.068624 rule 36/8(ip-option): pass in on em1: (tos 0x0, ttl 1, id 911, offset 0, flags [none], proto IGMP (2), length 32, options (RA))
    Sep  3 22:09:18 pfsense pf:     192.168.1.60 > 239.255.255.250: igmp v2 report 239.255.255.250
    [2.0.1-RELEASE][root@pfsense]/var/log(22):
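As an added example (not from the thread), here is a small Python script that parses filter.log header lines of the shape shown above together with `pfctl -sr` rule lines, and reports which rules are producing log entries even though their rule text carries no `log` option, grouped by the pf reason (here `ip-option`). The sample lines are constructed from the thread's output, not a full capture.

```python
import re
from collections import Counter

# Constructed samples: two filter.log entries (header line + payload line each)
# and a few pfctl -sr lines, in the shapes seen in the thread.
FILTER_LOG = """\
Sep  3 21:58:41 pfsense pf: 00:01:43.966158 rule 36/8(ip-option): pass in on em1: (tos 0xc0, ttl 1, id 0, offset 0, flags [DF], proto IGMP (2), length 32, options (RA))
Sep  3 21:58:41 pfsense pf:     0.0.0.0 > 224.0.0.1: igmp query v2
Sep  3 21:59:02 pfsense pf: 00:00:21.656656 rule 35/8(ip-option): pass in on em0: (tos 0xc0, ttl 1, id 4503, offset 0, flags [DF], proto IGMP (2), length 36, options (RA))
Sep  3 21:59:02 pfsense pf:     192.168.1.254 > 224.0.0.1: igmp query v3 [max resp time 24s]
"""
PFCTL_RULES = """\
@0 scrub in on em0 all fragment reassemble
@11 block drop in log quick proto tcp from <sshlockout:0> to any port = ssh label "sshlockout"
@35 pass in quick on em0 reply-to (em0 46.65.13.1) inet all flags S/SA keep state label "USER_RULE"
@36 pass in quick on em1 all flags S/SA keep state label "USER_RULE"
"""

# "rule 36/8(ip-option)" = rule number 36, reason code 8, reason name ip-option
HEADER = re.compile(
    r"rule (?P<rule>\d+)/(?P<code>\d+)\((?P<reason>[\w-]+)\): "
    r"(?P<action>pass|block) (?P<dir>in|out) on (?P<iface>\w+): .*?proto (?P<proto>\w+)")
RULE = re.compile(r"^@(?P<num>\d+) (?P<text>.*)$")

def parse_filter_log(text):
    """One dict per pf header line; the indented payload lines carry no 'rule' and are skipped."""
    return [m.groupdict() for m in (HEADER.search(l) for l in text.splitlines()) if m]

def parse_rules(text):
    """Map filter-rule number -> rule text; scrub rules use a separate @N numbering and are dropped."""
    rules = {}
    for line in text.splitlines():
        m = RULE.match(line)
        if m and not m.group("text").startswith("scrub"):
            rules[int(m.group("num"))] = m.group("text")
    return rules

def logged_without_log_keyword(entries, rules):
    """Rule numbers that produced log lines although the rule text has no 'log' option."""
    hits = Counter(int(e["rule"]) for e in entries)
    return {n: (rules.get(n, "<unknown>"), c) for n, c in hits.items()
            if not re.search(r"\blog\b", rules.get(n, ""))}

def reason_summary(entries):
    """Count log lines per (reason, protocol, interface) to see what fills the log."""
    return Counter((e["reason"], e["proto"], e["iface"]) for e in entries)

if __name__ == "__main__":
    found = logged_without_log_keyword(parse_filter_log(FILTER_LOG), parse_rules(PFCTL_RULES))
    for num, (text, count) in sorted(found.items()):
        print(f"rule {num}: {count} log line(s) but no 'log' keyword -> {text}")
```

Run it against the real files with `clog /var/log/filter.log` and `pfctl -sr` output substituted for the constructed samples; rules that appear here with reason `ip-option` are being logged by pf's IP-options handling rather than by a rule's log flag.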
    
    


  • These logs are from both em1 and em0; which is which?
    Can you post the output from pfctl -sr -vvv?



  • Sorry, I meant to specify em0 is WAN and em1 is LAN

    Requested output:

    [2.0.1-RELEASE][root@pfsense]/root(4): pfctl -sr -vvv
    @0 scrub in on em0 all fragment reassemble
      [ Evaluations: 497486    Packets: 160001    Bytes: 110745702   States: 0     ]
      [ Inserted: uid 0 pid 56080 ]
    @1 scrub in on em1 all fragment reassemble
      [ Evaluations: 246766    Packets: 88532     Bytes: 2985187     States: 0     ]
      [ Inserted: uid 0 pid 56080 ]
    @0 anchor "relayd/*" all
      [ Evaluations: 2657      Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: uid 0 pid 56080 ]
    @1 block drop in all label "Default deny rule"
      [ Evaluations: 2657      Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: uid 0 pid 56080 ]
    @2 block drop out all label "Default deny rule"
      [ Evaluations: 2657      Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: uid 0 pid 56080 ]
    @3 block drop in quick inet6 all
      [ Evaluations: 2657      Packets: 12        Bytes: 864         States: 0     ]
      [ Inserted: uid 0 pid 56080 ]
    @4 block drop out quick inet6 all
      [ Evaluations: 1559      Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: uid 0 pid 56080 ]
    @5 block drop quick proto tcp from any port = 0 to any
      [ Evaluations: 2645      Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: uid 0 pid 56080 ]
    @6 block drop quick proto tcp from any to any port = 0
      [ Evaluations: 1482      Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: uid 0 pid 56080 ]
    @7 block drop quick proto udp from any port = 0 to any
      [ Evaluations: 2645      Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: uid 0 pid 56080 ]
    @8 block drop quick proto udp from any to any port = 0
      [ Evaluations: 1128      Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: uid 0 pid 56080 ]
    @9 block drop quick from <snort2c:0> to any label "Block snort2c hosts"
      [ Evaluations: 2645      Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: uid 0 pid 56080 ]
    @10 block drop quick from any to <snort2c:0> label "Block snort2c hosts"
      [ Evaluations: 2645      Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: uid 0 pid 56080 ]
    @11 block drop in log quick proto tcp from <sshlockout:0> to any port = ssh label "sshlockout"
      [ Evaluations: 2645      Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: uid 0 pid 56080 ]
    @12 block drop in log quick proto tcp from <webconfiguratorlockout:0> to any port = https label "webConfiguratorlockout"
      [ Evaluations: 743       Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: uid 0 pid 56080 ]
    @13 block drop in quick from <virusprot:0> to any label "virusprot overload table"
      [ Evaluations: 1086      Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: uid 0 pid 56080 ]
    @14 block drop in on ! em0 inet from 46.65.13.0/24 to any
      [ Evaluations: 1086      Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: uid 0 pid 56080 ]
    @15 block drop in inet from 46.65.13.55 to any
      [ Evaluations: 1086      Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: uid 0 pid 56080 ]
    @16 block drop in on em0 inet6 from fe80::225:90ff:fe54:5db0 to any
      [ Evaluations: 1086      Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: uid 0 pid 56080 ]
    @17 pass in on em0 proto udp from any port = bootps to any port = bootpc keep state label "allow dhcp client out WAN"
      [ Evaluations: 14        Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: uid 0 pid 56080 ]
    @18 pass out on em0 proto udp from any port = bootpc to any port = bootps keep state label "allow dhcp client out WAN"
      [ Evaluations: 1559      Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: uid 0 pid 56080 ]
    @19 block drop in on ! em1 inet from 192.168.1.0/24 to any
      [ Evaluations: 2645      Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: uid 0 pid 56080 ]
    @20 block drop in inet from 192.168.1.1 to any
      [ Evaluations: 1094      Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: uid 0 pid 56080 ]
    @21 block drop in on em1 inet6 from fe80::225:90ff:fe54:5db1 to any
      [ Evaluations: 1086      Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: uid 0 pid 56080 ]
    @22 pass in quick on em1 inet proto udp from any port = bootpc to 255.255.255.255 port = bootps keep state label "allow access to DHCP server"
      [ Evaluations: 1072      Packets: 2         Bytes: 656         States: 0     ]
      [ Inserted: uid 0 pid 56080 ]
    @23 pass in quick on em1 inet proto udp from any port = bootpc to 192.168.1.1 port = bootps keep state label "allow access to DHCP server"
      [ Evaluations: 1         Packets: 2         Bytes: 656         States: 0     ]
      [ Inserted: uid 0 pid 56080 ]
    @24 pass out quick on em1 inet proto udp from 192.168.1.1 port = bootps to any port = bootpc keep state label "allow access to DHCP server"
      [ Evaluations: 1864      Packets: 2         Bytes: 656         States: 0     ]
      [ Inserted: uid 0 pid 56080 ]
    @25 pass in on lo0 all flags S/SA keep state label "pass loopback"
      [ Evaluations: 2640      Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: uid 0 pid 56080 ]
    @26 pass out on lo0 all flags S/SA keep state label "pass loopback"
      [ Evaluations: 0         Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: uid 0 pid 56080 ]
    @27 pass out all flags S/SA keep state allow-opts label "let out anything from firewall host itself"
      [ Evaluations: 2640      Packets: 36        Bytes: 12276       States: 0     ]
      [ Inserted: uid 0 pid 56080 ]
    @28 pass out route-to (em0 46.65.13.1) inet from 46.65.13.55 to ! 46.65.13.0/24 flags S/SA keep state allow-opts label "let out anything from firewall host itself"
      [ Evaluations: 1557      Packets: 124521    Bytes: 113778300   States: 15    ]
      [ Inserted: uid 0 pid 56080 ]
    @29 pass in quick on em1 proto tcp from any to (em1:2) port = http flags S/SA keep state label "anti-lockout rule"
      [ Evaluations: 2640      Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: uid 0 pid 56080 ]
    @30 pass in quick on em1 proto tcp from any to (em1:2) port = https flags S/SA keep state label "anti-lockout rule"
      [ Evaluations: 1         Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: uid 0 pid 56080 ]
    @31 pass in quick on em1 proto tcp from any to (em1:2) port = ssh flags S/SA keep state label "anti-lockout rule"
      [ Evaluations: 1         Packets: 222       Bytes: 42084       States: 1     ]
      [ Inserted: uid 0 pid 56080 ]
    @32 anchor "userrules/*" all
      [ Evaluations: 2639      Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: uid 0 pid 56080 ]
    @33 pass in quick on em0 reply-to (em0 46.65.13.1) inet proto tcp from any to 192.168.1.63 port = ssh flags S/SA keep state label "USER_RULE: NAT "
      [ Evaluations: 2639      Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: uid 0 pid 56080 ]
    @34 block drop in quick on em0 reply-to (em0 46.65.13.1) inet proto icmp all icmp-type echoreq label "USER_RULE"
      [ Evaluations: 14        Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: uid 0 pid 56080 ]
    @35 pass in quick on em0 reply-to (em0 46.65.13.1) inet all flags S/SA keep state label "USER_RULE"
      [ Evaluations: 14        Packets: 5         Bytes: 284         States: 1     ]
      [ Inserted: uid 0 pid 56080 ]
    @36 pass in quick on em1 all flags S/SA keep state label "USER_RULE"
      [ Evaluations: 1074      Packets: 122547    Bytes: 113572331   States: 15    ]
      [ Inserted: uid 0 pid 56080 ]
    @37 pass in quick on openvpn all flags S/SA keep state label "USER_RULE"
      [ Evaluations: 0         Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: uid 0 pid 56080 ]
    @38 anchor "tftp-proxy/*" all
      [ Evaluations: 1557      Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: uid 0 pid 56080 ]
    @39 anchor "miniupnpd" all
      [ Evaluations: 1557      Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: uid 0 pid 56080 ]
    [2.0.1-RELEASE][root@pfsense]/root(5):
    


  • I've worked around this by running

    rm /var/log/filter.log
    

    This isn't really ideal, however.



  • Was there ever a solution discovered for this? I'm seeing the same thing on my firewall running 2.1-RC1 (i386) (built on Wed Aug 28 16:55:08 EDT 2013)

    Is there code somewhere that forces the system to log if the IP options checkbox is checked under the advanced options on my IGMP rules?

