pf logging and IGMP
-
Hi,
I've been trying to reduce the number of disk writes in my pfSense VM installation. As part of the process I have tried to identify all places of logging and turn it off, but even though no filter rules are set to log, and I have disabled logging of blocking by the default rule, I still find IGMP packets being logged in filter.log. This is by far the most common location being written to, and I would like to stop it. Can someone advise me on how to do this, and on why IGMP packets specifically are being logged?
Cheers,
Yax
-
The web GUI doesn't show the default interface firewall rule. All you need to do is add a firewall rule to the relevant interface to quietly (logging disabled) block IGMP traffic.
-
Sorry, I wasn't quite clear. All the logging of IGMP packets that is occurring shows PASS rather than block. I also tried explicitly passing and blocking IGMP, but the packets were still getting logged.
-
Did you reset states after changing firewall rules? See Diagnostics -> States, click on the Reset states tab and read the explanation.
If that wasn't the problem, you had best post a screenshot showing the firewall rules on an appropriate interface.
-
Here's a screenshot of my rules (mostly pass all; note there is no explicit pass or block IGMP rule here, since they were not making any difference).
Here's an example of the logging that is occurring:
[2.0.1-RELEASE][root@pfsense]/var/log(21): clog filter.log | tail -n 30
Sep 3 21:58:41 pfsense pf: 00:01:43.966158 rule 36/8(ip-option): pass in on em1: (tos 0xc0, ttl 1, id 0, offset 0, flags [DF], proto IGMP (2), length 32, options (RA))
Sep 3 21:58:41 pfsense pf: 0.0.0.0 > 224.0.0.1: igmp query v2
Sep 3 21:59:02 pfsense pf: 00:00:21.656656 rule 35/8(ip-option): pass in on em0: (tos 0xc0, ttl 1, id 4503, offset 0, flags [DF], proto IGMP (2), length 36, options (RA))
Sep 3 21:59:02 pfsense pf: 192.168.1.254 > 224.0.0.1: igmp query v3 [max resp time 24s]
Sep 3 22:00:46 pfsense pf: 00:01:44.409783 rule 36/8(ip-option): pass in on em1: (tos 0xc0, ttl 1, id 0, offset 0, flags [DF], proto IGMP (2), length 32, options (RA))
Sep 3 22:00:46 pfsense pf: 0.0.0.0 > 224.0.0.1: igmp query v2
Sep 3 22:01:08 pfsense pf: 00:00:21.213027 rule 35/8(ip-option): pass in on em0: (tos 0xc0, ttl 1, id 4518, offset 0, flags [DF], proto IGMP (2), length 36, options (RA))
Sep 3 22:01:08 pfsense pf: 192.168.1.254 > 224.0.0.1: igmp query v3 [max resp time 24s]
Sep 3 22:02:53 pfsense pf: 00:01:44.853574 rule 36/8(ip-option): pass in on em1: (tos 0xc0, ttl 1, id 0, offset 0, flags [DF], proto IGMP (2), length 32, options (RA))
Sep 3 22:02:53 pfsense pf: 0.0.0.0 > 224.0.0.1: igmp query v2
Sep 3 22:03:13 pfsense pf: 00:00:20.769396 rule 35/8(ip-option): pass in on em0: (tos 0xc0, ttl 1, id 4519, offset 0, flags [DF], proto IGMP (2), length 36, options (RA))
Sep 3 22:03:13 pfsense pf: 192.168.1.254 > 224.0.0.1: igmp query v3 [max resp time 24s]
Sep 3 22:04:59 pfsense pf: 00:01:45.297220 rule 36/8(ip-option): pass in on em1: (tos 0xc0, ttl 1, id 0, offset 0, flags [DF], proto IGMP (2), length 32, options (RA))
Sep 3 22:04:59 pfsense pf: 0.0.0.0 > 224.0.0.1: igmp query v2
Sep 3 22:05:19 pfsense pf: 00:00:20.325522 rule 35/8(ip-option): pass in on em0: (tos 0xc0, ttl 1, id 4520, offset 0, flags [DF], proto IGMP (2), length 36, options (RA))
Sep 3 22:05:19 pfsense pf: 192.168.1.254 > 224.0.0.1: igmp query v3 [max resp time 24s]
Sep 3 22:06:11 pfsense pf: 00:00:51.448563 rule 36/8(ip-option): pass in on em1: (tos 0x0, ttl 1, id 32069, offset 0, flags [none], proto IGMP (2), length 32, options (RA))
Sep 3 22:06:11 pfsense pf: 192.168.1.60 > 239.255.255.250: igmp v2 report 239.255.255.250
Sep 3 22:06:11 pfsense pf: 00:00:00.495508 rule 36/8(ip-option): pass in on em1: (tos 0x0, ttl 1, id 32075, offset 0, flags [none], proto IGMP (2), length 32, options (RA))
Sep 3 22:06:11 pfsense pf: 192.168.1.60 > 239.255.255.250: igmp v2 report 239.255.255.250
Sep 3 22:07:05 pfsense pf: 00:00:53.796833 rule 36/8(ip-option): pass in on em1: (tos 0xc0, ttl 1, id 0, offset 0, flags [DF], proto IGMP (2), length 32, options (RA))
Sep 3 22:07:05 pfsense pf: 0.0.0.0 > 224.0.0.1: igmp query v2
Sep 3 22:07:13 pfsense pf: 00:00:08.514213 rule 36/8(ip-option): pass in on em1: (tos 0x0, ttl 1, id 625, offset 0, flags [none], proto IGMP (2), length 32, options (RA))
Sep 3 22:07:13 pfsense pf: 192.168.1.60 > 239.255.255.250: igmp v2 report 239.255.255.250
Sep 3 22:07:24 pfsense pf: 00:00:11.367854 rule 35/8(ip-option): pass in on em0: (tos 0xc0, ttl 1, id 4521, offset 0, flags [DF], proto IGMP (2), length 36, options (RA))
Sep 3 22:07:24 pfsense pf: 192.168.1.254 > 224.0.0.1: igmp query v3 [max resp time 24s]
Sep 3 22:09:11 pfsense pf: 00:01:46.184487 rule 36/8(ip-option): pass in on em1: (tos 0xc0, ttl 1, id 0, offset 0, flags [DF], proto IGMP (2), length 32, options (RA))
Sep 3 22:09:11 pfsense pf: 0.0.0.0 > 224.0.0.1: igmp query v2
Sep 3 22:09:18 pfsense pf: 00:00:07.068624 rule 36/8(ip-option): pass in on em1: (tos 0x0, ttl 1, id 911, offset 0, flags [none], proto IGMP (2), length 32, options (RA))
Sep 3 22:09:18 pfsense pf: 192.168.1.60 > 239.255.255.250: igmp v2 report 239.255.255.250
[2.0.1-RELEASE][root@pfsense]/var/log(22):
-
These logs are from both em1 and em0, which is which?
Can you post the output from pfctl -sr -vvv?
-
Sorry, I meant to specify em0 is WAN and em1 is LAN
Requested output:
[2.0.1-RELEASE][root@pfsense]/root(4): pfctl -sr -vvv
@0 scrub in on em0 all fragment reassemble
  [ Evaluations: 497486 Packets: 160001 Bytes: 110745702 States: 0 ] [ Inserted: uid 0 pid 56080 ]
@1 scrub in on em1 all fragment reassemble
  [ Evaluations: 246766 Packets: 88532 Bytes: 2985187 States: 0 ] [ Inserted: uid 0 pid 56080 ]
@0 anchor "relayd/*" all
  [ Evaluations: 2657 Packets: 0 Bytes: 0 States: 0 ] [ Inserted: uid 0 pid 56080 ]
@1 block drop in all label "Default deny rule"
  [ Evaluations: 2657 Packets: 0 Bytes: 0 States: 0 ] [ Inserted: uid 0 pid 56080 ]
@2 block drop out all label "Default deny rule"
  [ Evaluations: 2657 Packets: 0 Bytes: 0 States: 0 ] [ Inserted: uid 0 pid 56080 ]
@3 block drop in quick inet6 all
  [ Evaluations: 2657 Packets: 12 Bytes: 864 States: 0 ] [ Inserted: uid 0 pid 56080 ]
@4 block drop out quick inet6 all
  [ Evaluations: 1559 Packets: 0 Bytes: 0 States: 0 ] [ Inserted: uid 0 pid 56080 ]
@5 block drop quick proto tcp from any port = 0 to any
  [ Evaluations: 2645 Packets: 0 Bytes: 0 States: 0 ] [ Inserted: uid 0 pid 56080 ]
@6 block drop quick proto tcp from any to any port = 0
  [ Evaluations: 1482 Packets: 0 Bytes: 0 States: 0 ] [ Inserted: uid 0 pid 56080 ]
@7 block drop quick proto udp from any port = 0 to any
  [ Evaluations: 2645 Packets: 0 Bytes: 0 States: 0 ] [ Inserted: uid 0 pid 56080 ]
@8 block drop quick proto udp from any to any port = 0
  [ Evaluations: 1128 Packets: 0 Bytes: 0 States: 0 ] [ Inserted: uid 0 pid 56080 ]
@9 block drop quick from <snort2c:0> to any label "Block snort2c hosts"
  [ Evaluations: 2645 Packets: 0 Bytes: 0 States: 0 ] [ Inserted: uid 0 pid 56080 ]
@10 block drop quick from any to <snort2c:0> label "Block snort2c hosts"
  [ Evaluations: 2645 Packets: 0 Bytes: 0 States: 0 ] [ Inserted: uid 0 pid 56080 ]
@11 block drop in log quick proto tcp from <sshlockout:0> to any port = ssh label "sshlockout"
  [ Evaluations: 2645 Packets: 0 Bytes: 0 States: 0 ] [ Inserted: uid 0 pid 56080 ]
@12 block drop in log quick proto tcp from <webconfiguratorlockout:0> to any port = https label "webConfiguratorlockout"
  [ Evaluations: 743 Packets: 0 Bytes: 0 States: 0 ] [ Inserted: uid 0 pid 56080 ]
@13 block drop in quick from <virusprot:0> to any label "virusprot overload table"
  [ Evaluations: 1086 Packets: 0 Bytes: 0 States: 0 ] [ Inserted: uid 0 pid 56080 ]
@14 block drop in on ! em0 inet from 46.65.13.0/24 to any
  [ Evaluations: 1086 Packets: 0 Bytes: 0 States: 0 ] [ Inserted: uid 0 pid 56080 ]
@15 block drop in inet from 46.65.13.55 to any
  [ Evaluations: 1086 Packets: 0 Bytes: 0 States: 0 ] [ Inserted: uid 0 pid 56080 ]
@16 block drop in on em0 inet6 from fe80::225:90ff:fe54:5db0 to any
  [ Evaluations: 1086 Packets: 0 Bytes: 0 States: 0 ] [ Inserted: uid 0 pid 56080 ]
@17 pass in on em0 proto udp from any port = bootps to any port = bootpc keep state label "allow dhcp client out WAN"
  [ Evaluations: 14 Packets: 0 Bytes: 0 States: 0 ] [ Inserted: uid 0 pid 56080 ]
@18 pass out on em0 proto udp from any port = bootpc to any port = bootps keep state label "allow dhcp client out WAN"
  [ Evaluations: 1559 Packets: 0 Bytes: 0 States: 0 ] [ Inserted: uid 0 pid 56080 ]
@19 block drop in on ! em1 inet from 192.168.1.0/24 to any
  [ Evaluations: 2645 Packets: 0 Bytes: 0 States: 0 ] [ Inserted: uid 0 pid 56080 ]
@20 block drop in inet from 192.168.1.1 to any
  [ Evaluations: 1094 Packets: 0 Bytes: 0 States: 0 ] [ Inserted: uid 0 pid 56080 ]
@21 block drop in on em1 inet6 from fe80::225:90ff:fe54:5db1 to any
  [ Evaluations: 1086 Packets: 0 Bytes: 0 States: 0 ] [ Inserted: uid 0 pid 56080 ]
@22 pass in quick on em1 inet proto udp from any port = bootpc to 255.255.255.255 port = bootps keep state label "allow access to DHCP server"
  [ Evaluations: 1072 Packets: 2 Bytes: 656 States: 0 ] [ Inserted: uid 0 pid 56080 ]
@23 pass in quick on em1 inet proto udp from any port = bootpc to 192.168.1.1 port = bootps keep state label "allow access to DHCP server"
  [ Evaluations: 1 Packets: 2 Bytes: 656 States: 0 ] [ Inserted: uid 0 pid 56080 ]
@24 pass out quick on em1 inet proto udp from 192.168.1.1 port = bootps to any port = bootpc keep state label "allow access to DHCP server"
  [ Evaluations: 1864 Packets: 2 Bytes: 656 States: 0 ] [ Inserted: uid 0 pid 56080 ]
@25 pass in on lo0 all flags S/SA keep state label "pass loopback"
  [ Evaluations: 2640 Packets: 0 Bytes: 0 States: 0 ] [ Inserted: uid 0 pid 56080 ]
@26 pass out on lo0 all flags S/SA keep state label "pass loopback"
  [ Evaluations: 0 Packets: 0 Bytes: 0 States: 0 ] [ Inserted: uid 0 pid 56080 ]
@27 pass out all flags S/SA keep state allow-opts label "let out anything from firewall host itself"
  [ Evaluations: 2640 Packets: 36 Bytes: 12276 States: 0 ] [ Inserted: uid 0 pid 56080 ]
@28 pass out route-to (em0 46.65.13.1) inet from 46.65.13.55 to ! 46.65.13.0/24 flags S/SA keep state allow-opts label "let out anything from firewall host itself"
  [ Evaluations: 1557 Packets: 124521 Bytes: 113778300 States: 15 ] [ Inserted: uid 0 pid 56080 ]
@29 pass in quick on em1 proto tcp from any to (em1:2) port = http flags S/SA keep state label "anti-lockout rule"
  [ Evaluations: 2640 Packets: 0 Bytes: 0 States: 0 ] [ Inserted: uid 0 pid 56080 ]
@30 pass in quick on em1 proto tcp from any to (em1:2) port = https flags S/SA keep state label "anti-lockout rule"
  [ Evaluations: 1 Packets: 0 Bytes: 0 States: 0 ] [ Inserted: uid 0 pid 56080 ]
@31 pass in quick on em1 proto tcp from any to (em1:2) port = ssh flags S/SA keep state label "anti-lockout rule"
  [ Evaluations: 1 Packets: 222 Bytes: 42084 States: 1 ] [ Inserted: uid 0 pid 56080 ]
@32 anchor "userrules/*" all
  [ Evaluations: 2639 Packets: 0 Bytes: 0 States: 0 ] [ Inserted: uid 0 pid 56080 ]
@33 pass in quick on em0 reply-to (em0 46.65.13.1) inet proto tcp from any to 192.168.1.63 port = ssh flags S/SA keep state label "USER_RULE: NAT "
  [ Evaluations: 2639 Packets: 0 Bytes: 0 States: 0 ] [ Inserted: uid 0 pid 56080 ]
@34 block drop in quick on em0 reply-to (em0 46.65.13.1) inet proto icmp all icmp-type echoreq label "USER_RULE"
  [ Evaluations: 14 Packets: 0 Bytes: 0 States: 0 ] [ Inserted: uid 0 pid 56080 ]
@35 pass in quick on em0 reply-to (em0 46.65.13.1) inet all flags S/SA keep state label "USER_RULE"
  [ Evaluations: 14 Packets: 5 Bytes: 284 States: 1 ] [ Inserted: uid 0 pid 56080 ]
@36 pass in quick on em1 all flags S/SA keep state label "USER_RULE"
  [ Evaluations: 1074 Packets: 122547 Bytes: 113572331 States: 15 ] [ Inserted: uid 0 pid 56080 ]
@37 pass in quick on openvpn all flags S/SA keep state label "USER_RULE"
  [ Evaluations: 0 Packets: 0 Bytes: 0 States: 0 ] [ Inserted: uid 0 pid 56080 ]
@38 anchor "tftp-proxy/*" all
  [ Evaluations: 1557 Packets: 0 Bytes: 0 States: 0 ] [ Inserted: uid 0 pid 56080 ]
@39 anchor "miniupnpd" all
  [ Evaluations: 1557 Packets: 0 Bytes: 0 States: 0 ] [ Inserted: uid 0 pid 56080 ]
[2.0.1-RELEASE][root@pfsense]/root(5):
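Editor's note with an added example (not part of the thread, and not pfSense's own code). Two details in the output above explain the entries. First, every logged header reads rule 36/8(ip-option) or rule 35/8(ip-option), not the rule N/0(match) of an ordinary entry: the number after the slash is pf's numeric reason code (0 is PFRES_MATCH, 8 is PFRES_IPOPTIONS). Second, the ruleset shows @35 and @36 with keep state but no allow-opts and no log keyword, while @27 and @28 do carry allow-opts. The IGMP queries and reports carry the Router Alert option (options (RA)) that IGMPv2/v3 require, and pf drops a packet carrying IP options that matched a pass rule without allow-opts; it logs that drop under the reason ip-option with the matching rule's action in the action column, which is why the entries say pass although the packets never got through, and why they appear although neither rule logs. Setting the IP Options advanced option on the pass rule (pfSense renders it as allow-opts) lets the IGMP traffic through and takes away the reason for the entries. The Python below, written for this page, parses the two-line log layout and the pfctl -sr -vvv listing, reports the effective action per entry, and prints the rule as pfctl would show it with allow-opts. The log layout and reason-code meanings are assumptions drawn from the posted output; the sample IGMP lines are copied from the thread and the TCP entry is hypothetical.

```python
"""Added example (not from the thread, not pfSense code): parse pfSense 2.0.x
filter.log entries and a `pfctl -sr -vvv` listing, report what pf actually
did with each logged packet, and show a pass rule as it reads with allow-opts.
Assumed from the posted output: the two-line log layout, `rule <n>/<code>(<reason>)`
where <code> is pf's reason number (0 = match, 8 = ip-option), listing lines `@<n> `."""
import re
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample: two entries copied from the thread plus one
# hypothetical ordinary "match" entry (rule 1, TCP) for contrast.
FILTER_LOG = """\
Sep 3 21:58:41 pfsense pf: 00:01:43.966158 rule 36/8(ip-option): pass in on em1: (tos 0xc0, ttl 1, id 0, offset 0, flags [DF], proto IGMP (2), length 32, options (RA))
Sep 3 21:58:41 pfsense pf: 0.0.0.0 > 224.0.0.1: igmp query v2
Sep 3 21:59:02 pfsense pf: 00:00:21.656656 rule 35/8(ip-option): pass in on em0: (tos 0xc0, ttl 1, id 4503, offset 0, flags [DF], proto IGMP (2), length 36, options (RA))
Sep 3 21:59:02 pfsense pf: 192.168.1.254 > 224.0.0.1: igmp query v3 [max resp time 24s]
Sep 3 22:10:00 pfsense pf: 00:00:49.000000 rule 1/0(match): block in on em0: (tos 0x0, ttl 64, id 1, offset 0, flags [DF], proto TCP (6), length 60)
Sep 3 22:10:00 pfsense pf: 198.51.100.7.4444 > 46.65.13.55.23: Flags [S], seq 1, win 65535, length 0
"""

# Constructed excerpt of the thread's listing; rule 27 already has allow-opts.
PFCTL_RULES = """\
@1 block drop in all label "Default deny rule"
  [ Evaluations: 2657      Packets: 0         Bytes: 0           States: 0     ]
  [ Inserted: uid 0 pid 56080 ]
@27 pass out all flags S/SA keep state allow-opts label "let out anything from firewall host itself"
@35 pass in quick on em0 reply-to (em0 46.65.13.1) inet all flags S/SA keep state label "USER_RULE"
@36 pass in quick on em1 all flags S/SA keep state label "USER_RULE"
"""

TS = r"\w{3} +\d+ \d\d:\d\d:\d\d"
HEADER_RE = re.compile(
    rf"^(?P<ts>{TS}) \S+ pf: \S+ rule (?P<rule>\d+)/(?P<code>\d+)\((?P<reason>[\w-]+)\): "
    r"(?P<action>pass|block) (?:in|out) on (?P<iface>[^:]+): \((?P<ipinfo>.*)\)$")
PACKET_RE = re.compile(rf"^(?P<ts>{TS}) \S+ pf: (?P<src>\S+) > (?P<dst>[^:]+): ")
RULE_RE = re.compile(r"^@(?P<num>\d+) (?P<text>\S.*)$")


@dataclass
class LogEntry:
    timestamp: str
    rule: int
    reason_code: int
    reason: str
    logged_action: str   # pflog records the matching rule's action here
    iface: str
    proto: str
    ip_options: str      # "RA" = Router Alert, which IGMP carries; "" if none
    src: str = ""
    dst: str = ""

    @property
    def effective_action(self) -> str:
        # Only reason 0 (match) means the rule's own verdict was applied;
        # ip-option is a drop pf performs itself when a packet carrying IP
        # options matched a pass rule that has no allow-opts.
        if self.reason_code == 0:
            return self.logged_action
        return "drop" if self.reason == "ip-option" else "not a plain match (%s)" % self.reason


def parse_log(text: str) -> List[LogEntry]:
    entries: List[LogEntry] = []
    for line in text.splitlines():
        h = HEADER_RE.match(line)
        if h:
            proto = re.search(r"proto (\w+)", h["ipinfo"])
            opts = re.search(r"options \(([^)]*)\)", h["ipinfo"])
            entries.append(LogEntry(h["ts"], int(h["rule"]), int(h["code"]), h["reason"],
                                    h["action"], h["iface"], proto[1] if proto else "?",
                                    opts[1] if opts else ""))
            continue
        p = PACKET_RE.match(line)
        if p and entries and not entries[-1].src:  # the packet line follows its header
            entries[-1].src, entries[-1].dst = p["src"], p["dst"]
    return entries


def parse_rules(text: str) -> Dict[int, str]:
    return {int(m["num"]): m["text"] for m in map(RULE_RE.match, text.splitlines()) if m}


def with_allow_opts(rule_text: str) -> str:
    """Rule as pfctl prints it with allow-opts set: right after the state keywords."""
    if "allow-opts" in rule_text or "keep state" not in rule_text:
        return rule_text
    return rule_text.replace("keep state", "keep state allow-opts", 1)


def report(log_text: str, rules_text: str) -> List[dict]:
    rules = parse_rules(rules_text)
    out = []
    for e in parse_log(log_text):
        rule_text = rules.get(e.rule, "")
        out.append({
            "time": e.timestamp, "rule": e.rule, "iface": e.iface, "proto": e.proto,
            "flow": f"{e.src} > {e.dst}", "logged": e.logged_action,
            "effective": e.effective_action,
            "rule_has_log": " log " in f" {rule_text} ",  # rules 35 and 36: False
            "fix": with_allow_opts(rule_text) if e.reason == "ip-option" and rule_text else None,
        })
    return out


if __name__ == "__main__":
    for f in report(FILTER_LOG, PFCTL_RULES):
        print(f"{f['time']} rule {f['rule']} {f['iface']} {f['proto']} {f['flow']}: "
              f"logged={f['logged']} effective={f['effective']} fix={f['fix']}")
```

Run against the two IGMP entries it reports logged=pass but effective=drop and prints rule @36 as `pass in quick on em1 all flags S/SA keep state allow-opts label "USER_RULE"`, which is the form the thread's own rules @27 and @28 already have; the hypothetical rule 1 entry keeps its logged verdict because its reason code is 0. The `rule_has_log` field makes the second point visible: the rules behind these entries carry no log keyword, so turning logging off on them cannot silence entries that pf writes for its own ip-option drops.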
-
I've worked around this by running
rm /var/log/filter.log
This isn't really ideal, however.
-
Was there ever a solution discovered for this? I'm seeing the same thing on my firewall running 2.1-RC1 (i386) (built on Wed Aug 28 16:55:08 EDT 2013)
Is there code somewhere that forces the system to log if the IP options checkbox is checked under the advanced options on my IGMP rules?