IGMP logs make pf logs mess
-
Hi guys, I have been using pfSense 2.1 for a while and spending time to learn it, however I couldn't find a solution for the spoofing IGMP logs.
In system logs-> firewall the output is as follows.
Although, I set a firewall rule to top of the rules list to block any to any IGMP packets without loging, pfSense generates these IGMP logs.
I also have the same problem in netbios TCP 138 port.
do you have any idea?
-
the source is private, did you put the rule on the correct interface? em0 doesn't tell me if that is wan or lan. But since private I would guess lan?
On wan the default block private should be blocking that anyway you would think. Unless you unchecked that?
-
em0 -> WAN
em1 -> LANIn firewall logs, pfSense indicates the WAN port sometimes as "WAN" and other times as "em0" I don't know why it is like that.
Here is my WAN Rules
so it should be blocked but not generate any log
-
Try changing the source to that 192.168.0.1 IP for your IGMP rule. For some reason its not matching that rule?
Also what if you put in 224.0.0.1 as dest?
I don't see any igmp traffic in my logs so kind of hard to test, nor anything to 137-139 either.
-
I've already tried setting source and destination ports but didn't work also.
-
when I disabled the "Block private networks" option on WAN IGMP logs stoped. This is strange.
Even if there is a bad config on my ISP side, It was able to disable logging.
-
when I disabled the "Block private networks" option on WAN IGMP logs stoped. This is strange.
Even if there is a bad config on my ISP side, It was able to disable logging.
Sorry, I've just realize that disabling the "Block private networks" option on WAN solves the problem
-
Yeah doesn't look like you can turn logging on or off for that block private rule - so it must log by default, like the normal default rule does. If you look at the block private rules using pfctl -sa
http://doc.pfsense.org/index.php/How_can_I_see_the_full_PF_ruleset
block drop in log quick on em1 inet from 192.168.0.0/16 to any label "Block private networks from WAN block 192.168/16"
btw what change did you make to show rule in the firewall log, I have to click on the block X to see what rule number(s) Maybe your not seeing all the rules that got triggered?
I am running
2.1-BETA0 (i386)
built on Fri Nov 2 10:50:45 EDT 2012
FreeBSD 8.3-RELEASE-p4And my firewall log doesn't show the rules, is it in a newer snap? I normally update every couple of weeks and run git sync every few days.
-
btw what change did you make to show rule in the firewall log, I have to click on the block X to see what rule number(s) Maybe your not seeing all the rules that got triggered?
System Logs, Settings, Filter Descriptions - pick "Display as column" or "Display as second row"
That's a nice little enhancement that was added a month or 2 ago. -
Yeah doesn't look like you can turn logging on or off for that block private rule - so it must log by default, like the normal default rule does. If you look at the block private rules using pfctl -sa
http://doc.pfsense.org/index.php/How_can_I_see_the_full_PF_ruleset
block drop in log quick on em1 inet from 192.168.0.0/16 to any label "Block private networks from WAN block 192.168/16"
And my firewall log doesn't show the rules, is it in a newer snap? I normally update every couple of weeks and run git sync every few days.
Thanks Johnpoz.
Seems that there is miss configuration on the ISP side and they are broadcasting IGMP packets on the end networks which end users are connected.
Is there any way to change full PF rullset. Is it written on a file? -
http://doc.pfsense.org/index.php/How_can_I_edit_the_PF_ruleset
I would assume you could edit them with pfctl if you wanted - but wouldn't survive reboot, etc.