Stop firewall from logging blocked IPv6 multicast traffic



  • 2.1-BETA1 (amd64)
    built on Fri May 17 16:45:31 EDT 2013
    FreeBSD 8.3-RELEASE-p8

    Hello,

    Is there any way I could stop the firewall from logging LAN blocked IPv6 multicast traffic, see screenshot. My firewall log is flooded with these alerts.

    Thanks



  • If you're on 2.1, add a firewall rule on LAN to block and not log. If you're not on 2.1, not possible.



  • Thanks cmb.

    I'm running 2.1 built on Fri May 17 16:45:31 EDT 2013.  I added the rule you suggested but I'm still getting those alerts. See my attached firewall rule.

    ![Capture 2.PNG](/public/imported_attachments/1/Capture 2.PNG)


  • Rebel Alliance

    Perhaps you can remove your "created" rule  & try with  the "Easy Rule" (just Click on the + sign)

    ![Easy Rule.PNG](/public/imported_attachments/1/Easy Rule.PNG)



  • thanks ptt.

    Tried what you suggested as well but after a couple of minutes, my firewall log was flooded again with the alerts. Attached is the "Easy Rule" that was created.

    ![Capture 3.PNG](/public/imported_attachments/1/Capture 3.PNG)


  • Rebel Alliance

    Ok, I'm not using IPv6 & I'm not an expert on that, but maybe the Block Rule that cmb has suggested should be something like this…. (If I'm not wrong)

    ![IPv6 MCAST Block Rule.PNG](/public/imported_attachments/1/IPv6 MCAST Block Rule.PNG)
    ![FW LAN Rules.PNG](/public/imported_attachments/1/FW LAN Rules.PNG)



  • Ok, I gave that rule a try but no go, alerts still coming through.

    ![Capture 4.PNG](/public/imported_attachments/1/Capture 4.PNG)



  • Click on the X in the firewall log, which rule is blocking it?



  • This is what I get when clicking on the "X" (first screenshot), and if I click on the "X" a second time an additional option is given, "Prevent this page from creating additional dialogs", along with the rules that triggered the alert.

    These alerts started after enabling Snort on the LAN interface. Disabling Snort on the LAN interface stops these alerts on the firewall.



  • Oh you have block all v6 enabled. You'll have to disable that under System>Advanced, Firewall/NAT, then you can add a floating rule that does the same but without logging (applies to all interfaces) or individually on the interfaces.



  • Thanks cmb

    Is this what you mean by enabling IPv6? How does this look for the floating rule?

    Thanks



    ![Floating Rule2.jpg](/public/imported_attachments/1/Floating Rule2.jpg)



  • Ok, I enabled IPv6 and instead of the floating rule I block it individually on each interface. Seems to be working, no more flooded logs.

    Thanks cmb

    Update:

    I noticed that I'm getting this every 15 minutes in my system log "php: : Could not find IPv6 gateway for interface(wan)."

    Can I safely ignore this? I do have a "Block All IPv6 traffic" on the WAN interface.

    Update 2:

    I removed all my individual block rules for IPv6  on each interface and created the floating rule I have in my previous post. This seems better, I'm not getting the "php: : Could not find IPv6 gateway for interface(wan)" on the system log any more and the firewall logs are not flooded as well.

    Why would the floating rule give me different results than creating a block rule on each interface?



  • @cmb:

    Oh you have block all v6 enabled. You'll have to disable that under System>Advanced, Firewall/NAT, then you can add a floating rule that does the same but without logging (applies to all interfaces) or individually on the interfaces.

    I know, I'm just getting back to cleaning up my firewall logs….bumping an old post.  This is what fixed my problem.  It was actually under advanced, Networking for me.  I enabled "Allow IPv6".  Created the floating rule to block and now my logs are not filled with ICMPv6 blocks.



  • I know, I'm just getting back to cleaning up my firewall logs….bumping an old post.  This is what fixed my problem.  It was actually under advanced, Networking for me.  I enabled "Allow IPv6".  Created the floating rule to block and now my logs are not filled with ICMPv6 blocks.

    I did exactly that, and created the floating rule, hoping I finally had gotten rid of this most irritating problem, but for me it did not work( ??? :-[ :'()

    What am I doing wrong, would anybody happen to know that?




  • Hmmm, I've been poking around some more. It turns out I have 'block bogon networks' activated on LAN, and I have now disabled 'log block bogon network' in the log settings. Let's see if this helps.



  • @Hollander:

    Hmmm, I've been poking around some more. It turns out I have 'block bogon networks' activated on LAN, and I have now disabled 'log block bogon network' in the log settings. Let's see if this helps.

    Not that I exactly understand what I did ( ;D) but these most irritating messages are now gone. A screenshot of my rules in case anybody else is fighting with this problem also in the future:




  • Grrrr  >:(

    Well that worked for 1 day or so, now we have other messages trolling the system log as per the first screenshot.

    I messed around with my firewall, I think these rules should prevent these trolling messages, but obviously they don't (screenshot 2).

    Would anybody happen to know what I am doing wrong here?

    I'm getting so depressed  :-\

    Thank you  ;D




  • Floating rule worked for me! It was very very annoying, thanks  :D

    2.1.2-RELEASE (i386)
    Cheers! ;D
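The diagnostic step cmb suggests above ("click on the X in the firewall log, which rule is blocking it?") can also be done against the raw log when the GUI is too flooded to read. The script below is an added example, not code from the thread or from the pfSense project. It assumes the CSV layout that the pfSense 2.2+ `filterlog` process writes (rule number, sub-rule, anchor, tracker, interface, reason, action, direction, IP version, then the per-family header fields); the field indices are an assumption and the 2.1 beta in the thread may lay the line out differently, so check one of your own lines before trusting them. The log lines embedded in it are constructed, not taken from the screenshots.

```python
import ipaddress
from collections import Counter

# Field positions assumed for the pfSense 2.2+ filterlog CSV (assumption: older
# builds such as the 2.1 beta in the thread may use a different layout; compare
# against a real line from /var/log/filter.log before relying on these).
COMMON = {"rule": 0, "subrule": 1, "anchor": 2, "tracker": 3, "iface": 4,
          "reason": 5, "action": 6, "dir": 7, "ipver": 8}
# IPv6 header: class, flow-label, hop-limit, protocol-id, protocol-text, length, src, dst
V6 = {"proto": 13, "src": 15, "dst": 16}
# IPv4 header: tos, ecn, ttl, id, offset, flags, protocol-id, protocol-text, length, src, dst
V4 = {"proto": 16, "src": 18, "dst": 19}

# Constructed sample syslog lines (not from the thread). Rule 5 on em1 plays the
# role of the logged catch-all that floods the log with LAN multicast blocks.
SAMPLE_LOG = """\
May 18 09:00:01 pfsense filterlog: 5,,,1000000003,em1,match,block,in,6,0x00,0x00000,1,58,ICMPv6,32,fe80::1c4f:abff:fe12:3456,ff02::1,
May 18 09:00:02 pfsense filterlog: 5,,,1000000003,em1,match,block,in,6,0x00,0x00000,1,58,ICMPv6,72,fe80::1c4f:abff:fe12:3456,ff02::16,
May 18 09:00:05 pfsense filterlog: 5,,,1000000003,em1,match,block,in,6,0x00,0x00000,255,58,ICMPv6,64,fe80::2aa:bbff:fecc:dd01,ff02::1:ff12:3456,
May 18 09:00:07 pfsense filterlog: 9,,,1000000101,em0,match,block,in,4,0x0,,64,12345,0,DF,6,tcp,60,203.0.113.7,198.51.100.2,4444,22,0,S,1,,65535,,mss
May 18 09:00:09 pfsense filterlog: 5,,,1000000003,em1,match,block,in,6,0x00,0x00000,1,17,udp,210,fe80::1c4f:abff:fe12:3456,ff02::fb,5353,5353,190
May 18 09:00:11 pfsense filterlog: 12,,,1000000200,em1,match,pass,out,6,0x00,0x00000,64,17,udp,90,2001:db8:1::10,2001:db8:1::1,40000,53,70
"""


def parse_filterlog(line):
    """Parse one syslog line written by filterlog; return None for any other line."""
    if "filterlog: " not in line:
        return None
    fields = line.split("filterlog: ", 1)[1].split(",")
    try:
        rec = {name: fields[i] for name, i in COMMON.items()}
        layout = V6 if rec["ipver"] == "6" else V4 if rec["ipver"] == "4" else None
        if layout is None:
            return None
        rec.update({name: fields[i] for name, i in layout.items()})
    except IndexError:
        return None  # truncated line, skip it rather than guess
    return rec


def multicast_scope(addr):
    """Name the IPv6 multicast scope of addr (ff0S::/16 scope nibble), or None if not multicast."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return None
    if ip.version != 6 or not ip.is_multicast:
        return None
    scope = (int(ip) >> 112) & 0xF  # low nibble of the first 16 bits
    return {1: "interface-local", 2: "link-local", 5: "site-local",
            8: "org-local", 14: "global"}.get(scope, "other")


def summarize_blocked_multicast(log_text):
    """Count logged IPv6 multicast blocks per (interface, rule, tracker) and per
    destination, so the one rule generating the flood stands out."""
    per_rule, per_dst = Counter(), Counter()
    blocked = 0
    for line in log_text.splitlines():
        rec = parse_filterlog(line)
        if rec is None or rec["action"] != "block":
            continue
        blocked += 1
        scope = multicast_scope(rec["dst"]) if rec["ipver"] == "6" else None
        if scope:
            per_rule[(rec["iface"], rec["rule"], rec["tracker"])] += 1
            per_dst[(rec["dst"], scope, rec["proto"])] += 1
    return {"blocked": blocked, "per_rule": per_rule, "per_dst": per_dst}


if __name__ == "__main__":
    s = summarize_blocked_multicast(SAMPLE_LOG)
    print(f"{s['blocked']} blocked packets, {sum(s['per_rule'].values())} of them to IPv6 multicast")
    for (iface, rule, tracker), n in s["per_rule"].most_common():
        print(f"  {n:4d}  iface={iface} rule={rule} tracker={tracker}")
    for (dst, scope, proto), n in s["per_dst"].most_common():
        print(f"  {n:4d}  {proto:6s} -> {dst} ({scope})")
```

Run it over a copy of the filter log instead of `SAMPLE_LOG` and the busiest `(iface, rule, tracker)` key is the rule whose logging is the problem; in the thread that turned out to be the system-generated "Block all IPv6" rule and, for the second poster, the logged bogon block, neither of which a user-created LAN rule could silence until the option itself was disabled or its logging switched off. Nearly all of the destinations will be `ff02::/16` (link-local scope: all-nodes, MLD, solicited-node and mDNS groups), which is normal neighbour-discovery chatter on any IPv6-enabled LAN and is safe to block without logging.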