Netgate Discussion Forum

    Stop firewall from logging blocked IPv6 multicast traffic

    Firewalling
    18 Posts 6 Posters 13.1k Views
    pareddefuego13

      2.1-BETA1 (amd64)
      built on Fri May 17 16:45:31 EDT 2013
      FreeBSD 8.3-RELEASE-p8

      Hello,

      Is there any way I could stop the firewall from logging LAN blocked IPv6 multicast traffic, see screenshot. My firewall log is flooded with these alerts.

      Thanks
      Capture.PNG

      cmb

        If you're on 2.1, add a firewall rule on LAN to block and not log. If you're not on 2.1, not possible.

        pareddefuego13

          Thanks cmb.

          I'm running 2.1 built on Fri May 17 16:45:31 EDT 2013. I added the rule you suggested but I'm still getting those alerts. See my attached firewall rule.

          ![Capture 2.PNG](/public/imported_attachments/1/Capture 2.PNG)

          ptt (Rebel Alliance)

            Perhaps you can remove your "created" rule and try with the "Easy Rule" (just click on the + sign).

            ![Easy Rule.PNG](/public/imported_attachments/1/Easy Rule.PNG)

            pareddefuego13

              Thanks ptt.

              Tried what you suggested as well but after a couple of minutes, my firewall log was flooded again with the alerts. Attached is the "Easy Rule" that was created.

              ![Capture 3.PNG](/public/imported_attachments/1/Capture 3.PNG)

              ptt (Rebel Alliance)

                Ok, I'm not using IPv6 and I'm not an expert on that, but maybe the block rule that cmb suggested should be something like this... (if I'm not wrong)

                ![IPv6 MCAST Block Rule.PNG](/public/imported_attachments/1/IPv6 MCAST Block Rule.PNG)
                ![FW LAN Rules.PNG](/public/imported_attachments/1/FW LAN Rules.PNG)

                pareddefuego13

                  Ok, I gave that rule a try but no go, alerts still coming through.

                  ![Capture 4.PNG](/public/imported_attachments/1/Capture 4.PNG)

                  cmb

                    Click on the X in the firewall log, which rule is blocking it?

                    pareddefuego13
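The question cmb asks above, "which rule is blocking it?", can also be answered from the raw firewall log rather than by clicking through the GUI. The following is an added example, not code from the original thread or from pfSense. It triages log lines for blocked IPv6 packets to multicast destinations (ff00::/8) and counts them per pf rule number, tracker id and interface, so a flood like the one in this thread can be tied to the one rule producing it. The sample lines are constructed; they follow the comma-separated layout that filterlog writes on pfSense 2.2 and later (this thread is on 2.1, whose log format differs, so the layout is an assumption here), and the tracker 1000000103, interface em1 and addresses are made-up values.

```python
import csv
import io
import ipaddress
from collections import Counter

# Constructed sample records (not from the original thread). Assumed layout,
# as written by filterlog on pfSense 2.2 and later:
#   rule-number,sub-rule,anchor,tracker,interface,reason,action,direction,ip-version,
#   IPv6 part: class,flow-label,hop-limit,<two protocol fields>,length,source,destination,...
# The tracker value, interface name and addresses are made up for the example.
SAMPLE_LOG = """\
5,,,1000000103,em1,match,block,in,6,0x00,0x00000,1,ICMPv6,58,36,fe80::a00:27ff:fe4e:66a1,ff02::16
5,,,1000000103,em1,match,block,in,6,0x00,0x00000,255,ICMPv6,58,32,fe80::a00:27ff:fe4e:66a1,ff02::1:ff4e:66a1
5,,,1000000103,em1,match,block,in,6,0x00,0x00000,255,udp,17,200,fe80::a00:27ff:fe4e:66a1,ff02::fb,5353,5353,192
5,,,1000000103,em1,match,block,in,4,0x0,,128,0,0,DF,17,udp,328,192.168.1.100,255.255.255.255,68,67,308
91,,,1370000001,em1,match,pass,out,6,0x00,0x00000,64,tcp,6,60,2001:db8::10,2001:db8::1,40000,22,0,S,0,0,65535,,mss
"""

# 9 common fields, then class, flow-label, hop-limit, two protocol fields,
# length and source address come before the destination address.
IPV6_DST_INDEX = 16


def parse_line(line):
    """Return a dict for one IPv6 filterlog record, or None for anything else.

    filterlog does not print the protocol number and protocol name in the
    same order for IPv4 and IPv6, so the two protocol fields are accepted in
    either order: whichever one is all digits is treated as the number.
    """
    fields = next(csv.reader([line]))
    if len(fields) <= IPV6_DST_INDEX or fields[8] != "6":
        return None
    proto_a, proto_b = fields[12], fields[13]
    proto_id, proto_text = (proto_a, proto_b) if proto_a.isdigit() else (proto_b, proto_a)
    return {
        "rule": fields[0],        # pf rule number, the @N shown by pfctl -vvsr
        "tracker": fields[3],     # pfSense tracker id of the rule
        "iface": fields[4],
        "action": fields[6],
        "direction": fields[7],
        "proto_id": int(proto_id),
        "proto": proto_text,
        "src": ipaddress.ip_address(fields[15]),
        "dst": ipaddress.ip_address(fields[IPV6_DST_INDEX]),
    }


def blocked_multicast_by_rule(log_text):
    """Count blocked IPv6 packets whose destination is multicast (ff00::/8),
    keyed by (rule number, tracker, interface). Non-IPv6 records, passes and
    unicast destinations are ignored."""
    counts = Counter()
    for raw in io.StringIO(log_text):
        line = raw.strip()
        if not line:
            continue
        rec = parse_line(line)
        if rec is None or rec["action"] != "block" or not rec["dst"].is_multicast:
            continue
        counts[(rec["rule"], rec["tracker"], rec["iface"])] += 1
    return counts


if __name__ == "__main__":
    for (rule, tracker, iface), n in blocked_multicast_by_rule(SAMPLE_LOG).most_common():
        print(f"rule @{rule} tracker {tracker} on {iface}: {n} blocked IPv6 multicast packets")
```

On a live pfSense box the same script can be pointed at the output of `clog /var/log/filter.log` (the system-log records carry a syslog prefix before the comma-separated part, which would have to be stripped first). The rule number in the first field is the position of the rule in the loaded ruleset, which `pfctl -vvsr` prints as `@N` together with per-rule evaluation and packet counters, so a single rule number accounting for all of the entries is a quick confirmation that one rule, not the per-interface rules added later in this thread, is producing the flood.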

                      This is what I get when clicking on the "X" (first screenshot), and if I click on the "X" a second time an additional option is given, "Prevent this page from creating additional dialogs", along with the rules that triggered the alert.

                      These alerts started after enabling Snort on the LAN interface. Disabling Snort on the LAN interface stops these alerts on the firewall.

                      2013-06-10_091939.jpg
                      2013-06-10_091709.jpg

                      cmb

                        Oh you have block all v6 enabled. You'll have to disable that under System>Advanced, Firewall/NAT, then you can add a floating rule that does the same but without logging (applies to all interfaces) or individually on the interfaces.

                        pareddefuego13
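To make cmb's explanation concrete, here is an added illustration in pf.conf syntax. It is not the thread's own content and not pfSense's exact generated ruleset; the interface name em1, the macro and the rule labels are assumed. It shows why a non-logging block added on LAN cannot stop the log entries while the generated "Block all IPv6" rule is in place, and what the replacement looks like once that option is turned off.

```pf
# Assumed interface name; labels are illustrative, not pfSense's generated text.
lan = "em1"

# Situation 1: "Allow IPv6" unchecked. pfSense emits an early, logged block
# for all IPv6 traffic. pfSense rules carry "quick", and pf stops evaluating
# at the first matching "quick" rule, so every IPv6 packet is logged by this
# rule and never reaches any rule placed after it.
block in log quick inet6 all label "Block all IPv6"

# ... generated interface rules follow ...

# The user's own LAN rule: correct in itself, but shadowed by the rule above,
# so it is never evaluated for the multicast packets that are flooding the log.
block in quick on $lan inet6 from any to ff02::/16 label "shadowed, never matches"

# Situation 2: "Allow IPv6" checked, so the generated logged block is gone.
# The first matching rule is now one without the "log" keyword, so pf drops
# the traffic silently. Leaving out "on $lan" applies it to every interface,
# which is what a floating rule does in the GUI.
block in quick inet6 from any to ff02::/16 label "drop link-local multicast, no log"
```

On the pfSense shell, `pfctl -vvsr` lists the loaded rules with their `@N` numbers and evaluation and packet counters; the rule number shown for a firewall-log entry is that position, so a quick check of the counters tells you which of the two blocks is actually matching. One caveat: ff02::/16 is link-local multicast, which carries Neighbor Discovery (solicited-node addresses ff02::1:ffxx:xxxx), MLD and mDNS. Silently dropping it at the firewall is only appropriate on an interface where the firewall is not supposed to participate in IPv6 at all, as in this thread; on an interface that does use IPv6 it would break neighbor discovery to the firewall itself.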

                          Thanks cmb

                          Is this what you mean by enabling IPv6? How does this look for the floating rule?

                          Thanks

                          IPv6.jpg
                          ![Floating Rule2.jpg](/public/imported_attachments/1/Floating Rule2.jpg)

                          pareddefuego13

                            Ok, I enabled IPv6 and instead of the floating rule I block it individually on each interface. Seems to be working, no more flooded logs.

                            Thanks cmb

                            Update:

                            I noticed that I'm getting this every 15 minutes in my system log "php: : Could not find IPv6 gateway for interface(wan)."

                            Can I safely ignore this? I do have a "Block All IPv6 traffic" on the WAN interface.

                            Update 2:

                            I removed all my individual block rules for IPv6  on each interface and created the floating rule I have in my previous post. This seems better, I'm not getting the "php: : Could not find IPv6 gateway for interface(wan)" on the system log any more and the firewall logs are not flooded as well.

                            Why would the floating rule give me different results than creating a block rule on each interface?

                            HaOsLsE

                              @cmb:

                              Oh you have block all v6 enabled. You'll have to disable that under System>Advanced, Firewall/NAT, then you can add a floating rule that does the same but without logging (applies to all interfaces) or individually on the interfaces.

                              I know, I'm just getting back to cleaning up my firewall logs... bumping an old post. This is what fixed my problem. It was actually under Advanced, Networking for me. I enabled "Allow IPv6", created the floating rule to block, and now my logs are not filled with ICMPv6 blocks.

                              I am Hole.

                              Mr. Jingles

                                @HaOsLsE:

                                I know, I'm just getting back to cleaning up my firewall logs... bumping an old post. This is what fixed my problem. It was actually under Advanced, Networking for me. I enabled "Allow IPv6", created the floating rule to block, and now my logs are not filled with ICMPv6 blocks.

                                I did exactly that, and created the floating rule, hoping I had finally gotten rid of this most irritating problem, but for me it did not work ( ??? :-[ :'( )

                                What am I doing wrong, would anybody happen to know that?

                                7.jpg
                                8.jpg
                                9.jpg

                                6 and a half billion people know that they are stupid, aggressive, lower life forms.

                                Mr. Jingles

                                  Hmmm, I've been poking around some more. It turns out I have 'block bogon networks' activated on LAN, and I have now disabled 'log block bogon network' in the log settings. Let's see if this helps.

                                  Mr. Jingles

                                    @Hollander:

                                    Hmmm, I've been poking around some more. It turns out I have 'block bogon networks' activated on LAN, and I have now disabled 'log block bogon network' in the log settings. Let's see if this helps.

                                    Not that I exactly understand what I did ( ;D) but these most irritating messages are now gone. A screenshot of my rules in case anybody else is fighting with this problem also in the future:

                                    12.jpg

                                    Mr. Jingles

                                      Grrrr  >:(

                                      Well, that worked for a day or so; now we have other messages trolling the system log, as per the first screenshot.

                                      I messed around with my firewall, I think these rules should prevent these trolling messages, but obviously they don't (screenshot 2).

                                      Would anybody happen to know what I am doing wrong here?

                                      I'm getting so depressed  :-\

                                      Thank you  ;D

                                      10.jpg
                                      11.jpg

                                      Timster311

                                        Floating rule worked for me! It was very, very annoying, thanks :D

                                        2.1.2-RELEASE (i386)
                                        Cheers! ;D

                                        Copyright 2026 Rubicon Communications LLC (Netgate). All rights reserved.