Netgate Discussion Forum

    Any way to stop these entries from appearing in my logs?

    Firewalling
    19 Posts 6 Posters 8.0k Views
    pfsensory

      A significant portion of the block entries in my firewall log are:
      src [fe80::6e40::xxxx::xxxx:xxxx]:5353
      dst [ff02::fb]:5353
      proto UDP

      I believe this is part of multicast traffic.  I do not have IPV6 active on my pfSense.

      Is there any way to prevent these entries from showing up over and over again in the firewall log?

      I tried a floating rule on the interface in question (with the checkbox for logging not enabled)
      block IPv6 UDP * 5353 ff02::/28 5353 * none
      but this does not seem to work.

      EDIT:
      Following a suggestion in another thread, I enabled IPV6 (in settings) and then added a floating block rule to block all IPV6 traffic on any interface, without logging.  So far, this seems to stop these entries from appearing in my firewall log.  But I am not sure if this is as secure as disabling IPV6 altogether?  Can anyone weigh in on this or provide any other suggestions?

        killmasta93

        Go to Status > System Logs > Settings, then uncheck Log Firewall Default Blocks.

        Tutorials:

        https://www.mediafire.com/folder/v329emaz1e9ih/Tutorials

          pfsensory

          Thanks, that seems to have done the trick.  Much better your way than mine.

            killmasta93

            Glad to help :)


              pfsensory

              One more question.  This seems obvious, but I am going to ask to be completely sure. If I uncheck the boxes for Log firewall default blocks and Log packets blocked by block local network rule (which is also cluttering up my log), will there be any difference whatsoever in the level of security offered by the firewall?

                NOYB

                Far as I know those only affect logging and not the operation of the rules.

                I suppose one could claim though that the knowledge of the blocking perhaps indirectly provides some additional amount of security.  Pretty sure that is not the nature of the question though.

                Cool forum id by the way.

                pfCensor or pfCensory would be another cool one.  That's what it made me first think of.

                  pfsensory

                  Thanks!

                    johnpoz LAYER 8 Global Moderator

                    I somewhat agree knowing what you're blocking can be useful, but there is quite often a lot of noise like that multicast traffic, UDP noise on the public internet, etc.  I have the default log off and then create a rule to log TCP SYN packets.

                    An intelligent man is sometimes forced to be drunk to spend time with his fools
                    If you get confused: Listen to the Music Play
                    Please don't Chat/PM me for help, unless mod related
                    SG-4860 24.11 | Lab VMs 2.8, 24.11

                      NOYB

                      Yup.  I do similar.  Have default logging disabled and have rules to log the specific stuff I want to know about.

                        dabigoreo

                        Glad someone else brought this up - I'm in the same boat with this log clutter. Question - why is there any IPv6 local traffic happening in the first place if I have that disabled?  ???

                        fw: 2.3-RELEASE(amd64)
                        packages: Snort, Nmap

                        system: Dell Optiplex 745 desktop
                        cpu: Intel Pentium D 3.4GHz
                        ram: 4GB DDR2
                        wan nic: Broadcom Gbe
                        lan nic: Marvell Gbe

                          johnpoz LAYER 8 Global Moderator

                          "why is there any IPv6 local traffic happening in the first place if I have that disabled?"

                          Because your clients are sending it. Just because pfSense doesn't process it, it's going to block it, so yeah, it's going to be in the logs.

                          If you don't want to see the IPv6 noise your network is generating, then disable it on your network so it doesn't send it, or tell pfSense not to log its default block and put in your own logging rules for blocks you want to see.


                            dabigoreo

                            @johnpoz:

                            "why is there any IPv6 local traffic happening in the first place if I have that disabled?"

                            Because your clients are sending it. Just because pfSense doesn't process it, it's going to block it, so yeah, it's going to be in the logs.

                            If you don't want to see the IPv6 noise your network is generating, then disable it on your network so it doesn't send it, or tell pfSense not to log its default block and put in your own logging rules for blocks you want to see.

                            Easier said than done. Accessing the TCP/IP properties of devices is not always possible to disable or turn off IPv6. Thanks for clarifying that it is coming from local clients. I'll just create a rule to block it and not log.  8)


                              KOM

                              The Block IPv6 rule on LAN is normally set to not log.  You might want to verify that is the case.

                                dabigoreo

                                @KOM:

                                The Block IPv6 rule on LAN is normally set to not log.  You might want to verify that is the case.

                                That is part of the mystery here - the default rule already had logging OFF but the blocks were still showing up in the firewall view log. There is more to this weird behavior - I had to create a separate rule (B), even though it pretty much matched the default one (A) (specific host versus all), to get the log spam under control from IPv6 (see screen capture). The default LAN rule for IPv6 seems like it is not working.

                                Also, just to clarify my rules pic below, I threw in the towel on blocking IPv6 and went back to allowing it but still get log spam about it even though that is supposed to be OFF.

                                pfsense_fw_rules_ipv6.JPG

                                  KOM

                                  Out of state traffic is blocked by the Default Deny rule.

                                  https://doc.pfsense.org/index.php/Why_do_my_logs_show_%22blocked%22_for_traffic_from_a_legitimate_connection

                                    johnpoz LAYER 8 Global Moderator

                                    "Accessing the TCP/IP properties of devices is not always possible to disable or turn off IPv6"

                                    What devices?  My printer, for example, I can disable IPv6.  What device do you have that sends IPv6 that you can not turn it off on?


                                      dabigoreo

                                      @KOM:

                                      Out of state traffic is blocked by the Default Deny rule.

                                      https://doc.pfsense.org/index.php/Why_do_my_logs_show_%22blocked%22_for_traffic_from_a_legitimate_connection

                                      Sorry for not finding this myself but that article explains it. Thanks KOM.


                                        dabigoreo

                                        @johnpoz:

                                        "Accessing the TCP/IP properties of devices is not always possible to disable or turn off IPv6"

                                        What devices?  My printer, for example, I can disable IPv6.  What device do you have that sends IPv6 that you can not turn it off on?

                                        Examples of my devices that do not allow IPv6 manipulation - Dish DVR, Vonage VoIP box, wireless thermostat, Android tablet, Panasonic TV, etc.

                                        I was able to track down these particular addresses to the source - turns out they are being generated by my software firewall (Agnitum Outpost Pro), go figure.  ???


                                          johnpoz LAYER 8 Global Moderator

                                          Well, I have a wireless thermostat, a Nest. It doesn't have an IPv6 address, because I didn't hand out any on the network segment it's on.  It doesn't show even a link-local address.

                                          What IPv6 addresses do these devices have?  Are they link-local addresses?  Those would be limited to the network they are on, and quite easy to quell their noise they might be sending out.

                                          I will have to look at my DirecTV DVR (Genie), but again it's on a segment I am not handing out IPv6 on.

                                          My take on IPv6 is if you're going to use it, then take the time to set it up correctly.  I have multiple segments it is set up on, and then others where it is disabled. And while a device might be limited in scope to enable or disable IPv6, the noise it might send out is pretty simple to remove from your logs.


                                          1 Reply Last reply Reply Quote 0
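
An added example, not posted by anyone in this thread: before silencing default-block logging, it helps to confirm how much of the log really is link-local multicast of the kind the first post shows. This Python script parses entries in that post's src/dst/proto layout and separates mDNS and other link-scope multicast from blocks worth reviewing; the sample entries, labels and function names are constructed for illustration, and the layout is the one quoted in the post, not pfSense's raw log format.

```python
import ipaddress
import re
from collections import Counter

# Constructed entries in the src/dst/proto form quoted in the first post (addresses made up).
SAMPLE = """\
src [fe80::6e40:8ff:fe12:3456]:5353
dst [ff02::fb]:5353
proto UDP
src [fe80::1c2d:3e4f:5a6b:7c8d]:546
dst [ff02::1:2]:547
proto UDP
src [2001:db8::10]:51515
dst [2001:db8:1::20]:443
proto TCP
src 192.0.2.7:40000
dst 198.51.100.9:22
proto TCP
"""

ENDPOINT = re.compile(r"^(src|dst) (?:\[([^\]]+)\]|([\d.]+)):(\d+)$")
LINK_SCOPE_MCAST = ipaddress.ip_network("ff02::/16")  # link-local scope multicast
MDNS_V6 = ipaddress.ip_address("ff02::fb")

def parse(text):
    """Yield one record per src/dst/proto triple."""
    rec = {}
    for line in map(str.strip, text.splitlines()):
        m = ENDPOINT.match(line)
        if m:
            side, v6, v4, port = m.groups()
            rec[side] = (ipaddress.ip_address(v6 or v4), int(port))
        elif line.startswith("proto ") and {"src", "dst"} <= rec.keys():
            yield {**rec, "proto": line.split()[1].upper()}
            rec = {}

def classify(rec):
    """Label traffic that is confined to the local segment; flag the rest for review."""
    (src, _), (dst, dport) = rec["src"], rec["dst"]
    if dst.version == 6 and dst in LINK_SCOPE_MCAST and src.is_link_local:
        if dst == MDNS_V6 and dport == 5353 and rec["proto"] == "UDP":
            return "mdns-link-local"
        return "other-link-local-multicast"
    return "review"

def triage(text):
    return Counter(classify(r) for r in parse(text))

if __name__ == "__main__":
    print(dict(triage(SAMPLE)))
```

Entries labelled `review` are the ones a dedicated logging rule, as johnpoz and NOYB describe, should keep visible once default-block logging is switched off.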