Any way to stop these entries from appearing in my logs?
-
A significant portion of the block entries in my firewall log are:
src [fe80::6e40::xxxx::xxxx:xxxx]:5353
dst [ff02::fb]:5353
proto UDPI believe this is part of multicast traffic. I do not have IPV6 active on my pfSense.
Is there any way to prevent these entries from showing up over and over again in the firewall log?
I tried a floating rule on the interface in question (with the checkbox for logging not enabled)
block IPv6 UDP * 5353 ff02::/28 5353 * none
but this does not seem to work.EDIT:
Following a suggestion in another thread, I enabled IPV6 (in settings) and then added a floating block rule to block all IPV6 traffic on any interface, without logging. So far, this seems to stop these entries from appearing in my firewall log. But I am not sure if this is as secure as disabling IPV6 altogether? Can anyone weigh in on this or provide any other suggestions? -
go to status–-system logs----settings---- then uncheck the Log Firewall Default Blocks
-
Thanks, that seems to have done the trick. Much better your way than mine.
-
Glad to help :)
-
One more question. This seems obvious, but I am going to ask to be completely sure. If I uncheck the boxes for Log firewall default blocks and Log packets blocked by block local network rule (which is also cluttering up my log), will there be any difference whatsoever in the level of security offered by the firewall?
-
Far as I know those only affect logging and not the operation of the rules.
I suppose one could claim though that the knowledge of the blocking perhaps indirectly provides some additional amount of security. Pretty sure that is not the nature of the question though.
Cool forum id by the way.
pfCensor or pfCensory would be another cool one. That's what it made me first think of.
-
Thanks!
-
I somewhat agree knowing what your blocking can be useful, but there is quite often a lot of noise like that multicast traffic, udp noise on the public internet, etc.. I have the default log off and then create a rule to log tcp syn packets.
-
Yup. I do similar. Have default logging disabled and have rules to log the specific stuff I want to know about.
-
Glad someone else brought this up - I'm in the same boat with this log clutter. Question - why is there any IPv6 local traffic happening in the first place if I have that disabled? ???
-
"why is there any IPv6 local traffic happening in the first place if I have that disabled?"
Because your clients are sending it.. Just because pfsense doesn't process it, its going to block it so yeah its going to be in the logs.
If you don't want to see ipv6 noise your network is generation then disable it on your network so it doesn't send it, or tell pfsense not to log its default block and put in your own logging rules for blocks you want to see.
-
"why is there any IPv6 local traffic happening in the first place if I have that disabled?"
Because your clients are sending it.. Just because pfsense doesn't process it, its going to block it so yeah its going to be in the logs.
If you don't want to see ipv6 noise your network is generation then disable it on your network so it doesn't send it, or tell pfsense not to log its default block and put in your own logging rules for blocks you want to see.
Easier said then done. Accessing the TCP/IP properties of devices is not always possible to disable or turn off IPv6. Thanks for clarifying that it is coming from local clients. I'll just create a rule to block it and not log. 8)
-
The Block IPv6 rule on LAN is normally set to not log. You might want to verify that is the case.
-
@KOM:
The Block IPv6 rule on LAN is normally set to not log. You might want to verify that is the case.
That is part of the mystery here - the default rule already had logging OFF but the blocks were still showing up in the firewall view log. There is more to this weird behavior - I had to create a separate rule (B), even though it pretty much matched the default one (A) (specific host versus all), to get the log spam under control from IPv6 (see screen capture). The default LAN rule for IPv6 seems like it is not working.
Also, just to clarify my rules pic below, I threw in the towel on blocking IPv6 and went back to allowing it but still get log spam about it even though that is supposed to be OFF.
-
Out of state traffic is blocked by the Default Deny rule.
https://doc.pfsense.org/index.php/Why_do_my_logs_show_%22blocked%22_for_traffic_from_a_legitimate_connection
-
"Accessing the TCP/IP properties of devices is not always possible to disable or turn off IPv6"
What devices? My printer for example I can disable IPv6.. What device do you have that sends IPv6 that you can not turn it off on?
-
@KOM:
Out of state traffic is blocked by the Default Deny rule.
https://doc.pfsense.org/index.php/Why_do_my_logs_show_%22blocked%22_for_traffic_from_a_legitimate_connection
Sorry for not finding this myself but that article explains it. Thanks KOM.
-
"Accessing the TCP/IP properties of devices is not always possible to disable or turn off IPv6"
What devices? My printer for example I can disable IPv6.. What device do you have that sends IPv6 that you can not turn it off on?
Examples of my devices that do not allow IPv6 manipulation - Dish DVR, Vonage VoIP box, wireless thermostat, android tablet, Panasonic TV, etc.
I was able to track down these particular addresses to the source - turns out they are being generated by my software firewall (Agnitum Outpost Pro), go figure. ???
-
Well i have a wireless thermostat, nest.. It doesn't have a ipv6 address.. Because I didn't hand out any on the network segment its on. It doesn't show even a link local address.
What ipv6 addresses do these device have? Are they link local addresses? Those would be limited to the network they are on, and quite easy to quell their noise they might be sending out.
I will have to look at my directv dvr (genie) but again its on a segment I am not handing out IPv6 on.
My take on the ipv6 is your going to use it, then take the time to set it up correctly. I have multiple segments it is setup on, and then others that is disabled.. And while a device might be limited in scope to enable or disable ipv6.. The noise it might send out is pretty simple to remove from your logs.
