System Log contains passing UDP 137/138 broadcasts

  • So I have an updated pfsense running 2.2.6 that is logging tons of UDP 137/138 broadcast packets on the LAN interface.  On top of logging them and passing them (allegedly, anyway - I don't think they'd actually go anywhere), they are from a subnet that should be subject to the default block rule, rather than passed (my boss apparently decided to have another subnet on the same physical network, but it has its own gateway).  They are pointless for me to pass or log but I have no ability to stop them internally.

    I looked around but couldn't find a way to turn this off.  None of my LAN rules have logging enabled.  The only rules to pass traffic through the LAN are for source=LAN Subnet and the anti-lockout rule.  I have made an explicit default block rule at the bottom that doesn't have logging enabled (before I found the setting to turn off "Log packets matched from the default block rules put in the ruleset").

    I unchecked both "Log packets matched from the default block rules put in the ruleset" and "Log packets matched from the default pass rules put in the ruleset" in the Settings menu of the System Log too.

  • If they're logged as being passed, you have a pass rule somewhere matching them that has logging enabled. Click the pass icon in the firewall log to see which.

  • Oh wow, I didn't notice you could do that.  Nice.  Thank you.

    Strange; it says it's matching the one Pass rule I have, but it shouldn't be.  The LAN address is so it should only be passing addresses in this subnet, but it is also passing addresses.  The rule I have set limits passes to source=LAN net.  It also has logging turned off, so I shouldn't see this in the log even if it matches.

    I'll reload the rules after hours in case they've somehow come unhinged from the GUI maybe.  I'll also look at the config files in case maybe the GUI is displaying the rule wrong.

  • Source 'LAN net' includes the LAN IP's subnet plus the subnet of any IP aliases on LAN.

    You'll probably just want to add a rule to block and not log broadcast traffic for the broadcast addresses of all the IP subnets on LAN.