Bug #16711

closed

Firewall system log showing blocks for unassigned physical interfaces

Added by Zetto Null 4 days ago. Updated 3 days ago.

Status: Not a Bug
Priority: Normal
Assignee: -
Category: System Logs
Target version: -
% Done: 0%
Release Notes: Default
Affected Version: 2.8.1
Affected Architecture: All

Description

We have a lab system running 2.6.0 that did not exhibit this behavior. We've looked through the release notes for 2.7.0, 2.7.1, 2.7.2, 2.8.0, and 2.8.1 but have not been able to identify an intended change that would cause this.

We initially attempted to upgrade to 2.7.0, which would fail, resulting in the system being unable to boot. This system was very old, so we deployed a new VM on 2.7.2, restored the config, and upgraded to 2.8.1, which has come with many appreciated improvements.

Since then we've noticed that the firewall system log was logging blocks for DHCP traffic on unassigned physical interface vmx1 (the physical NIC was attempting to obtain a DHCP lease for the IPMI even though there is a dedicated IPMI NIC). All assigned interfaces on this system are VLANs, so we would only expect to see firewall system logs for those (e.g. WAN, vmx1.1, vmx1.2, vmx1.3, etc.). As vmx1 was not in use, we were not able to create a firewall rule to ignore the traffic. We were able to disable the NIC from attempting to obtain a DHCP lease on this NIC in the IPMI, which stopped it, but it appears that this could still be a bug. Please let us know if this is intended.

Actions #1

Updated by Jim Pingle 3 days ago

  • Status changed from New to Not a Bug

That is expected behavior, since it is traffic being blocked/dropped by the firewall. In most cases that is something administrators would prefer to be informed about rather than silently dropping it and not knowing traffic is hitting the firewall through a potentially unexpected path.

You can always choose not to log the default block and add your own using floating rules, for example, should you not want that behavior. Post on the forum if you need assistance with that configuration.

Actions #2

Updated by Zetto Null 3 days ago

Jim Pingle wrote in #note-1:

> That is expected behavior, since it is traffic being blocked/dropped by the firewall. In most cases that is something administrators would prefer to be informed about rather than silently dropping it and not knowing traffic is hitting the firewall through a potentially unexpected path.
>
> You can always choose not to log the default block and add your own using floating rules, for example, should you not want that behavior. Post on the forum if you need assistance with that configuration.

Thank you for the explanation. Do you know when this change was introduced?
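
An added illustration, not part of the ticket and not pfSense's own code: a short Python triage script that reads raw `filterlog` lines and counts blocked packets arriving on interfaces that are not in the assigned set, which is the "unexpected path" signal discussed above. The log lines, tracker IDs, addresses and the `vmx0` WAN name are constructed assumptions; only IPv4 entries are parsed.

```python
import csv
from collections import Counter

# Constructed sample lines in the raw filterlog CSV layout (not taken from the ticket).
SAMPLE_LOG = """\
Feb 3 10:15:01 fw filterlog[4242]: 4,,,1000000103,vmx1,match,block,in,4,0x0,,64,0,0,none,17,udp,328,0.0.0.0,255.255.255.255,68,67,308
Feb 3 10:15:02 fw filterlog[4242]: 4,,,1000000103,vmx1,match,block,in,4,0x0,,64,0,0,none,17,udp,328,0.0.0.0,255.255.255.255,68,67,308
Feb 3 10:15:03 fw filterlog[4242]: 4,,,1000000103,vmx1.2,match,block,in,4,0x0,,64,1234,0,DF,6,tcp,60,192.0.2.10,198.51.100.5,51514,23,0,S,12345,,64240,,mss
Feb 3 10:15:04 fw filterlog[4242]: 80,,,1700000001,vmx1.1,match,pass,in,4,0x0,,64,0,0,none,17,udp,76,192.0.2.20,192.0.2.1,5353,53,56
"""

# Assumption: interfaces that have an assignment on this firewall (vmx0 stands in for WAN).
ASSIGNED = {"vmx0", "vmx1.1", "vmx1.2", "vmx1.3"}


def parse_filterlog(line):
    """Return a dict for one IPv4 filterlog line, or None for anything else."""
    _, sep, payload = line.partition("filterlog[")
    if not sep or "]: " not in payload:
        return None
    f = next(csv.reader([payload.split("]: ", 1)[1]]))
    # Field 4 = interface, 6 = action, 7 = direction, 8 = IP version.
    if len(f) < 20 or f[8] != "4":
        return None
    rec = {"iface": f[4], "action": f[6], "dir": f[7],
           "proto": f[16], "src": f[18], "dst": f[19]}
    if f[16] in ("tcp", "udp") and len(f) >= 22:
        rec["sport"], rec["dport"] = int(f[20]), int(f[21])
    return rec


def blocks_on_unassigned(log_text, assigned):
    """Count blocked packets per (interface, kind) on interfaces not in `assigned`."""
    hits = Counter()
    for line in log_text.splitlines():
        rec = parse_filterlog(line)
        if rec and rec["action"] == "block" and rec["iface"] not in assigned:
            is_dhcp = rec["proto"] == "udp" and rec.get("dport") == 67
            hits[(rec["iface"], "dhcp-request" if is_dhcp else rec["proto"])] += 1
    return hits


if __name__ == "__main__":
    for (iface, kind), n in blocks_on_unassigned(SAMPLE_LOG, ASSIGNED).items():
        print(f"{iface}: {n} blocked {kind} packet(s) on an unassigned interface")
```
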
