Bug #4383

closed

Firewall log contains IGMP for rules that do not have logging on

Added by Phillip Davis over 9 years ago. Updated over 9 years ago.

Status: Resolved
Priority: High
Assignee: Ermal Luçi
Category: Logging
Start date: 02/06/2015
% Done: 0%
Affected Version: 2.2
Actions #1

Updated by Chris Buechler over 9 years ago

  • Status changed from New to Confirmed
  • Target version set to 2.2.2

I suspect the root issue here is logging of passed traffic with IP options regardless of whether logging is enabled on the matching rule.

Actions #2

Updated by Phillip Davis over 9 years ago

Target for 2.2.2 looks good. This does not affect actual firewall functions from a security point of view - packet passing and blocking happen as per the rules. It is just nuisance noise in the firewall log with some rule combinations and traffic.

Actions #3

Updated by Chris Buechler over 9 years ago

  • Target version changed from 2.2.2 to 2.2.3

Actions #4

Updated by Bill Crowder over 9 years ago

I too have run into this. Very irritating. :)

Actions #5

Updated by Arion Lawrence over 9 years ago

Just adding a "me too". I have default rule logging turned off, but still seeing lots of entries in firewall log of "Pass" traffic destined to 224.0.0.22 with Proto IGMP.

Actions #7

Updated by Ermal Luçi over 9 years ago

This needs patching in pf(4), which forces logging on packets with IP options dropped if not allowed and does not check the rule settings.

Line 6332 on pf.c.

Actions #8

Updated by Chris Buechler over 9 years ago

  • Assignee set to Ermal Luçi
  • Priority changed from Normal to High

This makes the firewall logs basically completely useless in some networks. Sounds like it shouldn't be too difficult to fix.

Actions #9

Updated by Ermal Luçi over 9 years ago

  • Status changed from Confirmed to Feedback

Patched.

Actions #10

Updated by Phillip Davis over 9 years ago

2.2.3-DEVELOPMENT (i386)
built on Wed Jun 10 19:49:59 CDT 2015
FreeBSD 10.1-RELEASE-p11

No more flood of unasked-for IGMP messages in the firewall log. I also tried purposely passing and logging IGMP and that shows up correctly in the Firewall log with the correct associated rule number/description.

Fixed for me.

Actions #11

Updated by Kill Bill over 9 years ago

Hooray! I finally can see something useful in firewall logs on the previously affected site once again! Sanity restored. :-)

Actions #12

Updated by Chris Buechler over 9 years ago

  • Status changed from Feedback to Resolved

fixed
