Bug #4383

Firewall log contains IGMP for rules that do not have logging on

Added by Phillip Davis about 2 years ago. Updated over 1 year ago.

Status: Resolved
Priority: High
Assignee: Ermal Luçi
Category: Logging
Target version:
Start date: 02/06/2015
Due date:
% Done: 0%
Affected version: 2.2
Affected Architecture:

History

#1 Updated by Chris Buechler almost 2 years ago

  • Status changed from New to Confirmed
  • Target version set to 2.2.2

I suspect the root issue here is logging of passed traffic with IP options regardless of whether logging is enabled on the matching rule.

#2 Updated by Phillip Davis almost 2 years ago

Target for 2.2.2 looks good. This does not affect actual firewall functions from a security point of view - packet passing and blocking happen as per the rules. It is just nuisance noise in the firewall log with some rule combinations and traffic.

#3 Updated by Chris Buechler almost 2 years ago

  • Target version changed from 2.2.2 to 2.2.3

#4 Updated by Bill Crowder almost 2 years ago

I too have run into this. Very irritating. :)

#5 Updated by Arion Lawrence almost 2 years ago

Just adding a "me too". I have default rule logging turned off, but still seeing lots of entries in firewall log of "Pass" traffic destined to 224.0.0.22 with Proto IGMP.

#7 Updated by Ermal Luçi over 1 year ago

This needs a patch to pf(4), which forces logging on packets with IP options dropped if not allowed and does not check the rule settings.

Line 6332 on pf.c.

#8 Updated by Chris Buechler over 1 year ago

  • Assignee set to Ermal Luçi
  • Priority changed from Normal to High

This makes the firewall logs basically completely useless in some networks. Sounds like it shouldn't be too difficult to fix.

#9 Updated by Ermal Luçi over 1 year ago

  • Status changed from Confirmed to Feedback

Patched.

#10 Updated by Phillip Davis over 1 year ago

2.2.3-DEVELOPMENT (i386)
built on Wed Jun 10 19:49:59 CDT 2015
FreeBSD 10.1-RELEASE-p11

No more flood of unasked-for IGMP messages in the firewall log. I also tried purposely passing and logging IGMP and that shows up correctly in the Firewall log with the correct associated rule number/description.

Fixed for me.

#11 Updated by Kill Bill over 1 year ago

Hooray! I finally can see something useful in firewall logs on the previously affected site once again! Sanity restored. :-)

#12 Updated by Chris Buechler over 1 year ago

  • Status changed from Feedback to Resolved

Fixed.
