Bug #4383

Firewall log contains IGMP for rules that do not have logging on

Added by Phillip Davis about 5 years ago. Updated over 4 years ago.

Ermal Luçi

#1 Updated by Chris Buechler almost 5 years ago

  • Status changed from New to Confirmed
  • Target version set to 2.2.2

I suspect the root issue here is logging of passed traffic with IP options regardless of whether logging is enabled on the matching rule.

#2 Updated by Phillip Davis almost 5 years ago

Target for 2.2.2 looks good. This does not affect actual firewall functions from a security point of view - packet passing and blocking happen as per the rules. It is just nuisance noise in the firewall log with some rule combinations and traffic.

#3 Updated by Chris Buechler almost 5 years ago

  • Target version changed from 2.2.2 to 2.2.3

#4 Updated by Bill Crowder almost 5 years ago

I too have run into this. Very irritating. :)

#5 Updated by Arion Lawrence almost 5 years ago

Just adding a "me too". I have default rule logging turned off, but still seeing lots of entries in firewall log of "Pass" traffic destined to with Proto IGMP.

#7 Updated by Ermal Luçi over 4 years ago

This needs patching in pf(4), which forces logging on packets with IP options dropped if not allowed and does not check the rule settings.

Line 6332 on pf.c.

#8 Updated by Chris Buechler over 4 years ago

  • Assignee set to Ermal Luçi
  • Priority changed from Normal to High

This makes the firewall logs basically completely useless in some networks. Sounds like it shouldn't be too difficult to fix.

#9 Updated by Ermal Luçi over 4 years ago

  • Status changed from Confirmed to Feedback


#10 Updated by Phillip Davis over 4 years ago

2.2.3-DEVELOPMENT (i386)
built on Wed Jun 10 19:49:59 CDT 2015
FreeBSD 10.1-RELEASE-p11

No more flood of unasked-for IGMP messages in the firewall log. I also tried purposely passing and logging IGMP and that shows up correctly in the Firewall log with the correct associated rule number/description.

Fixed for me.

#11 Updated by Kill Bill over 4 years ago

Hooray! I finally can see something useful in firewall logs on the previously affected site once again! Sanity restored. :-)

#12 Updated by Chris Buechler over 4 years ago

  • Status changed from Feedback to Resolved

