 From:  "Paul Dugas" <paul at dugas dot cc>
 To:  "m0n0wall Mailing List" <m0n0wall at lists dot m0n0 dot ch>
 Subject:  Re: [m0n0wall] Block IGMP
 Date:  Mon, 6 Jun 2005 13:00:23 -0400 (EDT)
On Mon, June 6, 2005 12:19 pm, Peter Allgeyer said:
> For the second one: Please give us an output of "ipfstat -nio" and the
> rule number the packet was blocked (see posting from Chris).

Am I interpreting this right?  I think it's this rule?

   @3 block in log quick from any to any with ipopt

I've also grabbed the packets via ethereal and attached the decode.  If
I'm reading the man page on ifp/ipopt and the ethereal dumps correctly,
m0n0 doesn't want any IP Options but the packets have a "Router Alert" bit
set.

I should mention that the 10.10.99.1 interface on the other router is not
actually connected to anything at the moment.  I guess this is why it's
balking so much.

Thanks in advance,

Paul

The "noise" entries from my syslog server:
---------------------
sis0 @0:3 b 10.10.99.1 -> 224.0.0.1 PR igmp len 24 (32) IN
sis0 @0:3 b 10.10.2.4 -> 224.0.0.1 PR igmp len 24 (32) IN
sis0 @0:3 b 10.10.99.1 -> 224.0.0.1 PR igmp len 24 (32) IN

Output of 'ipfstat -nio':
---------------------
@1 pass out quick on lo0 from any to any
@2 pass out quick on sis0 proto udp from 10.10.2.1/32 port = 67 to any port = 68
@3 pass out quick on sis2 proto udp from 10.10.3.1/32 port = 67 to any port = 68
@4 pass out quick on sis0 from 10.10.2.0/24 to 10.39.39.0/24
@5 pass out quick on sis0 from 10.39.39.0/24 to 10.10.2.0/24
@6 pass out quick on sis0 from 10.10.2.0/24 to 143.100.100.0/24
@7 pass out quick on sis0 from 143.100.100.0/24 to 10.10.2.0/24
@8 pass out quick on sis0 from 10.10.2.0/24 to 143.100.184.0/23
@9 pass out quick on sis0 from 143.100.184.0/23 to 10.10.2.0/24
@10 pass out quick on sis0 from 10.10.2.0/24 to 143.100.38.0/24
@11 pass out quick on sis0 from 143.100.38.0/24 to 10.10.2.0/24
@12 pass out quick on sis0 from 10.10.2.0/24 to 143.100.99.0/24
@13 pass out quick on sis0 from 143.100.99.0/24 to 10.10.2.0/24
@14 pass out quick on sis0 from 10.10.2.0/24 to 143.100.101.0/24
@15 pass out quick on sis0 from 143.100.101.0/24 to 10.10.2.0/24
@16 pass out quick on ng0 proto udp from any port = 68 to any port = 67
@17 pass out quick on sis0 from any to any keep state
@18 pass out quick on ng0 from any to any keep state
@19 pass out quick on sis2 from any to any keep state
@20 block out log quick from any to any
@1 pass in quick on lo0 from any to any
@2 block in log quick from any to any with short
@3 block in log quick from any to any with ipopt
@4 pass in quick on sis0 proto udp from any port = 68 to 255.255.255.255/32 port = 67
@5 pass in quick on sis0 proto udp from any port = 68 to 10.10.2.1/32 port = 67
@6 pass in quick on sis2 proto udp from any port = 68 to 255.255.255.255/32 port = 67
@7 pass in quick on sis2 proto udp from any port = 68 to 10.10.3.1/32 port = 67
@8 skip 2 in on sis0 from any to 10.10.2.1/32
@9 pass in quick on sis0 from 10.10.2.0/24 to 10.39.39.0/24
@10 pass in quick on sis0 from 10.39.39.0/24 to 10.10.2.0/24
@11 pass in quick on sis0 from 10.10.2.0/24 to 143.100.100.0/24
@12 pass in quick on sis0 from 143.100.100.0/24 to 10.10.2.0/24
@13 pass in quick on sis0 from 10.10.2.0/24 to 143.100.184.0/23
@14 pass in quick on sis0 from 143.100.184.0/23 to 10.10.2.0/24
@15 pass in quick on sis0 from 10.10.2.0/24 to 143.100.38.0/24
@16 pass in quick on sis0 from 143.100.38.0/24 to 10.10.2.0/24
@17 pass in quick on sis0 from 10.10.2.0/24 to 143.100.99.0/24
@18 pass in quick on sis0 from 143.100.99.0/24 to 10.10.2.0/24
@19 pass in quick on sis0 from 10.10.2.0/24 to 143.100.101.0/24
@20 pass in quick on sis0 from 143.100.101.0/24 to 10.10.2.0/24
@21 block in log quick on ng0 from 10.10.2.0/24 to any
@22 block in log quick on ng0 from 10.10.3.0/24 to any
@23 block in log quick on ng0 proto udp from any port = 67 to 10.10.2.0/24 port = 68
@24 pass in quick on ng0 proto udp from any port = 67 to any port = 68
@25 skip 7 in on sis0 from 10.39.39.0/24 to any
@26 skip 6 in on sis0 from 143.100.100.0/24 to any
@27 skip 5 in on sis0 from 143.100.184.0/23 to any
@28 skip 4 in on sis0 from 143.100.38.0/24 to any
@29 skip 3 in on sis0 from 143.100.99.0/24 to any
@30 skip 2 in on sis0 from 143.100.101.0/24 to any
@31 skip 1 in on sis0 from 10.10.2.0/24 to any
@32 block in log quick on sis0 from any to any
@33 skip 1 in on sis2 from 10.10.3.0/24 to any
@34 block in log quick on sis2 from any to any
@35 block in log quick on ng0 from 10.0.0.0/8 to any
@36 block in log quick on ng0 from 127.0.0.0/8 to any
@37 block in log quick on ng0 from 172.16.0.0/12 to any
@38 block in log quick on ng0 from 192.168.0.0/16 to any
@39 skip 1 in proto tcp from any to any flags S/FSRA
@40 block in log quick proto tcp from any to any
@41 block in log quick on sis0 from any to any head 100
@1 pass in quick from 10.10.2.0/24 to 10.10.2.1/32 keep state group 100
@2 block in quick proto igmp from any to any group 100
@3 pass in quick from 10.10.2.0/24 to any keep state keep frags group 100
@42 block in log quick on ng0 from any to any head 200
@1 pass in quick proto gre from any to 69.40.94.52/32 keep state group 200
@2 pass in quick proto tcp from any to 69.40.94.52/32 port = 1723 keep state group 200
@3 block in log first quick proto tcp from 192.50.74.27/32 to any group 200
@4 block in quick proto tcp from any to any port = 445 group 200
@5 block in quick proto tcp/udp from any to any port 134 >< 140 group 200
@6 pass in quick proto tcp from any to 10.10.2.5/32 port = 80 keep state group 200
@7 pass in quick proto tcp from any to 10.10.2.5/32 port = 443 keep state group 200
@8 pass in quick proto tcp from any to 10.10.2.5/32 port = 22 keep state group 200
@9 pass in quick proto tcp from any to 10.10.2.5/32 port = 25 keep state group 200
@10 pass in quick proto tcp from any to 10.10.2.5/32 port = 993 keep state group 200
@11 pass in quick proto tcp from any to 10.10.2.5/32 port 6880 >< 7000 keep state group 200
@43 block in log quick on sis2 from any to any head 300
@1 pass in quick from 10.10.3.0/24 to any keep state group 300
@44 block in log quick from any to any

-- 
Paul Dugas, Computer Engineer           Dugas Enterprises, LLC
paul at dugas dot cc     phone: 404-932-1355   522 Black Canyon Park
http://dugas.cc     fax: 866-751-6494   Canton, GA 30114 USA

No.     Time        Source                Destination           Protocol Info
    109 46.283451   10.10.99.1            224.0.0.1             IGMP     V2 Membership Query

Frame 109 (60 bytes on wire, 60 bytes captured)
    Arrival Time: Jun  6, 2005 12:41:58.983531000
    Time delta from previous packet: 0.530079000 seconds
    Time since reference or first frame: 46.283451000 seconds
    Frame Number: 109
    Packet Length: 60 bytes
    Capture Length: 60 bytes
    Protocols in frame: eth:ip:igmp
Ethernet II, Src: 00:0c:41:8f:76:35, Dst: 01:00:5e:00:00:01
    Destination: 01:00:5e:00:00:01 (01:00:5e:00:00:01)
    Source: 00:0c:41:8f:76:35 (LinksysG_8f:76:35)
    Type: IP (0x0800)
    Trailer: 000194040000110AEEF500000000
Internet Protocol, Src Addr: 10.10.99.1 (10.10.99.1), Dst Addr: 224.0.0.1 (224.0.0.1)
    Version: 4
    Header length: 24 bytes
    Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
        0000 00.. = Differentiated Services Codepoint: Default (0x00)
        .... ..0. = ECN-Capable Transport (ECT): 0
        .... ...0 = ECN-CE: 0
    Total Length: 32
    Identification: 0x0000 (0)
    Flags: 0x04 (Don't Fragment)
        0... = Reserved bit: Not set
        .1.. = Don't fragment: Set
        ..0. = More fragments: Not set
    Fragment offset: 0
    Time to live: 1
    Protocol: IGMP (0x02)
    Header checksum: 0x97cb (correct)
    Source: 10.10.99.1 (10.10.99.1)
    Destination: 224.0.0.1 (224.0.0.1)
    Options: (4 bytes)
        Router Alert: Every router examines packet
Internet Group Management Protocol
    IGMP Version: 2
    Type: Membership Query (0x11)
    Max Response Time: 1.0 sec (0x0a)
    Header checksum: 0xeef5 (correct)
    Multicast Address: 0.0.0.0 (0.0.0.0)

0000  01 00 5e 00 00 01 00 0c 41 8f 76 35 08 00 46 00   ..^.....A.v5..F.
0010  00 20 00 00 40 00 01 02 97 cb 0a 0a 63 01 e0 00   . ..@.......c...
0020  00 01 94 04 00 00 11 0a ee f5 00 00 00 00 00 01   ................
0030  94 04 00 00 11 0a ee f5 00 00 00 00               ............
No.     Time        Source                Destination           Protocol Info
    110 46.283621   10.10.2.4             224.0.0.1             IGMP     V2 Membership Query

Frame 110 (60 bytes on wire, 60 bytes captured)
    Arrival Time: Jun  6, 2005 12:41:58.983701000
    Time delta from previous packet: 0.000170000 seconds
    Time since reference or first frame: 46.283621000 seconds
    Frame Number: 110
    Packet Length: 60 bytes
    Capture Length: 60 bytes
    Protocols in frame: eth:ip:igmp
Ethernet II, Src: 00:0c:41:8f:76:35, Dst: 01:00:5e:00:00:01
    Destination: 01:00:5e:00:00:01 (01:00:5e:00:00:01)
    Source: 00:0c:41:8f:76:35 (LinksysG_8f:76:35)
    Type: IP (0x0800)
    Trailer: 000194040000110AEEF500000000
Internet Protocol, Src Addr: 10.10.2.4 (10.10.2.4), Dst Addr: 224.0.0.1 (224.0.0.1)
    Version: 4
    Header length: 24 bytes
    Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
        0000 00.. = Differentiated Services Codepoint: Default (0x00)
        .... ..0. = ECN-Capable Transport (ECT): 0
        .... ...0 = ECN-CE: 0
    Total Length: 32
    Identification: 0x0000 (0)
    Flags: 0x04 (Don't Fragment)
        0... = Reserved bit: Not set
        .1.. = Don't fragment: Set
        ..0. = More fragments: Not set
    Fragment offset: 0
    Time to live: 1
    Protocol: IGMP (0x02)
    Header checksum: 0xf8c8 (correct)
    Source: 10.10.2.4 (10.10.2.4)
    Destination: 224.0.0.1 (224.0.0.1)
    Options: (4 bytes)
        Router Alert: Every router examines packet
Internet Group Management Protocol
    IGMP Version: 2
    Type: Membership Query (0x11)
    Max Response Time: 1.0 sec (0x0a)
    Header checksum: 0xeef5 (correct)
    Multicast Address: 0.0.0.0 (0.0.0.0)

0000  01 00 5e 00 00 01 00 0c 41 8f 76 35 08 00 46 00   ..^.....A.v5..F.
0010  00 20 00 00 40 00 01 02 f8 c8 0a 0a 02 04 e0 00   . ..@...........
0020  00 01 94 04 00 00 11 0a ee f5 00 00 00 00 00 01   ................
0030  94 04 00 00 11 0a ee f5 00 00 00 00               ............
No.     Time        Source                Destination           Protocol Info
    111 46.283685   10.10.99.1            224.0.0.1             IGMP     V2 Membership Query

Frame 111 (60 bytes on wire, 60 bytes captured)
    Arrival Time: Jun  6, 2005 12:41:58.983765000
    Time delta from previous packet: 0.000064000 seconds
    Time since reference or first frame: 46.283685000 seconds
    Frame Number: 111
    Packet Length: 60 bytes
    Capture Length: 60 bytes
    Protocols in frame: eth:ip:igmp
Ethernet II, Src: 00:0c:41:8f:76:34, Dst: 01:00:5e:00:00:01
    Destination: 01:00:5e:00:00:01 (01:00:5e:00:00:01)
    Source: 00:0c:41:8f:76:34 (LinksysG_8f:76:34)
    Type: IP (0x0800)
    Trailer: 000194040000110AEEF500000000
Internet Protocol, Src Addr: 10.10.99.1 (10.10.99.1), Dst Addr: 224.0.0.1 (224.0.0.1)
    Version: 4
    Header length: 24 bytes
    Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
        0000 00.. = Differentiated Services Codepoint: Default (0x00)
        .... ..0. = ECN-Capable Transport (ECT): 0
        .... ...0 = ECN-CE: 0
    Total Length: 32
    Identification: 0x0000 (0)
    Flags: 0x04 (Don't Fragment)
        0... = Reserved bit: Not set
        .1.. = Don't fragment: Set
        ..0. = More fragments: Not set
    Fragment offset: 0
    Time to live: 1
    Protocol: IGMP (0x02)
    Header checksum: 0x97cb (correct)
    Source: 10.10.99.1 (10.10.99.1)
    Destination: 224.0.0.1 (224.0.0.1)
    Options: (4 bytes)
        Router Alert: Every router examines packet
Internet Group Management Protocol
    IGMP Version: 2
    Type: Membership Query (0x11)
    Max Response Time: 1.0 sec (0x0a)
    Header checksum: 0xeef5 (correct)
    Multicast Address: 0.0.0.0 (0.0.0.0)

0000  01 00 5e 00 00 01 00 0c 41 8f 76 34 08 00 46 00   ..^.....A.v4..F.
0010  00 20 00 00 40 00 01 02 97 cb 0a 0a 63 01 e0 00   . ..@.......c...
0020  00 01 94 04 00 00 11 0a ee f5 00 00 00 00 00 01   ................
0030  94 04 00 00 11 0a ee f5 00 00 00 00               ............
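Reading the frames above the way a defender would, here is an added example (my own Python, not code from this post or from m0n0wall) that parses the IPv4 header of frame 109 from its hex dump, lists the options it carries, and parses one of the ipmon syslog lines so the "@0:3 b" can be tied to the "block in log quick from any to any with ipopt" rule. The hex dump and the log line are transcribed from this message; the option-name table and the log-line regular expression are my own assumptions, based on RFC 791 and on the ipmon output format shown here. The option walker is general (EOOL, NOP and any TLV option), not limited to Router Alert.

```python
"""Added example (my code, not from the post or from m0n0wall): decode the
IPv4 options in the captured IGMP query and tie the ipmon log line to the
rule that logged it.  FRAME_109 and LOG_LINE are transcribed from the post."""
import re
import struct

# Frame 109 from the ethereal decode: 14-byte Ethernet header, 24-byte IPv4
# header (IHL=6), 8 bytes of IGMPv2, then the padding trailer.
FRAME_109 = bytes.fromhex(
    "01 00 5e 00 00 01 00 0c 41 8f 76 35 08 00 46 00"
    " 00 20 00 00 40 00 01 02 97 cb 0a 0a 63 01 e0 00"
    " 00 01 94 04 00 00 11 0a ee f5 00 00 00 00 00 01"
    " 94 04 00 00 11 0a ee f5 00 00 00 00")
# One of the "noise" syslog lines from the post.
LOG_LINE = "sis0 @0:3 b 10.10.99.1 -> 224.0.0.1 PR igmp len 24 (32) IN"
# Option numbers (low five bits of the type byte) from the IANA registry.
OPTION_NAMES = {0: "EOOL", 1: "NOP", 3: "LSRR", 4: "TS", 7: "RR",
                9: "SSRR", 20: "Router Alert"}
# Assumed ipmon line layout, derived from the lines shown in the post.
IPMON_RE = re.compile(
    r"^(?P<ifname>\S+) @(?P<group>\d+):(?P<rule>\d+) (?P<action>[bp]) "
    r"(?P<src>\S+) -> (?P<dst>\S+) PR (?P<proto>\S+) "
    r"len (?P<hlen>\d+) \((?P<tlen>\d+)\) (?P<direction>IN|OUT)$")

def header_checksum(hdr: bytes) -> int:
    """RFC 791 checksum; over a header that already holds its checksum it is 0."""
    if len(hdr) % 2:
        hdr += b"\x00"
    total = sum(struct.unpack(f"!{len(hdr) // 2}H", hdr))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def parse_options(raw: bytes) -> list:
    """Walk the option area: EOOL ends it, NOP is one byte, the rest are TLV."""
    opts, i = [], 0
    while i < len(raw):
        t = raw[i]
        number = t & 0x1F
        opt = {"type": t, "copied": bool(t & 0x80), "class": (t >> 5) & 0x3,
               "number": number, "name": OPTION_NAMES.get(number, f"opt{number}"),
               "data": b""}
        if number == 0:                           # End of Options List
            opts.append(opt)
            break
        if number == 1:                           # No Operation: no length byte
            opts.append(opt)
            i += 1
            continue
        if i + 1 >= len(raw):
            raise ValueError(f"option {number} at offset {i} has no length byte")
        length = raw[i + 1]
        if length < 2 or i + length > len(raw):
            raise ValueError(f"bad option length {length} at offset {i}")
        opt["data"] = raw[i + 2:i + length]
        opts.append(opt)
        i += length
    return opts

def parse_ipv4(buf: bytes) -> dict:
    """Parse an IPv4 header; buf starts at the version/IHL byte."""
    if len(buf) < 20:
        raise ValueError("shorter than the 20-byte minimum IPv4 header")
    version, ihl = buf[0] >> 4, buf[0] & 0xF
    if version != 4:
        raise ValueError(f"not IPv4 (version {version})")
    hlen = ihl * 4
    if hlen < 20 or len(buf) < hlen:
        raise ValueError(f"IHL {ihl} implies a {hlen}-byte header, have {len(buf)}")
    return {"header_len": hlen,
            "total_len": struct.unpack("!H", buf[2:4])[0],
            "ttl": buf[8], "protocol": buf[9],
            "src": ".".join(str(b) for b in buf[12:16]),
            "dst": ".".join(str(b) for b in buf[16:20]),
            "checksum_ok": header_checksum(buf[:hlen]) == 0,
            "options": parse_options(buf[20:hlen])}   # empty when IHL == 5

def parse_ipmon_line(line: str) -> dict:
    """Split an ipmon syslog line; 'len 24 (32)' is header length (total length)."""
    m = IPMON_RE.match(line.strip())
    if not m:
        raise ValueError(f"unrecognised ipmon line: {line!r}")
    d = m.groupdict()
    for key in ("group", "rule", "hlen", "tlen"):
        d[key] = int(d[key])
    d["action"] = {"b": "block", "p": "pass"}[d["action"]]
    return d

def explain(hdr: dict, log: dict) -> str:
    """A header longer than 20 bytes carries options, which is what 'with ipopt'
    matches; first confirm the log line and the capture describe the same packet."""
    if (log["hlen"], log["tlen"]) != (hdr["header_len"], hdr["total_len"]):
        return "log line and capture disagree on lengths; not the same packet"
    if not hdr["options"]:
        return "no IP options; a 'with ipopt' rule would not match this packet"
    names = ", ".join(o["name"] for o in hdr["options"])
    return (f"rule @{log['group']}:{log['rule']} ({log['action']} {log['direction']} "
            f"on {log['ifname']}) matched 'with ipopt': {hdr['header_len']}-byte "
            f"header carrying {names}")

if __name__ == "__main__":
    header = parse_ipv4(FRAME_109[14:])            # skip the Ethernet header
    print(explain(header, parse_ipmon_line(LOG_LINE)))
```

Run stand-alone it reports that group 0 rule 3 blocked a 24-byte header carrying Router Alert, which is the same conclusion Paul reached by hand. The practical takeaway for anyone tuning such a ruleset: RFC 2236 requires IGMPv2 messages to carry the Router Alert option, so a blanket "with ipopt" block drops every IGMP query and report on the interface, and a rule or detection that keys on IP options needs a carve-out for Router Alert on multicast traffic if IGMP is supposed to work.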