[ previous ] [ next ] [ threads ]
 From:  "Chris Buechler" <cbuechler at gmail dot com>
 Cc:  "Monowall User List" <m0n0wall at lists dot m0n0 dot ch>
 Subject:  Re: [m0n0wall] WAN download <> LAN upload
 Date:  Mon, 21 Jan 2008 16:28:12 -0500
On Jan 21, 2008 2:32 PM, Fred Wright <fw at well dot com> wrote:
> What makes you say that?  Routers that support IP multicast commonly send
> periodic IGMP multicasts.  My ISP does it every 125 seconds.  And when
> "IGMP" appears in the firewall log, it isn't a hallucination. :-)

It could very well be IGMP, that comment was based on the fact that
every time I've seen multicast spew from ISPs it's been routing
protocols or VRRP. I didn't pay attention to the actual address. Being, the all hosts multicast group, I guess it probably isn't
routing protocols or VRRP since RIP, OSPF, EIGRP and VRRP use
different multicast addresses.

> > the rest of the rule as is, that should work. I've done that before
> > and it worked properly.
> I have a no-log block rule for IGMP to keep those out of the log, which
> worked at one time.  But at some point, the router started including some
> sort of IP option in the IGMP multicasts, and since m0n0wall has a
> hard-coded rule to drop packets with IP options, which is ahead of all
> user rules, there's no longer any way to keep them out of the log.

Yeah if that's what is happening here, there may not be any way to
filter out that log noise. Disabling logging on the default rules may
work for the packets with IP options rule, but I haven't ever run into
a situation where I needed to try that so I'm not sure. If that works,
then add logging block/reject rules as desired if you want to log
other blocked traffic.

Use of IP options is very uncommon isn't it? I don't think I've seen
anything use them, and thought I've read in multiple places that it
isn't used.

To the original poster: if you go to status.php, and paste a couple of
the raw logs back to the list, we should have a better idea of whether
this is also what you're seeing.

On Jan 21, 2008 3:09 PM, Lee Sharp <leesharp at hal dash pc dot org> wrote:
> Block them with a non-logging filter.  I do that for ports 139, et. al.
> just to keep the logs readable.

As Fred wrote, the IP options rule comes before user defined rules, so
that won't work for packets with IP options set.