Jan 21 22:34:34 gw1 ipmon[112]: 22:34:34.329898 rl0 @0:18 b 10.132.80.1 -> 224.0.0.1 PR igmp len 20 (28) IN low-ttl multicast
Jan 21 22:34:34 gw1 ipmon[112]: 22:34:34.330874 rl0 @0:18 b 10.173.192.1 -> 224.0.0.1 PR igmp len 20 (28) IN low-ttl multicast
Jan 21 22:34:34 gw1 ipmon[112]: 22:34:34.331830 rl0 @0:20 b 172.22.16.1 -> 224.0.0.1 PR igmp len 20 (28) IN low-ttl multicast
Jan 21 22:34:34 gw1 ipmon[112]: 22:34:34.332313 rl0 @0:18 b 10.50.0.1 -> 224.0.0.1 PR igmp len 20 (28) IN low-ttl multicast
...
Jan 21 22:49:09 gw1 ipmon[112]: 22:49:08.577563 rl0 @0:20 b 172.22.16.1 -> 224.0.0.1 PR igmp len 20 (28) IN low-ttl multicast
Jan 21 22:49:09 gw1 ipmon[112]: 22:49:08.578537 rl0 @0:18 b 10.173.192.1 -> 224.0.0.1 PR igmp len 20 (28) IN low-ttl multicast
Jan 21 22:49:09 gw1 ipmon[112]: 22:49:08.579510 rl0 @0:18 b 10.132.80.1 -> 224.0.0.1 PR igmp len 20 (28) IN low-ttl multicast
...
Jan 21 22:53:05 gw1 ipmon[112]: 22:53:05.006321 2x re0 @0:3 b 172.16.0.254 -> 224.0.0.1 PR igmp len 24 (36) IN low-ttl multicast **** ???
Jan 21 22:53:18 gw1 ipmon[112]: 22:53:18.643674 rl0 @0:18 b 10.50.0.1 -> 224.0.0.1 PR igmp len 20 (28) IN low-ttl multicast
Jan 21 22:53:18 gw1 ipmon[112]: 22:53:18.644158 rl0 @0:20 b 172.22.16.1 -> 224.0.0.1 PR igmp len 20 (28) IN low-ttl multicast
Jan 21 22:53:18 gw1 ipmon[112]: 22:53:18.645129 rl0 @0:18 b 10.173.192.1 -> 224.0.0.1 PR igmp len 20 (28) IN low-ttl multicast
Jan 21 22:53:18 gw1 ipmon[112]: 22:53:18.646103 rl0 @0:18 b 10.132.80.1 -> 224.0.0.1 PR igmp len 20 (28) IN low-ttl multicast

What is the "2x re0" ???

My LAN setup:
172.16.0.0/24 LAN - my lan
172.17.0.0/24 OPT1 - my neighbours lan
172.18.0.0/28 PPTP - a backup way to enter my lan (normally an IPSEC is running to my office)
172.19.0.0/24 WLAN (without WEP/WPA security, but with CARP active on it)

Hope this is the info you were asking for?

Chris Buechler wrote:
> On Jan 21, 2008 2:32 PM, Fred Wright <fw at well dot com> wrote:
>
>> What makes you say that? Routers that support IP multicast commonly send
>> periodic IGMP multicasts. My ISP does it every 125 seconds. And when
>> "IGMP" appears in the firewall log, it isn't a hallucination. :-)
>
> It could very well be IGMP, that comment was based on the fact that
> every time I've seen multicast spew from ISPs it's been routing
> protocols or VRRP. I didn't pay attention to the actual address. Being
> 224.0.0.1, the all hosts multicast group, I guess it probably isn't
> routing protocols or VRRP since RIP, OSPF, EIGRP and VRRP use
> different multicast addresses.
>
>>> the rest of the rule as is, that should work. I've done that before
>>> and it worked properly.
>>>
>> I have a no-log block rule for IGMP to keep those out of the log, which
>> worked at one time. But at some point, the router started including some
>> sort of IP option in the IGMP multicasts, and since m0n0wall has a
>> hard-coded rule to drop packets with IP options, which is ahead of all
>> user rules, there's no longer any way to keep them out of the log.
>
> Yeah if that's what is happening here, there may not be any way to
> filter out that log noise. Disabling logging on the default rules may
> work for the packets with IP options rule, but I haven't ever run into
> a situation where I needed to try that so I'm not sure. If that works,
> then add logging block/reject rules as desired if you want to log
> other blocked traffic.
>
> Use of IP options is very uncommon isn't it? I don't think I've seen
> anything use them, and thought I've read in multiple places that it
> isn't used.
>
> To the original poster: if you go to status.php, and paste a couple of
> the raw logs back to the list, we should have a better idea of whether
> this is also what you're seeing.
>
> On Jan 21, 2008 3:09 PM, Lee Sharp <leesharp at hal dash pc dot org> wrote:
>
>> Block them with a non-logging filter. I do that for ports 139, et al.
>> just to keep the logs readable.
>
> As Fred wrote, the IP options rule comes before user defined rules, so
> that won't work for packets with IP options set.
>
> -Chris
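
Added example, not part of any message in this thread: a Python parser for the ipmon lines posted above that totals blocked packets per interface and rule. It takes the optional `Nx` token before the interface to be ipmon's repeat count, and flags entries whose IP header length is above 20 bytes, which means IP options are present (the case the quoted replies discuss). The regular expression and field names are assumptions based on the lines shown.

```python
import re
from collections import Counter

# Field layout assumed from the posted lines: time, optional "Nx", interface,
# @group:rule, action, src -> dst, PR proto, len <IP header len> (<total len>).
IPMON_RE = re.compile(
    r"ipmon\[\d+\]: (?P<time>[\d:.]+) (?:(?P<count>\d+)x )?(?P<iface>\S+) "
    r"@(?P<group>\d+):(?P<rule>\d+) (?P<action>\S+) "
    r"(?P<src>\S+) -> (?P<dst>\S+) PR (?P<proto>\S+) "
    r"len (?P<hlen>\d+) \((?P<plen>\d+)\)"
)

# Four lines copied from the log in the post (poster's "**** ???" note dropped).
SAMPLE = """\
Jan 21 22:34:34 gw1 ipmon[112]: 22:34:34.329898 rl0 @0:18 b 10.132.80.1 -> 224.0.0.1 PR igmp len 20 (28) IN low-ttl multicast
Jan 21 22:34:34 gw1 ipmon[112]: 22:34:34.331830 rl0 @0:20 b 172.22.16.1 -> 224.0.0.1 PR igmp len 20 (28) IN low-ttl multicast
Jan 21 22:53:05 gw1 ipmon[112]: 22:53:05.006321 2x re0 @0:3 b 172.16.0.254 -> 224.0.0.1 PR igmp len 24 (36) IN low-ttl multicast
Jan 21 22:53:18 gw1 ipmon[112]: 22:53:18.643674 rl0 @0:18 b 10.50.0.1 -> 224.0.0.1 PR igmp len 20 (28) IN low-ttl multicast
"""

def parse_line(line):
    """Return a dict of fields for one ipmon syslog line, or None if no match."""
    m = IPMON_RE.search(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["count"] = int(rec["count"] or 1)   # no "Nx" prefix means logged once
    rec["hlen"] = int(rec["hlen"])
    rec["plen"] = int(rec["plen"])
    # An IPv4 header without options is exactly 20 bytes.
    rec["ip_options"] = rec["hlen"] > 20
    return rec

def summarize(text):
    """Total packets per (interface, rule, has-IP-options), honouring Nx counts."""
    totals = Counter()
    for line in text.splitlines():
        rec = parse_line(line)
        if rec:
            rule = f'@{rec["group"]}:{rec["rule"]}'
            totals[(rec["iface"], rule, rec["ip_options"])] += rec["count"]
    return totals

if __name__ == "__main__":
    for (iface, rule, opts), n in sorted(summarize(SAMPLE).items()):
        print(f"{iface} {rule} ip_options={opts} packets={n}")
```

On the posted lines, only the `re0 @0:3` entry has a 24-byte IP header; the `rl0` entries hit rules 18 and 20 with a plain 20-byte header.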