 From:  Fred Wright <fw at well dot com>
 To:  Monowall User List <m0n0wall at lists dot m0n0 dot ch>
 Subject:  Re: [m0n0wall] WAN download <> LAN upload
 Date:  Sun, 27 Jan 2008 19:03:06 -0800 (PST)
On Mon, 21 Jan 2008, Chris Buechler wrote:
> On Jan 21, 2008 2:32 PM, Fred Wright <fw at well dot com> wrote:
> >
> > What makes you say that?  Routers that support IP multicast commonly send
> > periodic IGMP multicasts.  My ISP does it every 125 seconds.  And when
> > "IGMP" appears in the firewall log, it isn't a hallucination. :-)
> >
> It could very well be IGMP, that comment was based on the fact that
> every time I've seen multicast spew from ISPs it's been routing
> protocols or VRRP. I didn't pay attention to the actual address. Being
>, the all hosts multicast group, I guess it probably isn't
> routing protocols or VRRP since RIP, OSPF, EIGRP and VRRP use
> different multicast addresses.

Well, I don't think the decoding of the IP protocol field actually
lies. :-)

> > I have a no-log block rule for IGMP to keep those out of the log, which
> > worked at one time.  But at some point, the router started including some
> > sort of IP option in the IGMP multicasts, and since m0n0wall has a
> > hard-coded rule to drop packets with IP options, which is ahead of all
> > user rules, there's no longer any way to keep them out of the log.
> >
> Yeah if that's what is happening here, there may not be any way to
> filter out that log noise. Disabling logging on the default rules may
> work for the packets with IP options rule, but I haven't ever run into
> a situation where I needed to try that so I'm not sure. If that works,
> then add logging block/reject rules as desired if you want to log
> other blocked traffic.

I suspect that would work, but it's a pretty big hammer. :-)

> Use of IP options is very uncommon isn't it? I don't think I've seen
> anything use them, and thought I've read in multiple places that it
> isn't used.

Unfortunately there's so much paranoia about IP options, mostly in regard
to the misleadingly named "source routing" options, that blocking all
packets with any IP options at all (rather than actually paying attention
to which options are present) has become common, which in turn makes them
hard to rely on.

Meanwhile, IGMPv2 (RFC2236) and IGMPv3 (RFC3376) *require* the use of the
Router Alert option (RFC2113), putting multicast on a collision course
with overly simplistic filters.

					Fred Wright
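The thread's point is that a filter which drops every packet carrying any IPv4 option cannot tell an IGMP query with the mandatory Router Alert option (RFC 2113) from a source-routed packet (LSRR/SSRR). The following is an added example, not code from the thread or from m0n0wall: it decodes the IPv4 option list, verifies the header checksum, and applies an option-aware pre-filter that drops only source-routed packets, lets Router Alert on IGMP to a multicast group through to ordinary user rules, and flags anything else for logging. The sample packets, the RFC 5737 documentation addresses and the verdict strings are constructed for the example.

```python
import ipaddress
import struct
from dataclasses import dataclass, field
from typing import List, Tuple

# IPv4 option type bytes (copy flag | class | number), RFC 791 and RFC 2113.
OPT_EOOL = 0            # end of option list
OPT_NOP = 1             # no-operation padding
OPT_LSRR = 131          # loose source route
OPT_SSRR = 137          # strict source route
OPT_ROUTER_ALERT = 148  # RFC 2113; IGMPv2/v3 messages must carry it
SOURCE_ROUTE_OPTIONS = {OPT_LSRR, OPT_SSRR}
IPPROTO_IGMP = 2


def ip_checksum(data: bytes) -> int:
    """RFC 1071 ones'-complement checksum over 16-bit words (0 means 'verifies')."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


@dataclass
class ParsedIPv4:
    src: str
    dst: str
    protocol: int
    checksum_ok: bool
    options: List[Tuple[int, bytes]] = field(default_factory=list)


def parse_ipv4(pkt: bytes) -> ParsedIPv4:
    """Decode the fixed header and walk the option list as (type, data) pairs."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (pkt[0] & 0x0F) * 4
    if ihl < 20 or len(pkt) < ihl:
        raise ValueError("bad IHL")
    hdr = pkt[:ihl]
    options = []
    i = 20
    while i < ihl:
        t = hdr[i]
        if t == OPT_EOOL:
            break
        if t == OPT_NOP:          # single-byte option, no length field
            i += 1
            continue
        if i + 1 >= ihl:
            raise ValueError("option type without length byte")
        length = hdr[i + 1]
        if length < 2 or i + length > ihl:
            raise ValueError("bad option length")
        options.append((t, bytes(hdr[i + 2:i + length])))
        i += length
    return ParsedIPv4(
        src=str(ipaddress.IPv4Address(hdr[12:16])),
        dst=str(ipaddress.IPv4Address(hdr[16:20])),
        protocol=hdr[9],
        checksum_ok=ip_checksum(hdr) == 0,
        options=options,
    )


def classify(pkt: bytes) -> str:
    """Option-aware pre-filter: only source-routed packets are dropped outright."""
    p = parse_ipv4(pkt)
    if not p.checksum_ok:
        return "drop:bad-checksum"
    types = {t for t, _ in p.options}
    if types & SOURCE_ROUTE_OPTIONS:
        return "drop:source-route"
    if not types:
        return "pass:no-options"
    # Router Alert on an IGMP message to a multicast group is the legitimate case.
    if (types == {OPT_ROUTER_ALERT} and p.protocol == IPPROTO_IGMP
            and ipaddress.IPv4Address(p.dst).is_multicast):
        return "pass:igmp-router-alert"
    return "log:other-options"


def build_ipv4(src: str, dst: str, proto: int, payload: bytes, options: bytes = b"") -> bytes:
    """Constructed test packet builder; pads options to a 32-bit boundary."""
    options += b"\x00" * (-len(options) % 4)
    ihl = (20 + len(options)) // 4
    hdr = struct.pack("!BBHHHBBH4s4s", 0x40 | ihl, 0xC0, ihl * 4 + len(payload),
                      0x1234, 0, 1, proto, 0,
                      ipaddress.IPv4Address(src).packed,
                      ipaddress.IPv4Address(dst).packed) + options
    return hdr[:10] + struct.pack("!H", ip_checksum(hdr)) + hdr[12:] + payload


def igmp_query() -> bytes:
    """IGMPv2 general membership query: type 0x11, max resp 10 s, group 0.0.0.0."""
    body = struct.pack("!BBH4s", 0x11, 100, 0, b"\x00" * 4)
    return body[:2] + struct.pack("!H", ip_checksum(body)) + body[4:]


# Constructed samples: RFC 5737 addresses, 224.0.0.1 is the all-hosts group.
ROUTER_ALERT = bytes([OPT_ROUTER_ALERT, 4, 0, 0])
LSRR = bytes([OPT_LSRR, 7, 4]) + ipaddress.IPv4Address("198.51.100.9").packed
IGMP_QUERY_WITH_RA = build_ipv4("192.0.2.1", "224.0.0.1", IPPROTO_IGMP, igmp_query(), ROUTER_ALERT)
SOURCE_ROUTED = build_ipv4("192.0.2.1", "192.0.2.2", 17, b"\x00" * 8, LSRR)
PLAIN_UDP = build_ipv4("192.0.2.1", "192.0.2.2", 17, b"\x00" * 8)

if __name__ == "__main__":
    for name, pkt in [("igmp+ra", IGMP_QUERY_WITH_RA), ("lsrr", SOURCE_ROUTED), ("plain", PLAIN_UDP)]:
        print(name, classify(pkt), parse_ipv4(pkt).options)
```

The verdict for the IGMP query is "pass" in the sense of handing the packet on to the user's own rules, which is exactly what a no-log block rule for IGMP needs in order to see it; a hard-coded options-drop placed ahead of user rules never gives those rules the chance.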