[ previous ] [ next ] [ threads ]
 
 From:  sylikc <sylikc at gmail dot com>
 To:  Timothy Jans <info at hyperdrive dot be>
 Cc:  m0n0wall at lists dot m0n0 dot ch
 Subject:  Re: [m0n0wall] IGMP is filling up my Firewall Logs
 Date:  Sat, 11 Sep 2004 19:46:54 -0700
Timothy,

> I now did uncheck "Log packets blocked by the default rule" and created
> a rule to block TCP/UDP on WAN with logging enabled.
> This kind of works but it's not a very clean sollution. Will I still be
> able to open ports on my WAN as I created a rule before to block everything?

You can open ports on WAN as long as the rules appear before the
all-block rule.  m0n0 goes through the rules in the order listed, so
as long as you move the allow rules up top then it should work.


> I did try to create a rule to block IGMP first (with no logging) as Fred
> mentioned, but the default rule would still log IGMP packets.

Correct me if I'm wrong, because I can't recreate the situation you
describe here... How can the implicit default block rule (logged) for
IGMP packets that have been blocked by an explicit rule (without
logging) show up in the logs?  AFAIK, once an explicit block rule has
been hit, m0n0 does everything that is requested there, including not
logging, then stops.  Are you sure you don't have another block rule
above it or something that's logging?  Or you accidentally selected
the wrong interface (or specified an IP) to block IGMP on?


> I could always allow IGMP, that way the packets wouldn't get logged, but
> can allowing IGMP be a security risk?

If the above is true, where an explicit block rule that says DON'T LOG
ends up falling in your logs anyway, I can't see why an explicit allow
rule that says DON'T LOG wouldn't end up in your logs also...

AFAIK in terms of security, IGMP packets are pretty harmless.  They
are just probe/update packets for multicasting.  I'm pretty sure m0n0
just drops them.  I'm not aware of any exploits that make use of IGMP.
 Here's a link that describes what IGMP is/does:
http://www.et.put.poznan.pl/tcpip/igmp/igmp_intro.htm



/sylikc