[ previous ] [ next ] [ threads ]
 
 From:  Timothy Jans <info at hyperdrive dot be>
 To:  m0n0wall at lists dot m0n0 dot ch
 Cc:  sylikc at gmail dot com
 Subject:  Re: [m0n0wall] IGMP is filling up my Firewall Logs
 Date:  Sun, 12 Sep 2004 13:07:29 +0200 
Indeed, when I allow IGMP, they will still end up in my logs.
Looks like when "implicit logging (default rule)" is enabled m0n0wall 
ignores the non-log of the explicit rule.

-Timothy

sylikc wrote:

>Timothy,
>
>  
>
>>I now did uncheck "Log packets blocked by the default rule" and created
>>a rule to block TCP/UDP on WAN with logging enabled.
>>This kind of works but it's not a very clean sollution. Will I still be
>>able to open ports on my WAN as I created a rule before to block everything?
>>    
>>
>
>You can open ports on WAN as long as the rules appear before the
>all-block rule.  m0n0 goes through the rules in the order listed, so
>as long as you move the allow rules up top then it should work.
>
>
>  
>
>>I did try to create a rule to block IGMP first (with no logging) as Fred
>>mentioned, but the default rule would still log IGMP packets.
>>    
>>
>
>Correct me if I'm wrong, because I can't recreate the situation you
>describe here... How can the implicit default block rule (logged) for
>IGMP packets that have been blocked by an explicit rule (without
>logging) show up in the logs?  AFAIK, once an explicit block rule has
>been hit, m0n0 does everything that is requested there, including not
>logging, then stops.  Are you sure you don't have another block rule
>above it or something that's logging?  Or you accidentally selected
>the wrong interface (or specified an IP) to block IGMP on?
>
>
>  
>
>>I could always allow IGMP, that way the packets wouldn't get logged, but
>>can allowing IGMP be a security risk?
>>    
>>
>
>If the above is true, where an explicit block rule that says DON'T LOG
>ends up falling in your logs anyway, I can't see why an explicit allow
>rule that says DON'T LOG wouldn't end up in your logs also...
>
>AFAIK in terms of security, IGMP packets are pretty harmless.  They
>are just probe/update packets for multicasting.  I'm pretty sure m0n0
>just drops them.  I'm not aware of any exploits that make use of IGMP.
> Here's a link that describes what IGMP is/does:
>http://www.et.put.poznan.pl/tcpip/igmp/igmp_intro.htm
>
>
>
>/sylikc
>
>
>
>  
>