Solved IPFW igmp query v3

Hi!

I have in my ipfw rules:

Code:
$cmd 01090 deny log all from 224.0.0.0/3 to any in via $pif         #Class D & E multicast
and
Code:
# Broadcast and Multicast
$cmd 04700 deny ip from any to 255.255.255.255
$cmd 04800 deny log ip from any to 224.0.0.0/24 in
but I do not see any logs for blocking .
In my pf rules it works:
Code:
listening on pflog0, link-type PFLOG (OpenBSD pflog file), capture size 262144 bytes
2019-10-05 06:47:08.677668 rule 12/0(match): block in on bge0: 192.168.1.1 > 224.0.0.1: igmp query v3 [max resp time 1.0s]
Thank you.
 
1. You need to add the "log" keyword to the rules. (You already did that.)
So it would be:
Bash:
$cmd 01090 deny log all from 224.0.0.0/3 to any in via $pif         #Class D & E multicast
# Broadcast and Multicast
$cmd 04700 deny log ip from any to 255.255.255.255
$cmd 04800 deny log ip from any to 224.0.0.0/24 in

2. You need to enable the firewall logging in rc.conf:
Bash:
sysrc firewall_logging=YES
service ipfw restart

3. Your logs will land in /var/log/security.

4. The firewalls of all jails log directly into the log of the main machine. All logs inside the jails will be empty. This is probably due to the fact that the packet filtering happens inside the kernel and the jails do not have kernels of their own - they run inside the host's kernel.
So in order to differentiate between host's and jail's firewall logs I simply use different rule numbers inside the jails. So when I see which number is the rule, I know if it's in a jail or on the main host.
 
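The four points above (rules need `log`, `firewall_logging=YES`, everything lands in /var/log/security, and jail rules are only distinguishable from host rules by their number) are easy to check against the file itself. The following is an added example, not code from the thread: a small Python parser for the `ipfw: <rule> <action> <proto> <src> <dst> <in|out> via <iface>` lines ipfw(4) sends to syslog, summarising hits per rule number, separating host from jail rules by an assumed number range (JAIL_RULE_BASE), and picking out denies to multicast destinations. The sample lines are constructed; host name, timestamps and addresses are made up.

```python
"""Added example, not code from the thread: parse ipfw(4) deny/count lines as
they land in /var/log/security and summarise them by rule number.  Because
every jail's ipfw rules log through the host kernel into the same file, the
rule number is the only thing that tells a jail rule from a host rule, so the
poster's convention of distinct number ranges is modelled as JAIL_RULE_BASE."""
import re
from collections import Counter
from ipaddress import ip_address

# ipfw's syslog format: "ipfw: <rule> <action> <proto> <src> <dst> <in|out> via <iface>".
# TCP/UDP addresses carry ":port", ICMP shows as "ICMP:<type>.<code>" and other
# protocols as "P:<number>" (IGMP is IP protocol 2).
IPFW_LINE = re.compile(
    r"kernel: ipfw: (?P<rule>\d+) (?P<action>\w+) (?P<proto>\S+) "
    r"(?P<src>\S+) (?P<dst>\S+) (?P<direction>in|out) via (?P<iface>\S+)"
)

# Constructed sample lines (host name, timestamps and addresses are made up).
SAMPLE_LOG = """\
Oct  5 06:47:08 gw kernel: ipfw: 4800 Deny P:2 192.168.1.1 224.0.0.1 in via bge0
Oct  5 06:47:09 gw kernel: ipfw: 700 Deny TCP 192.168.1.50:51234 10.0.0.5:22 in via bge0
Oct  5 06:47:10 gw kernel: ipfw: 60100 Deny UDP 10.9.0.7:5353 224.0.0.251:5353 in via epair0b
Oct  5 06:47:11 gw kernel: ipfw: 4800 Deny P:2 192.168.1.1 224.0.0.1 in via bge0
Oct  5 06:47:12 gw kernel: ipfw: 1 Count ICMP:8.0 192.168.1.50 192.168.1.1 in via bge0
Oct  5 06:47:13 gw syslogd: last message repeated 1 times
"""

JAIL_RULE_BASE = 60000  # assumption: jails use rule numbers >= 60000, the host lower ones


def parse_ipfw_log(text):
    """Return one dict per ipfw line; lines that are not ipfw log lines are skipped."""
    events = []
    for line in text.splitlines():
        m = IPFW_LINE.search(line)
        if not m:
            continue
        ev = m.groupdict()
        ev["rule"] = int(ev["rule"])
        # strip the ":port" suffix that TCP/UDP entries carry (IPv4 only)
        ev["src_ip"] = ev["src"].rsplit(":", 1)[0]
        ev["dst_ip"] = ev["dst"].rsplit(":", 1)[0]
        ev["origin"] = "jail" if ev["rule"] >= JAIL_RULE_BASE else "host"
        events.append(ev)
    return events


def hits_per_rule(events):
    """Counter keyed by (rule number, action), e.g. {(4800, 'Deny'): 2}."""
    return Counter((e["rule"], e["action"]) for e in events)


def multicast_denies(events):
    """Deny events whose destination is in 224.0.0.0/4, the case the thread is about."""
    return [e for e in events
            if e["action"] == "Deny" and ip_address(e["dst_ip"]).is_multicast]


if __name__ == "__main__":
    evs = parse_ipfw_log(SAMPLE_LOG)
    for (rule, action), n in sorted(hits_per_rule(evs).items()):
        origin = "jail" if rule >= JAIL_RULE_BASE else "host"
        print(f"rule {rule:>5} {action:<5} {n:>3} hits  ({origin})")
    for e in multicast_denies(evs):
        print(f"multicast deny: rule {e['rule']} {e['proto']} "
              f"{e['src_ip']} -> {e['dst_ip']} via {e['iface']}")
```

Run it against the real file with `parse_ipfw_log(open("/var/log/security").read())`; if a rule you expect to see never appears in `hits_per_rule`, either it lacks `log` or an earlier rule is terminating evaluation first.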
I don't use jails, and in /etc/rc.conf I have
Code:
firewall_enable="YES"
firewall_script="/etc/ipfw.rules"
firewall_quiet="YES"
firewall_logdeny="YES"
firewall_logging="YES"
Thank you
BTW: it's blocking 192.0.73.2 all the time when I open the FreeBSD Forum.
 
What's your exact problem? If you enable firewall logging, then the log appears in /var/log/security. Doesn't it?

You cannot analyze IPFW logs via pflog0 because it works with pf, not ipfw; see pflog(4).
 
Oh, P.S. You probably want to
Code:
sysrc firewall_quiet=NO
The problem is that I don't have anything in /var/log/security showing ipfw blocking IP 224.0.0.1: igmp query v3. I am trying to switch from pf to ipfw, and I am trying to set it up so that it works like pf.
 
You could put a rule right in the beginning of the rules that logs everything.
Code:
ipfw add 1 count log all from any to any

This MUST log everything that passes through the firewall. If not - I don't know.
 
Code:
$cmd 00700 deny log all from 192.168.0.0/16 to any in via $pif  #RFC 1918 private IP

In the above line I didn't have "log", and for igmp it should be:
Code:
deny log igmp from any to 224.0.0.0/4 in via $pif
 
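The last post contains the actual explanation: the IGMP query from 192.168.1.1 was being dropped by rule 00700 (RFC 1918 source, no `log`) long before rule 04800 was reached, and 04800 itself only covered 224.0.0.0/24 rather than all of 224.0.0.0/4. The following is an added example, not code from the thread: a small first-match simulator for ipfw-style rules that replays the thread's rule set, as posted and as fixed, against the query seen in the pflog capture. It assumes `$pif` is `bge0` (the interface in the capture), `$cmd` is `ipfw -q add`, and that the corrected igmp rule keeps number 04800; the second packet (a group-specific query from 10.0.0.1) is constructed to show the /24 versus /4 difference. Real ipfw(8) has many more options; this is a teaching toy, not ipfw.

```python
"""Added example, not code from the thread: a small first-match simulator for
ipfw-style rules.  It models only action, "log", protocol, source/destination
prefix, direction and interface, which is enough to see why the poster's IGMP
queries were dropped without a log line: rule 00700 (RFC 1918 source, no
"log") matched before rule 04800 ever got a chance.  Not real ipfw."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass
class Rule:
    number: int
    action: str                      # "deny", "allow" or "count"
    log: bool
    proto: str                       # "all"/"ip" match any protocol; else "igmp", "tcp", ...
    src: str                         # CIDR prefix or "any"
    dst: str
    direction: Optional[str] = None  # "in", "out" or None for either
    via: Optional[str] = None        # interface name or None for any


@dataclass
class Packet:
    proto: str
    src: str
    dst: str
    direction: str
    iface: str


def _addr_match(spec: str, addr: str) -> bool:
    return spec == "any" or ip_address(addr) in ip_network(spec, strict=False)


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    if rule.proto not in ("all", "ip") and rule.proto != pkt.proto:
        return False
    if rule.direction is not None and rule.direction != pkt.direction:
        return False
    if rule.via is not None and rule.via != pkt.iface:
        return False
    return _addr_match(rule.src, pkt.src) and _addr_match(rule.dst, pkt.dst)


def evaluate(rules: List[Rule], pkt: Packet) -> Tuple[Optional[int], List[int]]:
    """Walk rules in number order.  Returns (number of the deny/allow rule that
    ended evaluation, or None if nothing terminated; numbers of matched rules
    that carry "log").  "count" rules log if flagged but do not terminate."""
    logged: List[int] = []
    for r in sorted(rules, key=lambda r: r.number):
        if not rule_matches(r, pkt):
            continue
        if r.log:
            logged.append(r.number)
        if r.action in ("deny", "allow"):
            return r.number, logged
    return None, logged


PIF = "bge0"  # assumption: $pif is the bge0 interface seen in the pflog capture

# The rules as first posted ($cmd assumed to be "ipfw -q add").
ORIGINAL = [
    Rule(700,  "deny", False, "all", "192.168.0.0/16", "any",             "in", PIF),  # RFC 1918, no "log"
    Rule(1090, "deny", True,  "all", "224.0.0.0/3",    "any",             "in", PIF),  # class D & E as *source*
    Rule(4700, "deny", False, "ip",  "any",            "255.255.255.255"),
    Rule(4800, "deny", True,  "ip",  "any",            "224.0.0.0/24",    "in"),
]

# After the fixes from the last post: "log" on 00700 and an igmp rule for all of
# 224.0.0.0/4 (keeping number 04800 for it is an assumption).
FIXED = [
    Rule(700,  "deny", True,  "all",  "192.168.0.0/16", "any",             "in", PIF),
    Rule(1090, "deny", True,  "all",  "224.0.0.0/3",    "any",             "in", PIF),
    Rule(4700, "deny", False, "ip",   "any",            "255.255.255.255"),
    Rule(4800, "deny", True,  "igmp", "any",            "224.0.0.0/4",     "in", PIF),
]

# The general query from the pflog capture: router 192.168.1.1 -> 224.0.0.1.
GENERAL_QUERY = Packet("igmp", "192.168.1.1", "224.0.0.1", "in", PIF)
# Constructed: a group-specific query from a non-192.168 source to a 239/8 group.
GROUP_QUERY = Packet("igmp", "10.0.0.1", "239.1.2.3", "in", PIF)


if __name__ == "__main__":
    for name, rules in (("original", ORIGINAL), ("fixed", FIXED)):
        for pkt in (GENERAL_QUERY, GROUP_QUERY):
            hit, logged = evaluate(rules, pkt)
            print(f"{name:>8}: {pkt.src} -> {pkt.dst} stopped by rule {hit}, logged by {logged}")
```

With the original set the general query terminates at 700 with nothing logged, and the 239.1.2.3 query falls through every rule because 04800 only covers 224.0.0.0/24; with the fixed set both are denied and logged. The same reasoning applies to the `count log all` rule suggested earlier in the thread: placed at number 1 it matches before anything can terminate evaluation, which is why it is a good way to prove that logging itself works.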