Wednesday, January 01, 2020

Re: pflog flooded with igmp queries

On Wed, Jan 01, 2020 at 12:33:30PM -0500, Sonic wrote:
> The pflogs on my firewall and on a new system I'm installing (-current
> with pretty much a default pf.conf) are flooded with igmp query
> entries. Neither system has a log rule for such action.

[...]

> Reason?

To quote the pf.conf(5) manual (about 'allow-opts'):

By default, packets with IPv4 options or IPv6 hop-by-hop or
destination options header are blocked. When allow-opts is
specified for a pass rule, packets that pass the filter based on
that rule (last matching) do so even if they contain options.

It means that, as the rules you have don't have 'allow-opts', igmp packets
(which often have such ip-options) aren't matched by any rule. And by default, packets
with ip-options are block-logged.

> Solution?

I suppose that adding an explicit rule with allow-opts should do the trick.

Depending on your need (block or allow):

block return proto igmp to 224/4 allow-opts
or
pass proto igmp to 224/4 allow-opts

Please note it is untested.

Thanks.
--
Sebastien Marie
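To show what "igmp packets (which often have such ip-options)" means on the wire, here is an added Python example that is not part of the thread: it builds a constructed IGMPv2 general query the way a querier router sends it, with the IPv4 Router Alert option that RFC 2236 requires, and parses the IPv4 option list that makes pf classify the packet as "with IPv4 options" (block-logged unless the matching pass rule carries allow-opts). Function names and the sample addresses are mine; pf inspects the header itself, not this code.

```python
import socket
import struct

ROUTER_ALERT = 0x94  # IP option type 148: copied=1, class=0, number=20 (RFC 2113)

def checksum(data: bytes) -> int:
    """Standard one's-complement Internet checksum (IPv4 header and IGMP)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def ipv4_options(packet: bytes) -> list:
    """Return [(type, data), ...] for every option in the IPv4 header; non-empty means 'with options'."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (packet[0] & 0x0F) * 4            # header length including options
    if ihl < 20 or len(packet) < ihl:
        raise ValueError("bad IHL")
    opts, i = [], 20
    while i < ihl:
        otype = packet[i]
        if otype == 0:                       # End of Option List
            break
        if otype == 1:                       # No Operation, single byte
            i += 1
            continue
        if i + 1 >= ihl or packet[i + 1] < 2 or i + packet[i + 1] > ihl:
            raise ValueError("malformed option at offset %d" % i)
        olen = packet[i + 1]
        opts.append((otype, packet[i + 2:i + olen]))
        i += olen
    return opts

def needs_allow_opts(packet: bytes) -> bool:
    """True if a pass rule would need allow-opts for pf to let this packet through."""
    return bool(ipv4_options(packet))

def igmp_general_query(src: str, dst: str = "224.0.0.1") -> bytes:
    """Constructed IGMPv2 general query (type 0x11, max resp 10s, TTL 1) carrying
    Router Alert, as RFC 2236 requires from a querier router."""
    igmp = struct.pack("!BBH4s", 0x11, 100, 0, bytes(4))
    igmp = igmp[:2] + struct.pack("!H", checksum(igmp)) + igmp[4:]
    opts = bytes([ROUTER_ALERT, 4, 0, 0])    # type, length 4, value 0
    hdr = struct.pack("!BBHHHBBH4s4s", 0x46, 0, 24 + len(igmp), 0, 0, 1, 2, 0,
                      socket.inet_aton(src), socket.inet_aton(dst)) + opts
    hdr = hdr[:10] + struct.pack("!H", checksum(hdr)) + hdr[12:]
    return hdr + igmp
```

Running ipv4_options() over a packet captured from pflog tells you whether it fell into the options block rather than a logged rule.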
