About a year ago there was a post showing the RFC 5771 packets in the pflog and 
the OP did not have any logging rules.

I have a logging rule for my blocks, and this is polluting the log.

Where do they come from and how do I eliminate them?

em0=WAN
em1=LAN
re0=MGMT

NAT is enabled from LAN to WAN

No.     Time                Source                Destination           Port   Protocol Length Info
     50 2014-10-24 21:01:53 0.0.0.0               224.0.0.1                    IGMPv2   96     [pass re0/0] Membership Query, general

Frame 50: 96 bytes on wire (768 bits), 96 bytes captured (768 bits) on interface 0
    Interface id: 0 (-)
    Encapsulation type: OpenBSD PF Firewall logs (39)
    Arrival Time: Oct 24, 2014 21:01:53.220023000 Eastern Daylight Time
    [Time shift for this packet: 0.000000000 seconds]
    Epoch Time: 1414198913.220023000 seconds
    [Time delta from previous captured frame: 120.692432000 seconds]
    [Time delta from previous displayed frame: 124.992990000 seconds]
    [Time since reference or first frame: 459.626189000 seconds]
    Frame Number: 50
    Frame Length: 96 bytes (768 bits)
    Capture Length: 96 bytes (768 bits)
    [Frame is marked: True]
    [Frame is ignored: False]
    [Protocols in frame: pflog:ip:igmp]
    [Coloring Rule Name: Routing]
    [Coloring Rule String: hsrp || eigrp || ospf || bgp || cdp || vrrp || carp || gvrp || igmp || ismp]
PF Log IPv4 pass on re0 by rule 0
    Header Length: 61
    Address Family: IPv4 (2)
    Action: pass (0)
    Reason: ip-option (8)
    Interface: re0
    Ruleset:
    Rule Number: 72
    Sub Rule Number: -1
    UID: -1
    PID: -1601830656
    Rule UID: 0
    Rule PID: 1550778368
    Direction: in (1)
    Padding: 000000
Internet Protocol Version 4, Src: 0.0.0.0 (0.0.0.0), Dst: 224.0.0.1 (224.0.0.1)
    Version: 4
    Header Length: 24 bytes
    Differentiated Services Field: 0xc0 (DSCP 0x30: Class Selector 6; ECN: 0x00: Not-ECT (Not ECN-Capable Transport))
        1100 00.. = Differentiated Services Codepoint: Class Selector 6 (0x30)
        .... ..00 = Explicit Congestion Notification: Not-ECT (Not ECN-Capable Transport) (0x00)
    Total Length: 32
    Identification: 0x0000 (0)
    Flags: 0x02 (Don't Fragment)
        0... .... = Reserved bit: Not set
        .1.. .... = Don't fragment: Set
        ..0. .... = More fragments: Not set
    Fragment offset: 0
    Time to live: 1
    Protocol: IGMP (2)
    Header checksum: 0x0417 [validation disabled]
        [Good: False]
        [Bad: False]
    Source: 0.0.0.0 (0.0.0.0)
    Destination: 224.0.0.1 (224.0.0.1)
    [Source GeoIP: Unknown]
    [Destination GeoIP: Unknown]
    Options: (4 bytes), Router Alert
        Router Alert (4 bytes): Router shall examine packet (0)
            Type: 148
                1... .... = Copy on fragmentation: Yes
                .00. .... = Class: Control (0)
                ...1 0100 = Number: Router Alert (20)
            Length: 4
            Router Alert: Router shall examine packet (0)
Internet Group Management Protocol
    [IGMP Version: 2]
    Type: Membership Query (0x11)
    Max Resp Time: 10.0 sec (0x64)
    Header checksum: 0xee9b [correct]
    Multicast Address: 0.0.0.0 (0.0.0.0)

0000  3d 02 00 08 72 65 30 00 00 00 00 00 00 00 00 00   =...re0.........
0010  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
0020  00 00 00 00 00 00 00 48 ff ff ff ff ff ff ff ff   .......H........
0030  a0 86 01 00 00 00 00 00 5c 6f 00 00 01 00 00 00   ........\o......
0040  46 c0 00 20 00 00 40 00 01 02 04 17 00 00 00 00   F.. ..@.........
0050  e0 00 00 01 94 04 00 00 11 64 ee 9b 00 00 00 00   .........d......

No.     Time                Source                Destination           Port   Protocol Length Info
     51 2014-10-24 21:01:53 0.0.0.0               224.0.0.1                    IGMPv2   96     [pass em1/0] Membership Query, general

Frame 51: 96 bytes on wire (768 bits), 96 bytes captured (768 bits) on interface 0
    Interface id: 0 (-)
    Encapsulation type: OpenBSD PF Firewall logs (39)
    Arrival Time: Oct 24, 2014 21:01:53.220090000 Eastern Daylight Time
    [Time shift for this packet: 0.000000000 seconds]
    Epoch Time: 1414198913.220090000 seconds
    [Time delta from previous captured frame: 0.000067000 seconds]
    [Time delta from previous displayed frame: 0.000067000 seconds]
    [Time since reference or first frame: 459.626256000 seconds]
    Frame Number: 51
    Frame Length: 96 bytes (768 bits)
    Capture Length: 96 bytes (768 bits)
    [Frame is marked: True]
    [Frame is ignored: False]
    [Protocols in frame: pflog:ip:igmp]
    [Coloring Rule Name: Routing]
    [Coloring Rule String: hsrp || eigrp || ospf || bgp || cdp || vrrp || carp || gvrp || igmp || ismp]
PF Log IPv4 pass on em1 by rule 0
    Header Length: 61
    Address Family: IPv4 (2)
    Action: pass (0)
    Reason: ip-option (8)
    Interface: em1
    Ruleset:
    Rule Number: 72
    Sub Rule Number: -1
    UID: -1
    PID: -1601830656
    Rule UID: 0
    Rule PID: 1550778368
    Direction: in (1)
    Padding: 000000
Internet Protocol Version 4, Src: 0.0.0.0 (0.0.0.0), Dst: 224.0.0.1 (224.0.0.1)
    Version: 4
    Header Length: 24 bytes
    Differentiated Services Field: 0xc0 (DSCP 0x30: Class Selector 6; ECN: 0x00: Not-ECT (Not ECN-Capable Transport))
        1100 00.. = Differentiated Services Codepoint: Class Selector 6 (0x30)
        .... ..00 = Explicit Congestion Notification: Not-ECT (Not ECN-Capable Transport) (0x00)
    Total Length: 32
    Identification: 0x0000 (0)
    Flags: 0x02 (Don't Fragment)
        0... .... = Reserved bit: Not set
        .1.. .... = Don't fragment: Set
        ..0. .... = More fragments: Not set
    Fragment offset: 0
    Time to live: 1
    Protocol: IGMP (2)
    Header checksum: 0x0417 [validation disabled]
        [Good: False]
        [Bad: False]
    Source: 0.0.0.0 (0.0.0.0)
    Destination: 224.0.0.1 (224.0.0.1)
    [Source GeoIP: Unknown]
    [Destination GeoIP: Unknown]
    Options: (4 bytes), Router Alert
        Router Alert (4 bytes): Router shall examine packet (0)
            Type: 148
                1... .... = Copy on fragmentation: Yes
                .00. .... = Class: Control (0)
                ...1 0100 = Number: Router Alert (20)
            Length: 4
            Router Alert: Router shall examine packet (0)
Internet Group Management Protocol
    [IGMP Version: 2]
    Type: Membership Query (0x11)
    Max Resp Time: 10.0 sec (0x64)
    Header checksum: 0xee9b [correct]
    Multicast Address: 0.0.0.0 (0.0.0.0)

0000  3d 02 00 08 65 6d 31 00 00 00 00 00 00 00 00 00   =...em1.........
0010  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
0020  00 00 00 00 00 00 00 48 ff ff ff ff ff ff ff ff   .......H........
0030  a0 86 01 00 00 00 00 00 5c 6f 00 00 01 00 00 00   ........\o......
0040  46 c0 00 20 00 00 40 00 01 02 04 17 00 00 00 00   F.. ..@.........
0050  e0 00 00 01 94 04 00 00 11 64 ee 9b 00 00 00 00   .........d......

-Jason

--
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
-                                                               -
- Jason Pyeron                      PD Inc. http://www.pdinc.us -
- Principal Consultant              10 West 24th Street #100    -
- +1 (443) 269-1555 x333            Baltimore, Maryland 21218   -
-                                                               -
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
This message is copyright PD Inc, subject to license 20080407P00.

_______________________________________________
List mailing list
List@lists.pfsense.org
https://lists.pfsense.org/mailman/listinfo/list
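
For triaging entries like the two in the capture above, this added example (not part of the original post) decodes the first frame's hex dump and flags IGMP packets that carry the Router Alert IP option, the combination both logged frames show. The pflog field offsets used (interface name at byte 4, rule number at byte 36) are assumptions read off this dump by matching its bytes to the dissected values.

```python
import ipaddress
import struct

FRAME = bytes.fromhex("""
3d 02 00 08 72 65 30 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 48 ff ff ff ff ff ff ff ff
a0 86 01 00 00 00 00 00 5c 6f 00 00 01 00 00 00
46 c0 00 20 00 00 40 00 01 02 04 17 00 00 00 00
e0 00 00 01 94 04 00 00 11 64 ee 9b 00 00 00 00
""")  # bytes of frame 50 exactly as printed in the hex dump above

def checksum_ok(data):  # Internet checksum: a valid block folds to 0xffff
    data += b"\0" * (len(data) % 2)
    s = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while s >> 16:
        s = (s & 0xFFFF) + (s >> 16)
    return s == 0xFFFF

def ip_options(ip, ihl):  # walk option bytes between offset 20 and IHL
    found, i = [], 20
    while i < ihl and ip[i] != 0:          # 0 = end of option list
        if ip[i] == 1:                     # 1 = no-op, single byte
            i += 1
            continue
        if i + 1 >= ihl or ip[i + 1] < 2 or i + ip[i + 1] > ihl:
            break                          # malformed length, stop walking
        found.append(ip[i])
        i += ip[i + 1]
    return found

def parse_pflog(frame):
    hdr_len, _af, action, reason = frame[:4]
    ip = frame[(hdr_len + 3) & ~3:]        # header padded to 4 bytes (61 -> 64)
    ihl = (ip[0] & 0x0F) * 4
    total = struct.unpack("!H", ip[2:4])[0]
    payload = ip[ihl:total]
    opts = ip_options(ip, ihl)
    return {
        "ifname": frame[4:20].split(b"\0")[0].decode(),
        "rule": struct.unpack("!I", frame[36:40])[0],   # assumed offset
        "action": action, "reason": reason, "ttl": ip[8], "proto": ip[9],
        "src": str(ipaddress.ip_address(ip[12:16])),
        "dst": str(ipaddress.ip_address(ip[16:20])),
        "options": opts,
        "router_alert": 0x94 in opts,      # option type 148 in the dissection
        "igmp_type": payload[0] if ip[9] == 2 and payload else None,
        "csum_ok": checksum_ok(ip[:ihl]) and checksum_ok(payload),
    }
```
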
