On 2021-07-07, Pierre Dupond <[email protected]> wrote:
> Hi All,
> I am setting up a firewall with PF. The strategy used is quite common:
> set block-policy return
> set loginterface none
> set skip on lo0
> match in all scrub (random-id reassemble tcp)
> block log
>
> Then some rules are used to pass the authorized packets.
>
> One of the rules is
> pass from <TV_nets> to <multicast>
> pass from <multicast> to <TV_nets>
>
> where the table "multicast" contains all the multicast addresses and the table
> "TV_nets" the networks used for IP TV.
>
> In the log regularly the following message is produced:
> Jul 07 10:44:40.049159 rule 26/(match) pass in on vlan120: 192.168.88.1 > 224.0.0.1: igmp query [tos 0xc0] [ttl 1]
>
> where vlan120 is part of an OpenBSD bridge used in the egress part of the
> firewall.
>
> A lot of similar rules (many vlans are used) and some other
> pass rules are defined but only this one (26) produces a message.
What is rule 26? (pfctl -sr -R 26)

It may relate to IP options; you can try allow-opts.

A more detailed packet dump might give clues, e.g. from
tcpdump -neipflog0 -vvXs1500
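As an added example (not code from either poster), a small parser for the one-line pflog records that tcpdump prints, tallying which rule, interface and protocol each record came from so that a "why does only rule 26 log" question can be answered from a saved capture; the regex assumes the IPv4 line layout quoted in the thread, and all sample lines except the quoted one are constructed.

```python
import re
from collections import Counter

# Layout assumed from the record quoted in the thread (IPv4 only: IPv6 dst
# addresses contain ":" and would need a different dst pattern).
PFLOG_RE = re.compile(
    r"^(?P<ts>\w{3} \d{2} \d{2}:\d{2}:\d{2}\.\d+) "
    r"rule (?P<rule>\d+)/\((?P<reason>[^)]+)\) (?P<action>pass|block|match) "
    r"(?P<dir>in|out) on (?P<ifname>\S+): "
    r"(?P<src>\S+) > (?P<dst>[^:]+): (?P<rest>.*)$"
)

def parse_pflog_line(line):
    """Return a dict of fields for one pflog record, or None for other lines."""
    m = PFLOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["rule"] = int(rec["rule"])
    # igmp/udp/icmp records name the protocol first; for TCP tcpdump prints
    # flags there instead, so fall back to "tcp" when both ends carry a port.
    first = rec["rest"].split()[0].lower()
    if first in ("igmp", "udp", "icmp"):
        rec["proto"] = first
    elif rec["src"].count(".") == 4 and rec["dst"].count(".") == 4:
        rec["proto"] = "tcp"
    else:
        rec["proto"] = "other"
    ttl = re.search(r"\[ttl (\d+)\]", rec["rest"])
    rec["ttl"] = int(ttl.group(1)) if ttl else None
    # 224.0.0.0/4 is the IPv4 multicast range (224.0.0.1 = all-hosts group)
    rec["multicast_dst"] = 224 <= int(rec["dst"].split(".")[0]) <= 239
    return rec

def summarize_pflog(text):
    """Count records per (rule, action, interface, proto) to see which rule fires."""
    counts = Counter()
    for line in text.splitlines():
        rec = parse_pflog_line(line)
        if rec:
            counts[(rec["rule"], rec["action"], rec["ifname"], rec["proto"])] += 1
    return counts

# Constructed sample: first record is the one quoted in the thread, the rest
# are made up; non-record lines such as tcpdump's banner are skipped.
SAMPLE_LOG = """\
tcpdump: listening on pflog0, link-type PFLOG
Jul 07 10:44:40.049159 rule 26/(match) pass in on vlan120: 192.168.88.1 > 224.0.0.1: igmp query [tos 0xc0] [ttl 1]
Jul 07 10:44:41.100000 rule 26/(match) pass in on vlan120: 192.168.88.1 > 224.0.0.1: igmp query [tos 0xc0] [ttl 1]
Jul 07 10:44:42.200000 rule 3/(match) block in on em0: 203.0.113.5.51234 > 192.0.2.10.53: udp 40
"""
```

Feed it the output of `tcpdump -n -e -ttt -i pflog0` saved to a file to get the per-rule counts for a real capture.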

