On Fri, 9 Jul 2021 07:39:26 -0000 (UTC), Stuart Henderson <[email protected]> wrote:
> On 2021-07-07, Pierre Dupond <[email protected]> wrote:
> > Hi All,
> > I am setting up a firewall with PF. The strategy used is quite
> > common:
> > set block-policy return
> > set loginterface none
> > set skip on lo0
> > match in all scrub (random-id reassemble tcp)
> > block log
> >
> > Then some rules are used to pass the authorized packets.
> >
> > One of the rules is
> > pass from <TV_nets> to <multicast>
> > pass from <multicast> to <TV_nets>
> >
> > where the table "multicast" contains all the multicast addresses and
> > the table "TV_nets" the networks used for IP TV.
> >
> > In the log, regularly the following message is produced:
> > Jul 07 10:44:40.049159 rule 26/(match) pass in on vlan120:
> > 192.168.88.1 > 224.0.0.1: igmp query [tos 0xc0] [ttl 1]
> >
> > where vlan120 is part of an OpenBSD bridge used in the egress part of
> > the firewall.
> >
> > A lot of similar rules (many vlans are used) and some other
> > pass rules are defined, but only this one (26) produces a message.
>
> What is rule 26? (pfctl -sr -R 26)
>
> It may relate to IP options, you can try allow-opts.
>
> A more detailed packet dump might give clues, e.g. from
> tcpdump -neipflog0 -vvXs1500
>

Thanks for the answer and the clue about how to get exactly a rule with a specific number. I have looked for a long time for how to do it without really finding a good solution (pfctl -s | head -26 is not as precise). I will now be able to give more precise information.
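As an added example (not part of this thread and not OpenBSD's own tooling), a small POSIX shell helper that summarises tcpdump pflog lines in the format quoted above by rule number and emits the `pfctl -sr -R <n>` lookup for each rule seen; the sample log lines are constructed in that format.

```shell
#!/bin/sh
# Added example, not from the thread: group pflog output by rule number so each
# rule can then be inspected with "pfctl -sr -R <n>", as suggested above.
# Input is tcpdump text from pflog0 in the format quoted in the thread.

# Constructed sample in the same format as the line quoted in the thread.
SAMPLE_PFLOG='Jul 07 10:44:40.049159 rule 26/(match) pass in on vlan120: 192.168.88.1 > 224.0.0.1: igmp query [tos 0xc0] [ttl 1]
Jul 07 10:45:40.050313 rule 26/(match) pass in on vlan120: 192.168.88.1 > 224.0.0.1: igmp query [tos 0xc0] [ttl 1]
Jul 07 10:45:41.100000 rule 4/(match) block in on vlan130: 10.0.0.5.51234 > 10.0.1.9.22: S 1:1(0) win 65535'

# Read pflog lines on stdin and print one line per distinct
# "<count> <rule> <reason> <action> <direction> <ifname>", most frequent first.
pflog_summary() {
    awk '
    {
        # Locate the "rule N/(reason) action dir on ifname:" fields anywhere in the line.
        for (i = 1; i <= NF - 5; i++) {
            if ($i == "rule" && $(i + 4) == "on") {
                n = $(i + 1); sub(/\/.*$/, "", n)                      # "26/(match)" -> "26"
                r = $(i + 1); sub(/^[^(]*\(/, "", r); sub(/\).*$/, "", r)  # -> "match"
                ifn = $(i + 5); sub(/:$/, "", ifn)                     # "vlan120:" -> "vlan120"
                count[n " " r " " $(i + 2) " " $(i + 3) " " ifn]++
                break
            }
        }
    }
    END { for (k in count) print count[k], k }' | sort -rn
}

# Emit the pfctl lookup command once for every rule number present in the log.
pflog_lookup_cmds() {
    pflog_summary | awk '!seen[$2]++ { print "pfctl -sr -R " $2 }'
}

# Demonstration on the constructed sample.
printf '%s\n' "$SAMPLE_PFLOG" | pflog_summary
printf '%s\n' "$SAMPLE_PFLOG" | pflog_lookup_cmds
```

On a live box the same functions can be fed from `tcpdump -n -e -ttt -r /var/log/pflog` or the pflog0 capture quoted above.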

