Re: pflog flooded with igmp queries

2020-01-02 Thread Sonic
On Thu, Jan 2, 2020 at 12:34 PM Otto Moerbeek  wrote:
> > Can't seem to find that specific info anywhere.
>
> see man pf.conf and then search for allow-opts

I see that it says they are blocked, but nothing to indicate they are
also automatically logged.

Chris



Re: pflog flooded with igmp queries

2020-01-02 Thread Otto Moerbeek
On Thu, Jan 02, 2020 at 12:27:40PM -0500, Sonic wrote:

> On Thu, Jan 2, 2020 at 1:00 AM Sebastien Marie  wrote:
> >  And by default, packets
> > with ip-options are block-logged.
> 
> Can't seem to find that specific info anywhere.

see man pf.conf and then search for allow-opts

-Otto

> 
> > I suppose that adding an explicit rule with allow-opts should do the trick.
> > depending your need (block or allow):
> > block return proto igmp to 224/4 allow-opts
> > or
> > pass proto igmp to 224/4 allow-opts
> 
> I used:
> block proto igmp
> 
> Thanks!
> Chris
> 



Re: pflog flooded with igmp queries

2020-01-02 Thread Sonic
On Thu, Jan 2, 2020 at 12:27 PM Sonic  wrote:
> I used:
> block proto igmp

More specifically:
  block drop quick proto igmp
as I thought "return" would simply add extra traffic to the network.

Chris



Re: pflog flooded with igmp queries

2020-01-02 Thread Sonic
On Thu, Jan 2, 2020 at 1:00 AM Sebastien Marie  wrote:
>  And by default, packets
> with ip-options are block-logged.

Can't seem to find that specific info anywhere.

> I suppose that adding an explicit rule with allow-opts should do the trick.
> depending your need (block or allow):
> block return proto igmp to 224/4 allow-opts
> or
> pass proto igmp to 224/4 allow-opts

I used:
block proto igmp

Thanks!
Chris



Re: pflog flooded with igmp queries

2020-01-01 Thread Sebastien Marie
On Wed, Jan 01, 2020 at 12:33:30PM -0500, Sonic wrote:
> The pflogs on my firewall and on a new system I'm installing (-current
> with pretty much a default pf.conf) are flooded with igmp query
> entries. Neither system has a log rule for such action.

[...]

> Reason?

To quote pf.conf(5) manual (about 'allow-opts'):

 By default, packets with IPv4 options or IPv6 hop-by-hop or
 destination options header are blocked.  When allow-opts is
 specified for a pass rule, packets that pass the filter based on
 that rule (last matching) do so even if they contain options.

It means that, as the rules you have don't have 'allow-opts', igmp packets
(which often have such ip-options) aren't in any rules. And by default, packets
with ip-options are block-logged.

> Solution?

I suppose that adding an explicit rule with allow-opts should do the trick.

depending your need (block or allow):

block return proto igmp to 224/4 allow-opts
or
pass proto igmp to 224/4 allow-opts

Please note it is untested.

Thanks.
-- 
Sebastien Marie
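The ruleset from the original post with the two fixes discussed in the thread side by side, as an added example that is not part of anyone's message here. The interface name em1, the querier address 192.168.1.20 and the 224/4 multicast range are taken from the thread; the 192.168.1.0/24 source restriction is an assumption about the reader's LAN.

```pf
# Added example, not from the thread: the ruleset posted at the top of
# this thread plus two ways to stop the IGMP entries in pflog.
# Interface em1 and the 224/4 range come from the thread; the
# 192.168.1.0/24 source network is an assumption, adjust to your LAN.

set skip on lo

# --- as posted: every IGMP query ends up in pflog ---------------------
# IGMP queries carry the IPv4 Router Alert option (RFC 2236 / RFC 3376).
# The "pass" rule below is the last match for them (the pflog line names
# "rule 1 ... pass in on em1"), but a pass rule without allow-opts makes
# pf drop any packet carrying IP options, and that drop is logged even
# though no rule says "log". pfctl -si shows it as the ip-option counter.
block return            # block stateless traffic
pass                    # establish keep-state

# --- option A: what the poster settled on ------------------------------
# Drop IGMP before the pass rule is considered. "drop" rather than
# "return" so no ICMP error goes back on the wire, "quick" so no later
# rule is consulted, and no "log" so nothing reaches pflog. Use this on
# a host that has no need to join multicast groups.
block drop quick proto igmp

# --- option B: keep multicast membership working -----------------------
# Let IGMP through with allow-opts so the Router Alert option is
# tolerated. Keep the scope narrow: allow-opts admits every IPv4 option,
# source routing included, so limit it to the LAN and the multicast
# range instead of writing "pass ... allow-opts" on the catch-all rule.
# Use either A or B; with both present, A wins because it is "quick".
pass in on em1 proto igmp from 192.168.1.0/24 to 224.0.0.0/4 allow-opts
```

Check the file with `pfctl -nf /etc/pf.conf` before loading it with `pfctl -f /etc/pf.conf`. Afterwards the `ip-option` line of `pfctl -si` should stop growing and `tcpdump -n -e -ttt -i pflog0 proto igmp` should go quiet; if it does not, the queries are arriving on an interface or from a source that the rule does not cover.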



Re: pflog flooded with igmp queries

2020-01-01 Thread Sonic
pfctl -si
Status: Enabled for 1 days 23:53:56  Debug: err

State Table                          Total             Rate
  current entries                       13
  half-open tcp                          0
  searches                          100864            0.6/s
  inserts                            24490            0.1/s
  removals                           24477            0.1/s
Counters
  match                              25858            0.1/s
  bad-offset                             0            0.0/s
  fragment                               0            0.0/s
  short                                  0            0.0/s
  normalize                              0            0.0/s
  memory                                 0            0.0/s
  bad-timestamp                          0            0.0/s
  congestion                             0            0.0/s
  ip-option                           1368            0.0/s
  proto-cksum                            0            0.0/s
  state-mismatch                         0            0.0/s
  state-insert                           0            0.0/s
  state-limit                            0            0.0/s
  src-limit                              0            0.0/s
  synproxy                               0            0.0/s
  translate                              0            0.0/s
  no-route                               0            0.0/s

pfctl -sr
block return all
pass all flags S/SA


dera...@amd64.openbsd.org:/usr/src/sys/arch/amd64/compile/GENERIC.MP
real mem = 8491163648 (8097MB)
avail mem = 8221360128 (7840MB)
mpath0 at root
scsibus0 at mpath0: 256 targets
mainbus0 at root
bios0 at mainbus0: SMBIOS rev. 2.8 @ 0x8ce21000 (85 entries)
bios0: vendor American Megatrends Inc. version "5.12" date 04/07/2019
bios0: Default string Default string
acpi0 at bios0: ACPI 6.0
acpi0: sleep states S0 S3 S5
acpi0: tables DSDT FACP APIC FPDT FIDT MCFG SSDT SSDT HPET SSDT SSDT UEFI SSDT
LPIT SSDT SSDT SSDT SSDT DBGP DBG2 SSDT DMAR ASF! WSMT
acpi0: wakeup devices RP09(S3) PXSX(S3) RP10(S3) PXSX(S3) RP11(S3) PXSX(S3)
RP12(S3) PXSX(S3) RP13(S3) PXSX(S3) RP01(S3) PXSX(S3) RP02(S3) PXSX(S3) RP03(S3)
PXSX(S3) [...]
acpitimer0 at acpi0: 3579545 Hz, 24 bits
acpimadt0 at acpi0 addr 0xfee0: PC-AT compat
cpu0 at mainbus0: apid 0 (boot processor)
cpu0: Intel(R) Core(TM) i5-7200U CPU @ 2.50GHz, 2395.26 MHz, 06-8e-09
cpu0:
FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,
DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,SSE3,PCLMUL,DTES64,MWAIT,DS-CPL,VMX,EST,
TM2,SSSE3,SDBG,FMA3,CX16,xTPR,PDCM,PCID,SSE4.1,SSE4.2,x2APIC,MOVBE,POPCNT,
DEADLINE,AES,XSAVE,AVX,F16C,RDRAND,NXE,PAGE1GB,RDTSCP,LONG,LAHF,ABM,3DNOWP,PERF,
ITSC,FSGSBASE,TSC_ADJUST,SGX,BMI1,AVX2,SMEP,BMI2,ERMS,INVPCID,MPX,RDSEED,ADX,
SMAP,CLFLUSHOPT,PT,MD_CLEAR,TSXFA,IBRS,IBPB,STIBP,L1DF,SSBD,SENSOR,ARAT,XSAVEOPT
,XSAVEC,XGETBV1,XSAVES,MELTDOWN
cpu0: 256KB 64b/line 8-way L2 cache
cpu0: smt 0, core 0, package 0
mtrr: Pentium Pro MTRR support, 10 var ranges, 88 fixed ranges
cpu0: apic clock running at 24MHz
cpu0: mwait min=64, max=64, C-substates=0.2.1.2.4.1.1.1, IBE
cpu1 at mainbus0: apid 2 (application processor)
cpu1: Intel(R) Core(TM) i5-7200U CPU @ 2.50GHz, 2394.43 MHz, 06-8e-09
cpu1:
FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,
DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,SSE3,PCLMUL,DTES64,MWAIT,DS-CPL,VMX,EST,
TM2,SSSE3,SDBG,FMA3,CX16,xTPR,PDCM,PCID,SSE4.1,SSE4.2,x2APIC,MOVBE,POPCNT,
DEADLINE,AES,XSAVE,AVX,F16C,RDRAND,NXE,PAGE1GB,RDTSCP,LONG,LAHF,ABM,3DNOWP,PERF,
ITSC,FSGSBASE,TSC_ADJUST,SGX,BMI1,AVX2,SMEP,BMI2,ERMS,INVPCID,MPX,RDSEED,ADX,
SMAP,CLFLUSHOPT,PT,MD_CLEAR,TSXFA,IBRS,IBPB,STIBP,L1DF,SSBD,SENSOR,ARAT,XSAVEOPT
,XSAVEC,XGETBV1,XSAVES,MELTDOWN
cpu1: 256KB 64b/line 8-way L2 cache
cpu1: smt 0, core 1, package 0
cpu2 at mainbus0: apid 1 (application processor)
cpu2: Intel(R) Core(TM) i5-7200U CPU @ 2.50GHz, 2394.43 MHz, 06-8e-09
cpu2:
FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,
DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,SSE3,PCLMUL,DTES64,MWAIT,DS-CPL,VMX,EST,
TM2,SSSE3,SDBG,FMA3,CX16,xTPR,PDCM,PCID,SSE4.1,SSE4.2,x2APIC,MOVBE,POPCNT,
DEADLINE,AES,XSAVE,AVX,F16C,RDRAND,NXE,PAGE1GB,RDTSCP,LONG,LAHF,ABM,3DNOWP,PERF,
ITSC,FSGSBASE,TSC_ADJUST,SGX,BMI1,AVX2,SMEP,BMI2,ERMS,INVPCID,MPX,RDSEED,ADX,
SMAP,CLFLUSHOPT,PT,MD_CLEAR,TSXFA,IBRS,IBPB,STIBP,L1DF,SSBD,SENSOR,ARAT,XSAVEOPT
,XSAVEC,XGETBV1,XSAVES,MELTDOWN
cpu2: 256KB 64b/line 8-way L2 cache
cpu2: smt 1, core 0, package 0
cpu3 at mainbus0: apid 3 (application processor)
cpu3: Intel(R) Core(TM) i5-7200U CPU @ 2.50GHz, 2394.42 MHz, 06-8e-09
cpu3:
FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,
DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,SSE3,PCLMUL,DTES64,MWAIT,DS-CPL,VMX,EST,
TM2,SSSE3,SDBG,FMA3,CX16,xTPR,PDCM,PCID,SSE4.1,SSE4.2,x2APIC,MOVBE,POPCNT,
DEADLINE,AES,XSAVE,AVX,F16C,RDRAND,NXE,PAGE1GB,RDTSCP,LONG,LAHF,ABM,3DNOWP,PERF,

Re: pflog flooded with igmp queries

2020-01-01 Thread Sebastian Benoit
Sonic(sonicsm...@gmail.com) on 2020.01.01 12:33:30 -0500:
> The pflogs on my firewall and on a new system I'm installing (-current
> with pretty much a default pf.conf) are flooded with igmp query
> entries. Neither system has a log rule for such action.
> 
> Ex:
> ===
> rule 1/(match) pass in on em1: 192.168.1.20 > 224.0.0.1: igmp query [ttl 1]
> ===
> 
> pf.conf:
> ===
> #   $OpenBSD: pf.conf,v 1.55 2017/12/03 20:40:04 sthen Exp $
> #
> # See pf.conf(5) and /etc/examples/pf.conf
> 
> set skip on lo
> 
> block return# block stateless traffic
> pass# establish keep-state
> ===
> 
> Reason? Solution?

show the output of

  pfctl -si
  pfctl -sr
  dmesg



pflog flooded with igmp queries

2020-01-01 Thread Sonic
The pflogs on my firewall and on a new system I'm installing (-current
with pretty much a default pf.conf) are flooded with igmp query
entries. Neither system has a log rule for such action.

Ex:
===
rule 1/(match) pass in on em1: 192.168.1.20 > 224.0.0.1: igmp query [ttl 1]
===

pf.conf:
===
#   $OpenBSD: pf.conf,v 1.55 2017/12/03 20:40:04 sthen Exp $
#
# See pf.conf(5) and /etc/examples/pf.conf

set skip on lo

block return# block stateless traffic
pass# establish keep-state
===

Reason? Solution?

Thanks!