How to adjust Firewall Rules for Packets to Multicast Addresses

I have hundreds of listings per second with requests to multicast addresses with protocol 2?

The packets are comprehensible but the log is hard to read, so I wanted to make a rule to suppress logging for that event. But nothing I tried worked.

Hope someone has a solution.
Thanks

First, welcome to the community!

Did you try to switch off input logging in Firewall Options?

Hello bbitsch,
thanks for the fast answer.
Yes, that helps, but it suppresses all kinds of notifications for incoming packets.
I am looking for an option to define a firewall rule and turn off logging for this special kind of packet. I have done this with lots of other types of packets and it is running fine. But with multicast packets, I found no solution.
I tried to create rules which should target this kind of packet (All / All / Dest 224.0.0.1 / All). But nothing worked.
Sorry, I thought I’m not the first one who ran into this kind of problem and I just can’t see the forest for the trees.
Thank you anyway!

Hi,

sorry for the tardy reply.

Yes, this would have been the way to go - I am surprised to hear it is not working for you.

Could you try changing the rule (one should be sufficient) this way:

  • Source network: RED
  • Destination network: 224.0.0.0/4 (IP range reserved for multicast purposes)
  • Action: Drop

Thanks, and best regards,
Peter Müller

No problem, many thanks for trying to help!
I’m very surprised too about the firewall handling of multicast packets.
I created a new rule, but unfortunately no change.

I’m having trouble with this too, I need to drop multicast from one host. I can’t for the life of me get this going.

Tried:
Source Host: 192.168.10.7
Destination network: 224.0.0.251
Action: Drop
No drops shown in logs.

Tried this:
Source network: Any
Destination network: 224.0.0.251
Action: Drop
Drops all multicast and shown in logs. Works but not what I’m after.

@callifo
That’s not exactly the same problem.
Which IPFire version do you use?
For which interface are you trying to change the settings?

In my version (X64 - 2.25 Core 158) all changes in the firewall rules for logging of multicast packets (Proto 2) on Red are completely ignored!
No chance to suppress logging in the firewall rules!

Yeah same version. I misunderstood, so your multicast is dropped but it always logs it? Mine doesn’t drop and it doesn’t log.

That multicast address you’ve shown are IGMP membership queries, it would be produced by the IGMP Querier or snooping device on the network. It should send packets out every 180 seconds or somewhere near. You need to turn it down?

Hi all,

oh well, I completely overlooked the “DROP_INPUT” snippet in the screenshots provided. :expressionless:

May I ask you to edit the firewall rule once more, and set its destination to “firewall”, and then choose IPFire’s RED interface?

The reason for this is the underlying behaviour of iptables: Rules having the multicast range set as its destination are placed into the FORWARD chain. However, since IPFire interprets these as being incoming connections, they actually hit the INPUT chain. This is why the rule I proposed in the first place never triggered, and you folks continued to observe these log entries.

Sorry about this. Will have a cup of coffee first next time. :slight_smile:

Thanks, and best regards,
Peter Müller
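
The thread turns on DROP_INPUT log entries for protocol 2 packets sent to multicast addresses. As an added example (not part of any post in this thread and not IPFire code), the Python below separates those entries from the remaining drops when reading a log, without touching firewall logging; the sample log lines, the `red0` interface name, the host name and all addresses are constructed.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample in netfilter LOG format. Only the DROP_INPUT prefix comes from
# the thread; the red0 interface name, host name and all addresses are assumptions.
SAMPLE_LOG = """\
Aug  1 10:00:01 ipfire kernel: DROP_INPUT IN=red0 OUT= MAC=01:00:5e:00:00:01:00:11:22:33:44:55:08:00 SRC=192.0.2.1 DST=224.0.0.1 LEN=32 TOS=0x00 PREC=0xC0 TTL=1 ID=0 DF PROTO=2
Aug  1 10:00:02 ipfire kernel: DROP_INPUT IN=red0 OUT= MAC=00:aa:bb:cc:dd:ee:00:11:22:33:44:55:08:00 SRC=198.51.100.7 DST=203.0.113.10 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=4711 DF PROTO=TCP SPT=40312 DPT=23 WINDOW=29200 RES=0x00 SYN URGP=0
Aug  1 10:00:03 ipfire kernel: DROP_INPUT IN=red0 OUT= MAC=01:00:5e:00:00:fb:00:11:22:33:44:66:08:00 SRC=192.0.2.9 DST=224.0.0.251 LEN=73 TOS=0x00 PREC=0x00 TTL=255 ID=0 DF PROTO=UDP SPT=5353 DPT=5353 LEN=53
Aug  1 10:03:01 ipfire kernel: DROP_INPUT IN=red0 OUT= MAC=01:00:5e:00:00:01:00:11:22:33:44:55:08:00 SRC=192.0.2.1 DST=224.0.0.1 LEN=32 TOS=0x00 PREC=0xC0 TTL=1 ID=0 DF PROTO=2
Aug  1 10:03:02 ipfire dhcpd: unrelated line that is not a firewall entry
"""

FIELD = re.compile(r"(\w+)=(\S*)")
LOGLINE = re.compile(r"kernel: (\S+) (IN=.*)$")
MULTICAST = ipaddress.ip_network("224.0.0.0/4")

def parse_line(line):
    """Return (log prefix, field dict) for a netfilter LOG line, else None."""
    m = LOGLINE.search(line)
    return (m.group(1), dict(FIELD.findall(m.group(2)))) if m else None

def is_igmp_multicast(fields):
    """True for IP protocol 2 (IGMP, logged as PROTO=2) sent to 224.0.0.0/4."""
    try:
        dst = ipaddress.ip_address(fields.get("DST", ""))
    except ValueError:
        return False
    return fields.get("PROTO") == "2" and dst in MULTICAST

def split_log(text, prefix="DROP_INPUT"):
    """Count IGMP multicast drops per (IN, SRC, DST); return other drops as-is."""
    noise, other = Counter(), []
    for line in text.splitlines():
        parsed = parse_line(line)
        if parsed is None or parsed[0] != prefix:
            continue
        fields = parsed[1]
        if is_igmp_multicast(fields):
            noise[(fields["IN"], fields.get("SRC"), fields["DST"])] += 1
        else:
            other.append(line)
    return noise, other

if __name__ == "__main__":
    noise, other = split_log(SAMPLE_LOG)
    print(dict(noise))
    print("\n".join(other))
```

The mDNS packet to 224.0.0.251 stays in the "other" list because it is UDP, not protocol 2, which mirrors the two different cases discussed in the thread.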

@callifo
Yes, the packets are common IGMP queries,
and I hope that the packets are dropped while the Drop_Input message is shown in the log file. (But I will try to test it shortly.)

  1. Do you enable Log of discarded incoming packets in options?
  2. On which interface is your problem? I have this problem only with packets on the red interface.

@pmueller
Thank you very much for trying to help :slight_smile:

Please don’t worry that it didn’t work the first time.
I am grateful for every attempt to help.

Thank you for explaining the background of your answer!
It makes sense and I made this rule:

And yet it is sorted under incoming Firewall.

But unfortunately …

No Change of the Logging

Nevertheless, thank you very much!

@all
I did some new tests and I found a curious solution after trying to change the action to Reject!
But this behavior and the conditions are very strange and not very logical to me.

I successfully suppress the logging under the following conditions:

Destination
only all, Firewall all or red
NOT Firewall red !!
NOT Firewall green
NOT 224.0.0.0/4

Protocol
All or IGMP

Action
Only Reject
NOT Drop !!

I have a solution, but if someone can explain this behavior, I would be happy.
I will do some more tests and try to find more details.

Thanks @ALL

You’re right, it’s weird, I am unable to use DROP, it must be REJECT. Still can’t use the multicast addresses, perhaps for reasons as mentioned above.

I’ve used
Source: Host IP
Destination: Any
Protocol: UDP
Source Port: 5353
Destination Port 5353
Action: REJECT

It’s not specifically targeted at multicast 224.0.0.251, but it captures it through this one, and given it’s specific to source/destination ports, it shouldn’t drop other traffic hopefully.