Remove internal broadcast entries from firewall logs

First of all, I want to thank the IPFire development team for this wonderful software. :hugs:

My first installation was flawless, and I use an old small laptop as the IPFire device. I live in a huge old building with 170 apartments, that has a small computer room at the end of a fiber optic connection.

No problems with the IPFire setup and operation (thank you again), but two days later when I went to check the

[Screenshot: FW-1]

I found that 4 internal network devices of the provider were broadcasting endlessly in the internal network of the building, giving me about 5000 entries like these per day. :exploding_head:

[Screenshot: FW-2]
[Screenshot: FW-3]

This is how I filtered these entries out, because we want to see (and clearly see) only the important things in firewall log.

A rule was carefully created for each of the 4 entries, as seen below. (See the green boxes.)

and…

After applying the changes, the new rule is listed on the firewall rules page and looks like this.

It works flawlessly, I checked it for a month. :grinning:

I hope this will help many others to enjoy clean and meaningful firewall logs. :saluting_face:


PS. Before you try it, read Bernhard’s answer below. :wink:



1 Like

Your rule rejects all BOOTP replies from the gateway to IPFire. This means DHCP type RED interface isn’t possible. Is this ok?

2 Likes

Actually, the setup in our building is that each one of us has a specific IP, the number of the apartment.

I use the same static setup IP for the last 15 years, 10.99.1.xx , where xx is my apartment number. This is my red IP now.

Obviously you have a point there. :nerd_face:

1 Like

It makes me think there could be something wrong in IPF. Shouldn’t receiving a packet on port 68 from 67 be a response to a DHCPDISCOVER? If IPF has a static IP, why is it sending out DHCPDISCOVER packets?

Nick, I think these queries (that the gateway/dhcp server replies to) are sent by the other 169 of the 170 apartments of the building.

If anyone understands this better than me, they can comment. (Most probably IPFire operates properly…) :slightly_smiling_face:

2 Likes

The Wikipedia article Bootstrap Protocol says:

BOOTP is implemented using the User Datagram Protocol (UDP) for transport. Port number 67 is used by the server for receiving client requests, and port number 68 is used by the client for receiving server responses. BOOTP operates only on IPv4 networks.

You could always run tcpdump to monitor ports 67 and 68 to see what the traffic really is.

1 Like
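As an added example (not code from this thread or from IPFire), a small parser for the firewall log lines discussed in the first post: it counts the UDP 67→68 entries per sender and separates broadcast offers from replies addressed to the firewall's own RED address, which is the case Bernhard's reply warns a blanket rule would also hide. The sample lines, hostnames and addresses are constructed, and the code assumes IPFire writes the standard netfilter LOG format (KEY=VALUE fields after "kernel:").

```python
import re
from collections import Counter

# Constructed sample lines in the standard netfilter LOG format
# (hostname, timestamps, MACs and addresses are made up for this example).
SAMPLE_LOG = """\
Mar  3 10:00:01 ipfire kernel: DROP_INPUT IN=red0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:11:22:33:44:01:08:00 SRC=10.99.0.1 DST=255.255.255.255 LEN=328 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=67 DPT=68 LEN=308
Mar  3 10:00:02 ipfire kernel: DROP_INPUT IN=red0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:11:22:33:44:02:08:00 SRC=10.99.0.2 DST=255.255.255.255 LEN=328 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=67 DPT=68 LEN=308
Mar  3 10:00:03 ipfire kernel: DROP_INPUT IN=red0 OUT= MAC=00:aa:bb:cc:dd:ee:00:11:22:33:44:01:08:00 SRC=10.99.0.1 DST=10.99.1.42 LEN=328 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=67 DPT=68 LEN=308
Mar  3 10:00:04 ipfire kernel: DROP_INPUT IN=red0 OUT= MAC=00:aa:bb:cc:dd:ee:00:11:22:33:44:99:08:00 SRC=203.0.113.7 DST=10.99.1.42 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=44321 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0
Mar  3 10:00:05 ipfire kernel: DROP_INPUT IN=red0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:11:22:33:44:01:08:00 SRC=10.99.0.1 DST=255.255.255.255 LEN=328 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=67 DPT=68 LEN=308
"""

FIELD_RE = re.compile(r"(\w+)=(\S*)")

def parse_line(line):
    """Return the KEY=VALUE fields of one firewall log line as a dict, or None for other syslog lines."""
    if "kernel:" not in line or "IN=" not in line:
        return None
    return dict(FIELD_RE.findall(line))

def classify(fields):
    """Label an entry: BOOTP server->client traffic is 'dhcp-broadcast' or 'dhcp-unicast', else 'other'."""
    if fields.get("PROTO") == "UDP" and fields.get("SPT") == "67" and fields.get("DPT") == "68":
        return "dhcp-broadcast" if fields.get("DST") == "255.255.255.255" else "dhcp-unicast"
    return "other"

def summarize(log_text):
    """Count entries per (source address, class) so the noisy BOOTP senders stand out."""
    counts = Counter()
    for line in log_text.splitlines():
        fields = parse_line(line)
        if fields:
            counts[(fields.get("SRC"), classify(fields))] += 1
    return counts

def rule_impact(log_text, red_ip):
    """Split what a blanket 'drop UDP 67->68' rule would hide into (broadcast noise, replies to RED itself)."""
    noise = to_red = 0
    for line in log_text.splitlines():
        fields = parse_line(line)
        if fields and classify(fields) != "other":
            if fields.get("DST") == red_ip:
                to_red += 1   # a DHCP reply for IPFire's own client would be hidden too
            else:
                noise += 1
    return noise, to_red

if __name__ == "__main__":
    for (src, kind), n in sorted(summarize(SAMPLE_LOG).items()):
        print(f"{src:16} {kind:15} {n}")
    print("rule would hide (noise, replies to RED):", rule_impact(SAMPLE_LOG, "10.99.1.42"))
```

Run it against a real /var/log/messages extract (read the file instead of SAMPLE_LOG) before writing a suppression rule; a non-zero second number in rule_impact means the rule would also hide replies meant for the firewall itself.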

I found an excellent article on tcpdump

How to Use tcpdump to Capture and Analyze Network Traffic

I could try some things (when I have time. :slightly_frowning_face: )