Firewall logs spam from ISP modem

Hi. My firewall has these lines spammed, coming from my ISP modem.

What is this about?

It looks like QoS, which I don't know much about, but I don't have any QoS option enabled there (as far as GUI options go).

reject wan in: IN=wan OUT= MAC=ff SRC=192.168.1.1 DST=192.168.1.255 LEN=90 TOS=0x18 PREC=0xA0 TTL=64 ID=58071 DF PROTO=UDP SPT=9431 DPT=9431 LEN=70

Is there an option to limit log flood on fw4 like there was on fw3?

https://openwrt.org/docs/guide-user/firewall/fw3_configurations/fw3_traffic_logging

option log_limit '10/second'

gives

Section @zone[1] (wan) option 'log_limit' is not supported by fw4

What is in

ubus call system board
cat /etc/config/firewall
~# ubus call system board
{
        "kernel": "5.15.162",
        "hostname": "modem1",
        "system": "ARMv8 Processor rev 4",
        "model": "Linksys E8450 (UBI)",
        "board_name": "linksys,e8450-ubi",
        "rootfs_type": "squashfs",
        "release": {
                "distribution": "OpenWrt",
                "version": "23.05.4",
                "revision": "r24012-d8dd03c46f",
                "target": "mediatek/mt7622",
                "description": "OpenWrt 23.05.4 r24012-d8dd03c46f"
        }
}
~# cat /etc/config/firewall

config defaults
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option synflood_protect '1'
        option drop_invalid '1'
        option flow_offloading '1'
        option flow_offloading_hw '1'

config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'lan'
        list network 'wg1'

config zone
        option name 'wan'
        list network 'wan'
        list network 'wan6'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'
        option log '1'
        option log_limit '10/second'
config forwarding
        option src 'lan'
        option dest 'wan'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

config zone 'guest'
        option name 'guest'
        option network 'guest'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'

config forwarding 'guest_wan'
        option src 'guest'
        option dest 'wan'

config rule 'guest_dns'
        option name 'Allow-DNS-Guest'
        option src 'guest'
        option dest_port '53'
        option proto 'tcp udp'
        option target 'ACCEPT'

config rule 'guest_dhcp'
        option name 'Allow-DHCP-Guest'
        option src 'guest'
        option dest_port '67'
        option proto 'udp'
        option family 'ipv4'
        option target 'ACCEPT'

[I see you merged the two messages; they were slightly related but not the same "problem"... I mean, the modem is not spamming to the point that I want to filter the messages. I just like to have log limits so as not to DoS my log server... and while setting it up I saw this message I don't understand, fired about 0.5/sec]
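The log line from the first post, parsed and rate-limited on the collector side, as an added example (not code from this thread or from OpenWrt): it splits the fw4 "reject wan in:" line into fields, checks whether DST is a subnet broadcast, and caps repeated flows the way fw4's log_limit would. It assumes a /24 on the modem side, a line without the logread timestamp prefix, and a constructed sample log.

```python
import re
import ipaddress
from collections import Counter
# Constructed sample: the fw4 line from the thread repeated with fresh IP IDs (the ~0.5/sec
# broadcast), plus one unrelated rejected TCP probe from a documentation-range address.
ISM_LINE = ("reject wan in: IN=wan OUT= MAC=ff SRC=192.168.1.1 DST=192.168.1.255 LEN=90 TOS=0x18 "
            "PREC=0xA0 TTL=64 ID={} DF PROTO=UDP SPT=9431 DPT=9431 LEN=70")
SAMPLE_LOG = [ISM_LINE.format(58071 + i) for i in range(20)] + [
    "reject wan in: IN=wan OUT= MAC=ff SRC=203.0.113.7 DST=192.0.2.10 LEN=60 TOS=0x00 "
    "PREC=0x00 TTL=52 ID=1 DF PROTO=TCP SPT=44321 DPT=22 WINDOW=64240 RES=0x00 SYN URGP=0",
]

PREFIX_RE = re.compile(r"^(?P<verdict>\w+) (?P<zone>\w+) (?P<dir>\w+): (?P<rest>.*)$")

def parse_fw4_line(line):
    """Parse one fw4 kernel log line into a dict (None if the line is not one). KEY=VALUE tokens
    become fields, bare tokens (DF, SYN) become True; the second LEN (L4 length) is kept as LEN2."""
    m = PREFIX_RE.match(line)
    if not m:
        return None
    fields = {"verdict": m["verdict"], "zone": m["zone"], "dir": m["dir"]}
    for tok in m["rest"].split():
        if "=" in tok:
            k, v = tok.split("=", 1)
            fields[k if k not in fields else k + "2"] = v
        else:
            fields[tok] = True
    return fields

def is_directed_broadcast(f, prefix_len=24):
    """True if DST is the broadcast address of its subnet (assumes a /24 on the modem side)."""
    net = ipaddress.ip_network(f"{f['DST']}/{prefix_len}", strict=False)
    return ipaddress.ip_address(f["DST"]) == net.broadcast_address

def squelch(lines, max_per_flow=5):
    """Collector-side stand-in for log_limit: keep max_per_flow lines per flow, then one summary."""
    seen, dropped, out = Counter(), Counter(), []
    for line in lines:
        f = parse_fw4_line(line)
        if f is None:
            continue
        key = (f["SRC"], f["DST"], f.get("PROTO"), f.get("DPT"))
        seen[key] += 1
        if seen[key] <= max_per_flow:
            out.append(line)
        else:
            dropped[key] += 1
    for (src, dst, proto, dport), n in dropped.items():
        out.append(f"suppressed {n} further lines for {proto} {src} -> {dst}:{dport}")
    return out
```

A broadcast destination from the modem's own address, as here, is the signature of local discovery chatter rather than a targeted probe, which is why the flow-level summary loses nothing worth keeping.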

Just disable logging; you enabled it. Examine those packets with Wireshark, and ask your provider for an explanation.

2 Likes

This is a little too hardcore of a solution :slight_smile:

Any idea about the log_limit option mentioned on the wiki? (Which is not really related to this particular message.)

Show PCAP file first.

log_limit is not available in 23.05, only in snapshots or 24.10.

2 Likes

About the UDP flood from the ISP modem,

the UDP stream is:

ism://192.168.1.1:9431/?nameGateway=swan&sslMthd=none#Ver=2.1.ism://192.168.1.1:9431/?nameGateway=swan&sslMthd=none#Ver=2.1.ism://192.168.1.1:9431/?nameGateway=swan&sslMthd=none#Ver=2.1.ism://192.168.1.1:9431/?nameGateway=swan&sslMthd=none#Ver=2.1.ism://192.168.1.1:9431/?nameGateway=swan&sslMthd=none#Ver=2.1.

Looks like the router is calling other routers to form a mesh. Since the origin is not OpenWrt, you have to ask whoever gave you that device.

1 Like

Thank you! I figured it was something along those lines but couldn't find anything on that specific port.

Looks like UDP HTTP, along the lines of CUPS discovery and UPnP, if you want to research further.

Or better, disable all its wits and smarts and make it a pass-through with the public IP on OpenWrt.

1 Like

I assumed all those things (SSDP, UPnP, etc.) all used udp:1900. I cannot find port 9431 mentioned anywhere (I went all the way to the Windows ME whitepaper pile).