pfSense Forum

pfSense English Support => General Questions => Topic started by: cyberzeus on December 29, 2017, 08:32:34 pm

Title: ICMPv6 incorrectly blocked by default rule
Post by: cyberzeus on December 29, 2017, 08:32:34 pm
I have configured block all-IPv6 rules at the bottom of the 3 FW rule sections: Floating, WAN, & LAN.  All three rules are all-encompassing, meaning they match ANY source, ANY destination, and ANY protocol.  And finally, all are set to NOT log hits.

Despite this, I still see a bunch of log entries for blocked ICMPv6 traffic on both the WAN & LAN interfaces due to the implicit block rule.  I believe it is the implicit rule because (1) if I disable the logging of hits to implicit block rules, the log entries stop; (2) the rule name shown in the log is not one of the names I entered in my explicit rules; and (3) the little torso icon is NOT present in these log entries.

To confirm this, I then added new block rules on both the WAN & LAN interfaces that specifically target ICMPv6 (any) - no joy... the log entries persist on both interfaces.

I really want to keep the log for default rule hits as this is a good trap to discover any potential rule leakage.  And while the logging part of this isn't really a biggie, I do wonder why the FW appears to not be blocking traffic as it should be.

Couple of final points: (a) The rule ID for both LAN & WAN log entries is the same; (b) the only rule that shows any evaluations is the block all-v6 floating rule - all other block v6 rules show no evaluations at all.

Let me know your thoughts - thanks.

Title: Re: ICMPv6 incorrectly blocked by default rule
Post by: jimp on January 03, 2018, 02:23:12 pm
That isn't the default IPv6 block, it's the "Block all IPv6" rule controlled by the master IPv6 on/off switch.

System > Advanced, Networking tab, check "Allow IPv6" and then your rules will be respected.
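
To confirm which loaded rule actually produced a log entry (rather than inferring it from the icon or the rule name), the rule number and tracker ID in a pfSense filterlog line can be matched against the loaded ruleset from `pfctl -vvsr`, where each rule is printed as `@N ... label "..." tracker T`. The script below is an added example, not code from the forum thread or from pfSense; the sample log line and ruleset excerpt are constructed, and the filterlog field layout (rulenr, subrulenr, anchor, tracker, interface, reason, action, direction, ipversion, ...), the `@N` numbering and the exact `Block all IPv6` label are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the thread or from pfSense): map a filterlog entry
# back to the pf rule that produced it, using a pfctl -vvsr dump.

# Constructed filterlog line. Assumed layout: rulenr,subrulenr,anchor,tracker,
# interface,reason,action,direction,ipversion,... (remaining fields omitted).
LOG_LINE='3,,,1000000003,em0,match,block,in,6,0x00,0x00000,255,ICMPv6,58,32,fe80::1,ff02::1'

# Constructed excerpt of `pfctl -vvsr`. Rule numbers, labels and tracker IDs
# are assumptions; on a real box capture this with: pfctl -vvsr > ruleset.txt
RULESET='@3 block drop in log quick inet6 all label "Block all IPv6" tracker 1000000003
@4 block drop out log quick inet6 all label "Block all IPv6" tracker 1000000004
@5 pass in quick on em1 inet6 proto ipv6-icmp all label "USER_RULE: allow ICMPv6" tracker 1514700000'

# field LINE N: print comma-separated field N of LINE (empty fields preserved).
field() {
  printf '%s\n' "$1" | cut -d, -f"$2"
}

# rule_label RULENR DUMP: print the label of rule @RULENR from a pfctl -vvsr dump.
rule_label() {
  rulenr=$1
  dump=$2
  printf '%s\n' "$dump" | awk -v n="@$rulenr" \
    '$1 == n { sub(/.*label "/, ""); sub(/".*/, ""); print }'
}

# is_master_ipv6_block RULENR DUMP: succeed (exit 0) if rule @RULENR is the
# "Block all IPv6" rule that pfSense generates while "Allow IPv6" is unchecked,
# i.e. a block that sits ahead of every user rule and is not a user rule at all.
is_master_ipv6_block() {
  case "$(rule_label "$1" "$2")" in
    "Block all IPv6") return 0 ;;
    *) return 1 ;;
  esac
}

# explain_block LOGLINE DUMP: one-line summary of which rule matched.
explain_block() {
  line=$1
  dump=$2
  rulenr=$(field "$line" 1)
  tracker=$(field "$line" 4)
  label=$(rule_label "$rulenr" "$dump")
  printf 'rule @%s tracker %s: %s\n' "$rulenr" "$tracker" "$label"
}

explain_block "$LOG_LINE" "$RULESET"
if is_master_ipv6_block "$(field "$LOG_LINE" 1)" "$RULESET"; then
  echo 'hit by the master "Allow IPv6" block; check System > Advanced > Networking'
fi
```

On a live firewall, replace the two constructed variables with a line from `/var/log/filter.log` and the output of `pfctl -vvsr`; a label that is neither one of your own rule names nor a default-deny rule is the tell that a generated rule, such as the one tied to the "Allow IPv6" switch, is evaluating ahead of the rules you wrote.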

Title: Re: ICMPv6 incorrectly blocked by default rule
Post by: cyberzeus on January 03, 2018, 02:31:34 pm
@jimp - that did it - many thanks.

Also, is there any way to have that ipv6-master switch not log traffic?