Topic: ICMPv6 incorrectly blocked by default rule

cyberzeus
ICMPv6 incorrectly blocked by default rule
« on: December 29, 2017, 08:32:34 pm »
I have configured block all-IPv6 rules at the bottom of the 3 FW rule sections: Floating, WAN, & LAN.  All three rules are all-encompassing, meaning they match ANY source, ANY destination, and ANY protocol.  And finally, all are set to NOT log hits.

Despite this, I still see a bunch of log entries for blocked ICMPv6 traffic on both the WAN & LAN interfaces due to the implicit block rule.  I believe it is the implicit rule because (1) if I disable the logging of hits to implicit block rules, the log entries stop; (2) the rule name shown in the log is not one of the names I entered in my explicit rules; and (3) the little torso icon is NOT present in these log entries.

To confirm this, I then added new block rules on both the WAN & LAN interfaces that specifically target ICMPv6(any) - no joy...the log entries persist on both interfaces.

I really want to keep the log for default rule hits as this is a good trap to discover any potential rule leakage.  And while the logging part of this isn't really a biggie, I do wonder why the FW appears to not be blocking traffic as it should be.

Couple of final points: (a) The rule ID for both LAN & WAN log entries is the same; (b) the only rule that shows any evaluations is the block all-v6 floating rule - all other block v6 rules show no evaluations at all.

Let me know your thoughts - thanks.
« Last Edit: December 29, 2017, 08:38:44 pm by cyberzeus »

jimp
Re: ICMPv6 incorrectly blocked by default rule
« Reply #1 on: January 03, 2018, 02:23:12 pm »
That isn't the default IPv6 block, it's the "Block all IPv6" rule controlled by the master IPv6 on/off switch.

System > Advanced, Networking tab, check "Allow IPv6" and then your rules will be respected.

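Why the explicit rules in the first post never matched, as an added sketch that is not part of the original thread and is not pfSense code: a toy pf-style evaluator over a constructed ruleset. The rule ordering, the `quick` flags, the "Default deny rule IPv6" entry and the user-rule labels are assumptions for illustration; only the "Block all IPv6" rule and the "Allow IPv6" switch come from the reply above.

```python
from dataclasses import dataclass

@dataclass
class Rule:
    action: str          # "block" or "pass"
    proto: str           # IPv6 protocol to match, or "any"
    label: str           # name shown in the firewall log
    quick: bool = True   # a matching quick rule ends evaluation
    log: bool = False

# Constructed user rules modelled on the first post: explicit, non-logging blocks.
USER_RULES = [
    Rule("block", "ipv6-icmp", "user: block ICMPv6"),
    Rule("block", "any", "user: block all IPv6"),
]

def build_ruleset(allow_ipv6, user_rules):
    """Assumed ordering: system rules first, then the user's rules."""
    rules = [Rule("block", "any", "Default deny rule IPv6", quick=False, log=True)]
    if not allow_ipv6:
        # The rule behind the System > Advanced > Networking "Allow IPv6" switch.
        rules.append(Rule("block", "any", "Block all IPv6", quick=True, log=True))
    return rules + list(user_rules)

def deciding_rule(rules, proto):
    """pf semantics: the last matching rule wins unless a quick rule matches first."""
    verdict = None
    for rule in rules:
        if rule.proto in ("any", proto):
            verdict = rule
            if rule.quick:
                break
    return verdict

def explain(allow_ipv6, proto="ipv6-icmp"):
    """Return (label, logged) of the rule that decides an IPv6 packet."""
    rule = deciding_rule(build_ruleset(allow_ipv6, USER_RULES), proto)
    return rule.label, rule.log

if __name__ == "__main__":
    for switch in (False, True):
        label, logged = explain(switch)
        print(f"Allow IPv6={switch}: decided by {label!r}, logged={logged}")
```

With the switch off, the logging system rule decides every IPv6 packet before any user rule is reached, which matches the log entries that carried none of the user-defined rule names.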

cyberzeus
Re: ICMPv6 incorrectly blocked by default rule
« Reply #2 on: January 03, 2018, 02:31:34 pm »
@jimp - that did it - many thanks.

Also, is there any way to have that ipv6-master switch not log traffic?