Bug #10886 (closed)

NAT64 allows bypassing the pfBlockerNG IPv4 feed list

Added by Viktor Gurov about 4 years ago. Updated about 4 years ago.

Status: Closed
Priority: Normal
Assignee: -
Category: pfBlockerNG
Target version: -
Start date: 09/09/2020
Due date:
% Done: 0%
Estimated time:
Plus Target Version:
Affected Version:
Affected Plus Version:
Affected Architecture:

Description

If NAT64 is used, the firewall first evaluates the rules and only then translates IPv6 to IPv4.
In this case, if IPv4 feeds are used, they can easily be bypassed by using the NAT64 representation of the address.

Example:
The pfBlockerNG PRI1 feed contains the address 1.1.1.1;
a user can bypass it using the NAT64 representation of that address: 64:ff9b::0101:0101

Solution:
Add global pfBlockerNG options:
'Convert IPv4 addresses to NAT64 representations' - checkbox
'NAT64 prefix' - default prefix 64:ff9b::/96

NAT64 feature: #2358

See also ipfw(8):

net.inet.ip.fw.nat64_direct_output: 0
        Controls the output method used by ipfw_nat64 module:

        0    A packet is handled by ipfw twice. First time an original
             packet is handled by ipfw and consumed by ipfw_nat64
             translator. Then translated packet is queued via netisr
             to input processing again.

        1    A packet is handled by ipfw only once, and after translation
             it will be pushed directly to outgoing interface.
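As an added illustration of the bypass and of the proposed conversion option (example code written for this page, not part of the bug report or of pfBlockerNG), the Python below maps IPv4 feed entries into a /96 NAT64 prefix and shows that a NAT64-embedded destination only matches the feed once the converted entries are present. The sample feed and the function names are constructed for the example.

```python
import ipaddress

# RFC 6052 well-known prefix; the report proposes it as the default 'NAT64 prefix' option.
NAT64_PREFIX = ipaddress.IPv6Network("64:ff9b::/96")

# Constructed stand-in for an IPv4 feed: the report's PRI1 example host plus a /24 block.
SAMPLE_FEED = ["1.1.1.1", "203.0.113.0/24"]

def ipv4_to_nat64(entry, prefix=NAT64_PREFIX):
    """Map an IPv4 host or CIDR feed entry to its NAT64 representation under a /96 prefix.
    Block size is preserved: a /24 becomes a /120, a single host a /128."""
    if prefix.prefixlen != 96:
        raise ValueError("NAT64 prefix must be /96 to embed a 32-bit IPv4 address")
    v4 = ipaddress.IPv4Network(entry, strict=False)
    embedded = int(prefix.network_address) | int(v4.network_address)
    return ipaddress.IPv6Network((embedded, 96 + v4.prefixlen))

def nat64_to_ipv4(addr, prefix=NAT64_PREFIX):
    """Return the IPv4 address embedded in a NAT64 IPv6 address, or None if addr is not NAT64."""
    v6 = ipaddress.IPv6Address(addr)
    if v6 not in prefix:
        return None
    return ipaddress.IPv4Address(int(v6) & 0xFFFFFFFF)

def expand_feed(entries, prefix=NAT64_PREFIX):
    """The proposed 'Convert IPv4 addresses to NAT64 representations' behaviour:
    every IPv4 entry is kept and its NAT64 twin is appended."""
    nets = []
    for e in entries:
        nets.append(ipaddress.ip_network(e, strict=False))
        nets.append(ipv4_to_nat64(e, prefix))
    return nets

def feed_blocks(dst, entries, nat64_aware):
    """Does the feed match dst? With nat64_aware=False the IPv4 entries are matched as-is,
    which is the situation the report describes (rules are evaluated before translation)."""
    if nat64_aware:
        nets = expand_feed(entries)
    else:
        nets = [ipaddress.ip_network(e, strict=False) for e in entries]
    target = ipaddress.ip_address(dst)
    # An IPv4 address is never "in" an IPv6 network and vice versa, so no cross-family match.
    return any(target in n for n in nets)

if __name__ == "__main__":
    for dst in ("1.1.1.1", "64:ff9b::0101:0101", "64:ff9b::cb00:7105"):
        print(dst, "IPv4 feed only:", feed_blocks(dst, SAMPLE_FEED, False),
              "with NAT64 entries:", feed_blocks(dst, SAMPLE_FEED, True))
```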
