Auto-created firewall rules have IPv4 as protocol only - even for IPv6 lists.
Using any IPv6 list in the pfBlockerNG "IPv6" settings tab results in a firewall rule with the protocol set to IPv4. As a result, IPv6 traffic that should be blocked by the pfBlockerNG list rule is passed.
Suggestion: Change the auto-created rule for "IPv6" pfBlockerNG entries to IPv6.
Steps to reproduce:
- vanilla pfSense install 2.5.0 x86_64. WAN/LAN only.
- install pfblocker (2.1.4_24)
- enable pfblockerng
Firewall / pfBlockerNG / IPv6 :
- add an IPv6 list - for example https://www.spamhaus.org/drop/dropv6.txt
- Set list action to "deny both"
- force update of pfblocker
- Examine LAN firewall rules - note auto rule created, with protocol of IPv4.
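A quick way to verify the behaviour in the steps above without reading the rules page by hand is to compare the address family pf applied to each auto rule with the contents of the table it references. The script below is an added example and is not part of this report or of pfBlockerNG. It assumes that `pfctl -sr` prints the rule's address family as the word `inet` or `inet6` and the pfBlockerNG alias as `<table>`, and that `pfctl -t TABLE -T show` lists the table members; the sample rule lines and table contents embedded here are constructed so it runs offline.

```shell
#!/bin/sh
# Added example, not from the bug report or pfBlockerNG.
# Flags pf rules that reference a table containing IPv6 addresses
# but are limited to the IPv4 address family ("inet").
#
# On a live pfSense box you would use real data instead of the samples:
#   pfctl -sr | find_family_mismatches          # rules
#   pfctl -t "$table" -T show                   # table members

# Constructed sample: an approximation of what `pfctl -sr` prints for
# three pfBlockerNG auto rules. The first is the buggy case: an IPv6
# table attached to an IPv4-only rule.
SAMPLE_RULES='block drop in quick on em1 inet from <pfB_DROPv6> to any label "USER_RULE: pfB_DROPv6 auto rule"
block drop in quick on em1 inet6 from <pfB_DROPv6_ok> to any label "USER_RULE: pfB_DROPv6_ok auto rule"
block drop in quick on em1 inet from <pfB_DROPv4> to any label "USER_RULE: pfB_DROPv4 auto rule"'

# Constructed sample table contents, keyed by table name.
# Replace the body with `pfctl -t "$1" -T show` on a real system.
table_members() {
  case "$1" in
    pfB_DROPv6|pfB_DROPv6_ok) printf '%s\n' '2001:db8::/32' '2001:db8:1::/48' ;;
    pfB_DROPv4) printf '%s\n' '192.0.2.0/24' '198.51.100.0/24' ;;
    *) return 1 ;;
  esac
}

# Succeeds if the table holds at least one IPv6 entry (contains ':').
table_has_ipv6() {
  table_members "$1" | grep -q ':'
}

# Reads rules on stdin; prints "TABLE FAMILY" for every rule whose
# table has IPv6 members but whose family is inet (IPv4 only).
# Note: only the last <table> on a line is examined, which is enough
# for pfBlockerNG auto rules that reference a single alias.
find_family_mismatches() {
  while IFS= read -r rule; do
    table=$(printf '%s\n' "$rule" | sed -n 's/.*<\([^>]*\)>.*/\1/p')
    [ -n "$table" ] || continue
    case " $rule " in
      *" inet6 "*) family=inet6 ;;
      *" inet "*)  family=inet ;;
      *) continue ;;
    esac
    if [ "$family" = inet ] && table_has_ipv6 "$table"; then
      printf '%s %s\n' "$table" "$family"
    fi
  done
}

# Convenience wrapper over the constructed sample: number of bad rules.
count_mismatches() {
  printf '%s\n' "$SAMPLE_RULES" | find_family_mismatches | wc -l | tr -d ' '
}

# Stand-alone run against the sample: reports the pfB_DROPv6 rule only.
printf '%s\n' "$SAMPLE_RULES" | find_family_mismatches
```

A non-empty result means IPv6 traffic matching that table is not being evaluated by the rule at all, which is the failure the report describes; an empty result means every IPv6-populated table is attached to an `inet6` rule.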
Updated by Dave Tickem 8 months ago
Confirmed - created as an IPv6 rule in beta. Just means that all those out there using the "release" version are at risk of assuming IPv6 lists are providing benefit, when they are not.
Is there an ETA for devel -> Stable? If it's a fair way off, then perhaps it is a better security decision to fix this in current as well?