Bug #11572

Auto created firewall rules have IPv4 as protocol only - even for IPv6 lists.

Added by Dave Tickem about 2 months ago. Updated about 1 month ago.

Status: New
Priority: High
Assignee: -
Category: pfBlockerNG
Target version: -
Start date: 02/28/2021
Due date:
% Done: 0%
Estimated time:
Affected Version:
Affected Architecture: All

Description

Using any IPv6 list in pfblocker-ng "IPv6 settings" tab results in a firewall rule with the protocol set to IPv4. This results in IPv6 traffic being passed that should be blocked by the pfblocker list rule.

Suggestion: Change auto-created rule for "IPv6" pfblocker-ng entries to IPv6.

Steps to reproduce:

  • vanilla pfSense install 2.5.0 x86_64. WAN/LAN only.
  • install pfblocker (2.1.4_24)
  • enable pfblockerng

Firewall / pfBlockerNG / IPv6 :

  • add an IPv6 list - for example https://www.spamhaus.org/drop/dropv6.txt
  • Set list action to "deny both"
  • force update of pfblocker
  • Examine LAN firewall rules - note auto rule created, with protocol of IPv4.
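
One way to audit a configuration for the mismatch described above, as an added example that is not part of the original report or of pfBlockerNG: it compares each rule's address family with the families actually present in the alias the rule references. The sample XML layout, the alias names and the list entries are constructed for illustration, and the element names (`filter/rule`, `ipprotocol`, `source`/`destination` `address`, `descr`) are assumed to match a pfSense `config.xml` export.

```python
import ipaddress
import xml.etree.ElementTree as ET

# Address families covered by each pfSense <ipprotocol> value.
COVERS = {"inet": {4}, "inet6": {6}, "inet46": {4, 6}}

def alias_families(entries):
    """Return the IP versions (4 and/or 6) present in a block list's entries."""
    families = set()
    for line in entries:
        token = line.split(";")[0].strip()  # text after ';' is a list comment
        if token:
            families.add(ipaddress.ip_network(token, strict=False).version)
    return families

def family_mismatches(config_xml, alias_entries):
    """List rules whose ipprotocol leaves part of the referenced alias unenforced."""
    findings = []
    for rule in ET.fromstring(config_xml).iterfind("./filter/rule"):
        # Assumption: a rule without <ipprotocol> is treated as IPv4 only.
        proto = rule.findtext("ipprotocol", default="inet")
        for side in ("source", "destination"):
            alias = rule.findtext(f"{side}/address")
            if alias in alias_entries:
                missed = alias_families(alias_entries[alias]) - COVERS.get(proto, set())
                if missed:
                    findings.append((rule.findtext("descr", ""), alias, proto, sorted(missed)))
    return findings

# Constructed sample: hypothetical alias names, documentation address ranges.
SAMPLE_CONFIG = """<pfsense><filter>
  <rule><type>block</type><interface>lan</interface><ipprotocol>inet</ipprotocol>
    <destination><address>pfB_DROPv6</address></destination>
    <descr>pfB_DROPv6 auto rule</descr></rule>
  <rule><type>block</type><interface>lan</interface><ipprotocol>inet6</ipprotocol>
    <destination><address>pfB_Other6</address></destination>
    <descr>pfB_Other6 auto rule</descr></rule>
  <rule><type>block</type><interface>lan</interface><ipprotocol>inet</ipprotocol>
    <destination><address>pfB_DROPv4</address></destination>
    <descr>pfB_DROPv4 auto rule</descr></rule>
</filter></pfsense>"""
SAMPLE_ALIASES = {
    "pfB_DROPv6": ["; constructed header", "2001:db8:a::/48 ; note", "2001:db8:b::/48"],
    "pfB_Other6": ["2001:db8:c::/48"],
    "pfB_DROPv4": ["192.0.2.0/24", "198.51.100.0/24"],
}

if __name__ == "__main__":
    for descr, alias, proto, missed in family_mismatches(SAMPLE_CONFIG, SAMPLE_ALIASES):
        print(f"{descr}: ipprotocol={proto} does not cover IPv{missed} in {alias}")
```

A finding means the rule exists and looks correct in the rule list, but traffic in the listed family never matches it.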

History

#1 Updated by BBcan177 . about 2 months ago

Please update to pfBlockerNG-devel, as pfBlockerNG is not receiving many updates. This issue is resolved in devel.

#2 Updated by Dave Tickem about 2 months ago

Confirmed - created as an IPv6 rule in beta. Just means that all those out there using the "release" version are at risk of assuming IPv6 lists are providing benefit, when they are not.

Is there an ETA for devel -> Stable? If it's a fair way off, then perhaps it is a better security decision to fix this in current as well?

#3 Updated by BBcan177 . about 2 months ago

There are a couple items to iron out in devel, so don't think too long.

#4 Updated by Viktor Gurov about 1 month ago

  • Target version deleted (2.5.1)
  • Affected Version deleted (2.5.0)
