Project

General

Profile

Actions

Bug #11572

open

Auto created firewall rules have IPv4 as protocol only - even for IPv6 lists.

Added by Dave Tickem 5 months ago. Updated 5 months ago.

Status:
New
Priority:
High
Assignee:
-
Category:
pfBlockerNG
Target version:
-
Start date:
02/28/2021
Due date:
% Done:

0%

Estimated time:
Plus Target Version:
Affected Version:
Affected Plus Version:
Affected Architecture:
All

Description

Using any IPv6 list in pfblocker-ng "IPv6 settings" tab results in a firewall rule with the protocol set to IPv4. This results in IPv6 traffic being passed that should be blocked by the pfblocker list rule.

Suggestion: Change auto-created rule for "IPv6" pfblocker-ng entries to IPv6..

Steps to reproduce:

  • vanilla pfSense install 2.5.0 x86_64. WAN/LAN only.
  • install pfblocker (2.1.4_24)
  • enable pfblockerng

Firewall / pfBlockerNG / IPv6 :

  • add an IPv6 list - for example https : //www.spamhaus.org/drop/dropv6.txt
  • Set list action to "deny both"
  • force update of pfblocker
  • Examine LAN firewall rules - note auto rule created, with protocol of IPv4.
Actions #1

Updated by BBcan177 . 5 months ago

Please update to pfBlockerNG-devel, as pfBlockerNG is not receiving many updates. This issue is resolved in devel.

Actions #2

Updated by Dave Tickem 5 months ago

Confirmed - created as an IPv6 rule in beta. Just means that all those out there using the "release" version are at risk of assuming IPv6 lists are providing benefit, when they are not.

Is there an ETA for devel -> Stable? If it's a fair way off, then perhaps is a better security decision to fix this in current as well?

Actions #3

Updated by BBcan177 . 5 months ago

There are a couple items to iron out in devel, so don't think too long.

Actions #4

Updated by Viktor Gurov 5 months ago

  • Target version deleted (2.5.1)
  • Affected Version deleted (2.5.0)
Actions

Also available in: Atom PDF