Feature #16700
Feature Request: Auto-Block Spoofed Source IPv6 Prefix for GIF Tunnels
Status: open
Description
Summary
Automatically add the assigned IPv6 prefix of a GIF tunnel interface (e.g., Hurricane Electric Tunnel Broker) to the default ingress block list to prevent source address spoofing, consistent with existing IPv4 static address behavior.
Current Behavior
When an IPv4 interface is configured with a static address, pfSense automatically adds an anti-spoofing rule to the pf ruleset that blocks inbound traffic claiming to originate from the locally assigned IP. This protects against spoofed source addresses on that interface.
This automatic anti-spoofing behavior is not implemented for GIF tunnel interfaces. When a GIF tunnel is configured (for example, using Hurricane Electric Tunnel Broker or a similar IPv6-in-IPv4 tunnel), the assigned IPv6 prefix is not automatically added to the ingress block list.
Expected Behavior
When a GIF tunnel interface is configured with an assigned IPv6 prefix, pfSense should automatically generate a pf access control rule that blocks inbound traffic on that interface with a source address matching the tunnel's own assigned IPv6 prefix block. This is the same anti-spoofing protection that is already applied automatically for static IPv4 interfaces.
Steps to Reproduce
- Configure a GIF tunnel interface in pfSense (e.g., Hurricane Electric Tunnel Broker).
- Assign the delegated IPv6 prefix to the tunnel interface.
- Review the auto-generated pf rules.
- Observe that no anti-spoofing block rule exists for the assigned IPv6 prefix on the GIF tunnel interface, unlike the equivalent IPv4 static interface behavior.
Extend the existing automatic anti-spoofing rule generation logic to include GIF tunnel interfaces. Specifically:
- Detect when a GIF tunnel interface has an assigned IPv6 prefix.
- Automatically insert a pf block rule for inbound traffic on that interface where the source address falls within the tunnel's own assigned IPv6 prefix.
- This should mirror the existing behavior for static IPv4 interfaces and require no manual user configuration.
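As an added example (not pfSense's own filter.inc code), the following Python sketch generates the pf rules proposed above and checks which inbound sources they would catch. The interface name and prefixes are constructed from the RFC 3849 documentation range, and the split between the tunnel's own endpoint address and its routed prefix is an assumption made here so the broker's side of the point-to-point link stays reachable.

```python
import ipaddress

# Constructed sample interface, not a real assignment: 'gif0' carries a
# point-to-point /64 (local side ::2, broker side ::1) and a routed /48,
# both from the RFC 3849 documentation range.
GIF_IF = "gif0"
GIF_LOCAL_ADDRS = ["2001:db8:a:1::2/64"]
GIF_ROUTED_PREFIXES = ["2001:db8:b::/48"]


def antispoof_rules(ifname, local_addrs, routed_prefixes):
    """Return pf 'block in quick' rules for traffic arriving on *ifname* that
    claims a source address the tunnel itself owns."""
    rules = []
    # Tunnel endpoint: mirror the IPv4 behaviour and block only the locally
    # assigned address.  Blocking the whole point-to-point /64 would also drop
    # legitimate packets (ICMPv6, PMTUD) sent by the broker's side of the link.
    for a in local_addrs:
        ip = ipaddress.ip_interface(a).ip  # strip any /len suffix, keep the host
        af = "inet6" if ip.version == 6 else "inet"
        rules.append(f"block in quick on {ifname} {af} from {ip} to any")
    # Routed prefix: it exists only behind this firewall, so no legitimate packet
    # can enter through the tunnel with a source inside it; block the whole block.
    for p in routed_prefixes:
        net = ipaddress.ip_network(p, strict=False)  # canonicalise host bits away
        af = "inet6" if net.version == 6 else "inet"
        rules.append(f"block in quick on {ifname} {af} from {net.with_prefixlen} to any")
    return rules


def is_spoofed(src, local_addrs, routed_prefixes):
    """True if *src*, seen inbound on the tunnel, would hit one of those rules."""
    addr = ipaddress.ip_address(src)
    if any(addr == ipaddress.ip_interface(a).ip for a in local_addrs):
        return True
    return any(addr in ipaddress.ip_network(p, strict=False) for p in routed_prefixes)


if __name__ == "__main__":
    for rule in antispoof_rules(GIF_IF, GIF_LOCAL_ADDRS, GIF_ROUTED_PREFIXES):
        print(rule)
```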
Impact
Without this rule, traffic entering the WAN via a GIF tunnel could spoof a source address belonging to the tunnel's own IPv6 prefix, bypassing ingress filtering. This is a well-known attack vector addressed in RFC 2827 (Network Ingress Filtering). The fix brings GIF tunnel behavior into parity with existing IPv4 anti-spoofing protections.
- pfSense Plus / pfSense CE
- GIF tunnel interface (e.g., Hurricane Electric Tunnel Broker)
- IPv6 prefix assigned via tunnel broker
- RFC 2827 – Network Ingress Filtering: Defeating Denial of Service Attacks
- Existing pfSense IPv4 static interface anti-spoofing behavior