Bug #215

closed

allow IPv6 traffic not complete

Added by Beat Siegenthaler over 14 years ago. Updated over 14 years ago.

Status:
Closed
Priority:
Normal
Assignee:
-
Category:
Rules / NAT
Target version:
Start date:
12/09/2009
Due date:
% Done:

0%

Estimated time:
Plus Target Version:
Release Notes:
Affected Version:
1.2.3
Affected Architecture:

Description

If "allow IPv6 traffic" is unset, I see:
[1.2.3-RELEASE]
[]/root(24): pfctl -s all | grep inet6
block drop in quick inet6 all
block drop out quick inet6 all
block drop in on vr2 inet6 from fe80::20d:b9ff:xxxx:xxxx to any
block drop in on ath0 inet6 from fe80::280:48ff:xxxx:xxxx to any

If set:
[]/root(26): pfctl -s all | grep inet6
block drop in on vr2 inet6 from fe80::20d:b9ff:xxxx:xxxx to any
block drop in on ath0 inet6 from fe80::280:48ff:xxxx:xxxx to any
[1.2.3-RELEASE]

There are still v6 block rules.

Since ath0/WLAN is bridged to LAN, I see none of the expected router advertisements.
I set an any/any allow rule on WLAN, but it is still not a full L2 bridge.
Testing with a Cisco AP bridged to LAN, IPv6 is no problem.
It is not only a problem on a LAN/WLAN bridge; it is also between LAN/LAN.

I have no possibility to force an allow rule in the GUI.
Is there a quick workaround for this?
Also, the possibility to define a "non-filtered bridge" between two local interfaces could be a good idea.

Actions #1

Updated by Scott Ullrich over 14 years ago

  • Status changed from New to Closed

pfSense does not have IPV6 support.

Actions #2

Updated by Beat Siegenthaler over 14 years ago

Hey! Please not this way! I know that you do not like or support IPv6. But at least I deserve that you read and comment on my bug report. If you give an option to block/unblock IPv6, then it should work.
Maybe you should check your sponsors list BEFORE you drop me this way.

Actions #3

Updated by Chris Buechler over 14 years ago

hrm, my explanation earlier wasn't posted.

This isn't a legit bug report; inet6 only appears in our source code in 2 places, the block in/out rules, which do work properly. This has to be coming from a package somewhere; the "Allow IPv6" box works exactly as it should.

Actions #4

Updated by Beat Siegenthaler over 14 years ago

Chris Buechler wrote:

hrm, my explanation earlier wasn't posted.

the "Allow IPv6" box works exactly as it should.

It is not, really.
I am not a native English speaker; maybe I have to explain this in other words.

Ok, another try:

I set up a VM with 10 interfaces: 1 WAN, 1 LAN + 8 LAN bridged. This could be intended as a switch replacement. Every interface gets an inet6 block rule. From where? Yes, I agree that the default setting (block all) works as intended. But the opposite, the "allow" setting, is NOT usable.
Now, you (pfSense developers) do not have to care about "bad" IPv6 in my 9-port LAN segment. But in fact you block it. I say "Allow IPv6 traffic"; the only difference is the two lines in front.

$ pfctl -s all | grep inet6
block drop in quick inet6 all
block drop out quick inet6 all

block drop in on em1 inet6 from fe80::20c:29ff:feb0:c0f5 to any
block drop in on em2 inet6 from fe80::20c:29ff:feb0:c0ff to any
block drop in on em3 inet6 from fe80::20c:29ff:feb0:c009 to any
block drop in on em4 inet6 from fe80::20c:29ff:feb0:c013 to any
block drop in on em5 inet6 from fe80::20c:29ff:feb0:c01d to any
block drop in on em6 inet6 from fe80::20c:29ff:feb0:c027 to any
block drop in on em7 inet6 from fe80::20c:29ff:feb0:c031 to any
block drop in on em8 inet6 from fe80::20c:29ff:feb0:c03b to any

$ pfctl -s all | grep inet6
block drop in on em1 inet6 from fe80::20c:29ff:feb0:c0f5 to any
block drop in on em2 inet6 from fe80::20c:29ff:feb0:c0ff to any
block drop in on em3 inet6 from fe80::20c:29ff:feb0:c009 to any
block drop in on em4 inet6 from fe80::20c:29ff:feb0:c013 to any
block drop in on em5 inet6 from fe80::20c:29ff:feb0:c01d to any
block drop in on em6 inet6 from fe80::20c:29ff:feb0:c027 to any
block drop in on em7 inet6 from fe80::20c:29ff:feb0:c031 to any
block drop in on em8 inet6 from fe80::20c:29ff:feb0:c03b to any

Now I ask: where are these entries generated? How can I override them?

Again: a firewall CAN have hidden rules. But they SHOULD be configurable.
If a firewall does not support a protocol, it does not mean that it must be blocked in any way.
So I am no coder, but I can tell whether it is a bug or a feature. Even with Israeli Checkpoint engineers ;-)

Actions #5

Updated by Chris Buechler over 14 years ago

It's not coming from anywhere in our code:

:~/gitroot/pfsense-RELENG_1_2$ grep -r inet6 *
etc/inc/filter.inc: $ipfrules .= "block in quick inet6 all\n";
etc/inc/filter.inc: $ipfrules .= "block out quick inet6 all\n";
usr/local/pkg/openntpd.inc: $line = trim(shell_exec("ifconfig $iface | grep inet | grep -v inet6"));

Those are the only mentions of inet6 in our entire 1_2 codebase, and none of my systems have any other inet6 rules. You have something else on there that's generating those rules. "Allow IPv6" disables the two rules above; we don't add any others.

Actions #6

Updated by Beat Siegenthaler over 14 years ago

Chris Buechler wrote:

It's not coming from anywhere in our code:

I made the setup quick and dirty with the 1.2.3 release ISO in VMware in 15 minutes, without any modifications or packages, and without setting any rule. You tell me now that you have no idea where these "ghost rules" are generated from? We are talking about firewalling, and the core team does not know when and why rules are there or not? I am glad that this is a problem with my home lab and I do not have to explain this to one of my clients. Thanks anyway for listening...

Actions #7

Updated by Chris Buechler over 14 years ago

We know exactly where everything comes from, we don't add those. Those rules are generated by PF's antispoof. You'll notice they are the interface IPs.
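
As an added example (not pfSense's code, and not posted by anyone in this thread): a small Python script that reads the text of `pfctl -s all` and `ifconfig` and sorts every inet6 block rule into one of three buckets: the two global `quick` blocks that the "Allow IPv6 traffic" box toggles, per-interface antispoof rules whose source is the receiving interface's own link-local address (the rules described in the last comment), and anything else, which is what you would look at if a package had added rules. The em1..em8 addresses are the ones posted above; the `ifconfig` text, its flag values and the extra `fe80::1` rule are constructed assumptions.

```python
"""Sort the inet6 block rules shown by pfctl into what generated them.

Added example, not pfSense code. Input is constructed from the em1..em8
addresses posted in the thread; the ifconfig text is an assumption about
what `ifconfig` prints on that box.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

# The em1..em8 link-local addresses from the bug report's pfctl output.
EM_ADDRS = {
    "em1": "fe80::20c:29ff:feb0:c0f5", "em2": "fe80::20c:29ff:feb0:c0ff",
    "em3": "fe80::20c:29ff:feb0:c009", "em4": "fe80::20c:29ff:feb0:c013",
    "em5": "fe80::20c:29ff:feb0:c01d", "em6": "fe80::20c:29ff:feb0:c027",
    "em7": "fe80::20c:29ff:feb0:c031", "em8": "fe80::20c:29ff:feb0:c03b",
}

# Constructed `ifconfig` output (assumed FreeBSD layout) for those interfaces.
IFCONFIG = "".join(
    f"{ifc}: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500\n"
    f"\tinet6 {addr}%{ifc} prefixlen 64 scopeid 0x2\n"
    for ifc, addr in EM_ADDRS.items()
)

# The per-interface rules exactly as `pfctl -s all | grep inet6` listed them.
PFCTL_ANTISPOOF = "".join(
    f"block drop in on {ifc} inet6 from {addr} to any\n" for ifc, addr in EM_ADDRS.items()
)
# "Allow IPv6 traffic" unset: the two global quick blocks are present.
PFCTL_ALLOW_UNSET = "block drop in quick inet6 all\nblock drop out quick inet6 all\n" + PFCTL_ANTISPOOF
# "Allow IPv6 traffic" set: only the antispoof rules remain.
PFCTL_ALLOW_SET = PFCTL_ANTISPOOF
# Constructed: what a rule added by something else (e.g. a package) would look like.
PFCTL_WITH_FOREIGN = PFCTL_ANTISPOOF + "block drop in on em1 inet6 from fe80::1 to any\n"

RULE_RE = re.compile(
    r"^block drop (?P<dir>in|out)(?P<quick> quick)?(?: on (?P<iface>\S+))?"
    r" inet6 (?:all|from (?P<src>\S+) to any)$"
)
IFACE_RE = re.compile(r"^(?P<iface>[a-z]+\d+):")
ADDR_RE = re.compile(r"^\s+inet6 (?P<addr>[0-9a-fA-F:]+)(?:%\S+)?")


@dataclass
class Inet6Rule:
    raw: str
    direction: str          # "in" / "out"; "" if the line did not parse
    quick: bool
    iface: Optional[str]    # None for rules without "on <if>"
    src: Optional[str]      # None for "inet6 all"


def parse_link_local(ifconfig_text: str) -> Dict[str, Set[str]]:
    """Map interface name -> set of its inet6 addresses (scope id stripped)."""
    addrs: Dict[str, Set[str]] = {}
    current = None
    for line in ifconfig_text.splitlines():
        m = IFACE_RE.match(line)
        if m:
            current = m["iface"]
            addrs.setdefault(current, set())
            continue
        m = ADDR_RE.match(line)
        if m and current:
            addrs[current].add(m["addr"].lower())
    return addrs


def parse_inet6_rules(pfctl_text: str) -> List[Inet6Rule]:
    """Keep only inet6 lines; unparseable ones are kept raw so they are not lost."""
    rules = []
    for line in pfctl_text.splitlines():
        line = line.strip()
        if " inet6 " not in line:
            continue
        m = RULE_RE.match(line)
        if m:
            rules.append(Inet6Rule(line, m["dir"], bool(m["quick"]), m["iface"], m["src"]))
        else:
            rules.append(Inet6Rule(line, "", False, None, None))
    return rules


def is_global_block(rule: Inet6Rule) -> bool:
    """The two rules the 'Allow IPv6 traffic' checkbox adds or removes."""
    return rule.quick and rule.iface is None and rule.src is None


def allow_ipv6_enabled(rules: List[Inet6Rule]) -> bool:
    return not any(is_global_block(r) for r in rules)


def classify(rules: List[Inet6Rule], iface_addrs: Dict[str, Set[str]]):
    """Bucket each rule: global_block, antispoof (source is the receiving
    interface's own address), or other (not from either source: investigate)."""
    buckets = {"global_block": [], "antispoof": [], "other": []}
    for r in rules:
        if is_global_block(r):
            buckets["global_block"].append(r)
        elif (r.direction == "in" and r.iface and r.src
              and r.src.lower() in iface_addrs.get(r.iface, set())):
            buckets["antispoof"].append(r)
        else:
            buckets["other"].append(r)
    return buckets


if __name__ == "__main__":
    addrs = parse_link_local(IFCONFIG)
    for name, text in [("allow unset", PFCTL_ALLOW_UNSET), ("allow set", PFCTL_ALLOW_SET),
                       ("with foreign rule", PFCTL_WITH_FOREIGN)]:
        rules = parse_inet6_rules(text)
        b = classify(rules, addrs)
        print(f"{name}: Allow IPv6 enabled={allow_ipv6_enabled(rules)} "
              f"global={len(b['global_block'])} antispoof={len(b['antispoof'])} other={len(b['other'])}")
        for r in b["other"]:
            print("  investigate:", r.raw)
```

On a real box the two inputs come from `pfctl -s all` and `ifconfig`; the point of the check is that an antispoof rule only drops inbound packets on an interface that claim that interface's own address as their source, so a remaining rule with any other source is the one to explain.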
