pfSense

Hey! Please not this way! I know that You not like and support IPv6. But at least I deserve that You read and comment my bug report. If You give an option to block/deblock IPv6 then it should work.
Maybe You check Your sponsors list BEFORE You drop me this way.

hrm, my explanation earlier wasn't posted.

This isn't a legit bug report, inet6 only appears in our source code in 2 places, the block in/out rules that do work properly. This has to be coming from a package somewhere, the "Allow IPv6" box works exactly as it should.

Chris Buechler wrote:

hrm, my explanation earlier wasn't posted.

the "Allow IPv6" box works exactly as it should.

It is not. really.
I am not native English speaking maybe I have to explain this in other words.

Ok, another try:

I Set up a vmachine with 10 Interfaces: 1Wan 1LAN+8LAN bridged.This could be intended as a switch replacement. Every Interface gets a inet6 block rule. From where? Yes, I agree that the default setting (block all) works as intended. But the opposite, the "allow" Setting is NOT usable.
Now, if You (pfSense-Developer) not have to care about "bad" IPv6 in my 9Port LAN-Segment. But in fact You block them. I say "Allow IPv6" Traffic, the only difference are the two lines in front.

$ pfctl -s all | grep inet6
block drop in quick inet6 all
block drop out quick inet6 all
block drop in on em1 inet6 from fe80::20c:29ff:feb0:c0f5 to any
block drop in on em2 inet6 from fe80::20c:29ff:feb0:c0ff to any
block drop in on em3 inet6 from fe80::20c:29ff:feb0:c009 to any
block drop in on em4 inet6 from fe80::20c:29ff:feb0:c013 to any
block drop in on em5 inet6 from fe80::20c:29ff:feb0:c01d to any
block drop in on em6 inet6 from fe80::20c:29ff:feb0:c027 to any
block drop in on em7 inet6 from fe80::20c:29ff:feb0:c031 to any
block drop in on em8 inet6 from fe80::20c:29ff:feb0:c03b to any

$ pfctl -s all | grep inet6
block drop in on em1 inet6 from fe80::20c:29ff:feb0:c0f5 to any
block drop in on em2 inet6 from fe80::20c:29ff:feb0:c0ff to any
block drop in on em3 inet6 from fe80::20c:29ff:feb0:c009 to any
block drop in on em4 inet6 from fe80::20c:29ff:feb0:c013 to any
block drop in on em5 inet6 from fe80::20c:29ff:feb0:c01d to any
block drop in on em6 inet6 from fe80::20c:29ff:feb0:c027 to any
block drop in on em7 inet6 from fe80::20c:29ff:feb0:c031 to any
block drop in on em8 inet6 from fe80::20c:29ff:feb0:c03b to any

Now I ask: where are this entry's generated? How can I override them?

Again: A firewall CAN have hidden rules. Bud they SHOULD be configurable.
If a firewall does not support a protocol, it means not that this must be in any way blocked.
So I am no coder, but i can differentiate if it is a bug or a feature. Even with Israeli Checkpoint Engineers ;-)

It's not coming from anywhere in our code:

:~/gitroot/pfsense-RELENG_1_2$ grep -r inet6 *
etc/inc/filter.inc: $ipfrules .= "block in quick inet6 all\n";
etc/inc/filter.inc: $ipfrules .= "block out quick inet6 all\n";
usr/local/pkg/openntpd.inc: $line = trim(shell_exec("ifconfig $iface | grep inet | grep -v inet6"));

Those are the only mentions of inet6 in our entire 1_2 codebase, and none of my systems have any other inet6 rules. You have something else on there that's generating those rules. "Allow IPv6" disables the two rules above, we don't add any others.

Chris Buechler wrote:

It's not coming from anywhere in our code:

I made the setup quick and dirty with the 1.2.3 release ISO with VMware in 15 minutes. Without any modifications or packages. Without setting any rule. You tell me now, that You have no idea from where this "ghost-rules" are generated? We talking about firewalling and the core team does not know when and why rules are there or not? I am glad that this is a problem with my home lab and I do not have to explain this to one of my clients. Thanks anyway for listen...

We know exactly where everything comes from, we don't add those. Those rules are generated by PF's antispoof. You'll notice they are the interface IPs.