Bug #2874

closed

IPv6 permissive rules being auto-created when IPv6 disabled in config

Added by Stilez y about 12 years ago. Updated about 12 years ago.

Status: Rejected
Priority: Normal
Assignee: -
Category: -
Target version: -
Start date: 03/13/2013
% Done: 0%

Description

Some automatic IPv6 rules still get created if IPv6 is disabled (not clear if this is intentional). Two examples: the "default allow LAN IPv6 to any" rule, and it also seems that PPPoE can still show IPv6 DHCP as enabled. These aren't being synced to IPv6 on/off, and it seems inappropriate to have occasional permissive IPv6 rules autocreated and appearing in a rules list for a router that's expected and configured to be only IPv4 with IPv6 disabled.

Actions #1

Updated by Jim Pingle about 12 years ago

  • Status changed from New to Rejected

"Allow IPv6" is not a master switch to disable IPv6 functions. It merely adds a block rule to prevent IPv6 from passing by default.

The rule on LAN is in the default config. It's not "automatic" in the sense that it is created and destroyed automatically.

The WAN defaults to IPv6 DHCP enabled in the default config.

Actions #2

Updated by Stilez y about 12 years ago

The narrative reads "All IPv6 will be blocked unless this box is checked". That's not the same as "merely blocks by default". The existence of a permissive rule or opening of IPv6 DHCP when unchecked seems to breach that description. It does in fact tell the user that it is an IPv6 master switch.

Perhaps the default rule should be automated (as some other rules are) or be auto-enabled/disabled, depending upon whether IPv6 is enabled or not. At present, a user unchecks a control saying "All IPv6 will be blocked" and it isn't.

However, if the behaviour is correct then can the somewhat misleading narrative in <system_advanced_network.php> be edited slightly, to be more clear that this doesn't act as a master on/off, or what it does do? And to note that the default rule will still allow IPv6 to pass even if IPv6 is "all blocked" in config, and IPv6 rules may need to be manually disabled.

Actions #3

Updated by Jim Pingle about 12 years ago

I'll try to reword it, but "allow" and "blocked" imply firewall actions, "disabled" would imply features being shut off.

As for the rules, creating/destroying rules like that on the fly is a recipe for disaster. There is no way that would end well except in the most basic of configs where it doesn't really make much sense.

Actions #4

Updated by Chris Buechler about 12 years ago

The block rules override every user-defined and auto-added rule, which is the intent of the feature. It's not enable/disable, it's block all or don't block all. It works as designed.

Actions #5

Updated by Stilez y about 12 years ago

Thanks, that explanation makes sense. (It may be that some apparent "issues" actually relate to improving narrative and clarifying what the function is expected to do, like this)

Looking at the amended text it leaves an aspect unclear - it says that all IPv6 traffic will be blocked. Two quick clarifications - does this override any manual/visible fw rules, and the permissive default rule, or do some of these need to be manually disabled? And does it mean IPv6 DHCP is enabled but the resulting traffic won't pass?

Actions #6

Updated by Stilez y about 12 years ago

(Sorry, Chris - overlapped yours and didn't see your comment)

Actions #7

Updated by Jim Pingle about 12 years ago

Unfortunately we can't write a novella to explain the subtle nuances of every option in the GUI. The revised description states plainly that all IPv6 traffic will be blocked, that's what it does. No other actions or assumptions are made aside from blocking all IPv6 traffic, exactly as it says.
