IPv6 blocklists generate IPv4 auto-rules
I set up some IPv6 blocklists with pfblocker and noticed that the auto rules it created were created as IPv4 protocol rules. This is on 2.3.2-p1.
I was able to work around this by disabling auto-created deny rules and instead creating my own firewall rules using "Alias Deny".
#2 Updated by John Silva over 3 years ago
Yes. I configured the list in the IPv6 tab of pfBlockerNG. When "List Action" is set to "Deny Both" the firewall rule that is created is for IPv4. See attached screenshot.
When just flipping my config back to "Deny Both" I discovered a second bug - the auto rules are not removed when List Action is changed from "Deny Both" to "Alias Deny".
#3 Updated by BBcan177 . over 3 years ago
Thanks for the report... I can confirm that there is a bug for the IPv6 Tab. The GeoIP tab doesn't have this issue though.
Please edit this file: (Line # 4580)
and add the missing $vtype variable
pfb_firewall_rule($list['action'], $alias, $vtype, $list['aliaslog'], $pfbarr['agateway_in'], $pfbarr['agateway_out'],
    $pfbarr['aaddrnot_in'], $pfbarr['aaddr_in'], $pfbarr['aports_in'], $pfbarr['aproto_in'], $pfbarr['anot_in'],
    $pfbarr['aaddrnot_out'], $pfbarr['aaddr_out'], $pfbarr['aports_out'], $pfbarr['aproto_out'], $pfbarr['anot_out']);
I can't reproduce the second bug. Please ensure that you run a "Force Update" after changing settings.
#5 Updated by John Silva over 3 years ago
I'll wait for a confirmed fix for the 'vtype' bug. The aliases are working fine for me, especially since I really only want to log drops in the outbound direction.
The auto-rules issue isn't a big deal - just happened to notice it when flipping back and forth.
Thanks for the effort and great support on this fantastic tool!
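Added example, not part of the original thread and not pfBlockerNG code: a pf rule restricted to `inet` that references a table holding only IPv6 entries can never match, so the blocklist is silently not enforced. The Python check below flags such rules from `pfctl -sr` style lines; the rule lines, table names and table contents are constructed sample data.

```python
import ipaddress
import re

# Constructed sample data (not from the thread): rule lines in `pfctl -sr`
# style and the contents of the tables they reference. Names are hypothetical.
SAMPLE_RULES = [
    'block drop in log quick on em0 inet from <pfB_ExampleV6> to any label "ExampleV6 auto rule"',
    'block drop in log quick on em0 inet6 from <pfB_OtherV6> to any label "OtherV6 auto rule"',
    'block drop in log quick on em0 inet from <pfB_ExampleV4> to any label "ExampleV4 auto rule"',
]
SAMPLE_TABLES = {
    "pfB_ExampleV6": ["2001:db8:1::/48", "2001:db8:2::/48"],
    "pfB_OtherV6": ["2001:db8:ffff::/48"],
    "pfB_ExampleV4": ["192.0.2.0/24", "198.51.100.7"],
}

RULE_AF = re.compile(r"\s(inet6?)\s")   # address family keyword in a pf rule
TABLE_REF = re.compile(r"<([^>]+)>")    # <table> references


def table_versions(entries):
    """Return the set of IP versions (4 and/or 6) present in a table."""
    return {ipaddress.ip_network(e, strict=False).version for e in entries}


def find_family_mismatches(rules, tables):
    """List (table, rule_family, table_versions) where the rule can never match."""
    findings = []
    for rule in rules:
        body = rule.split(" label ")[0]  # ignore the free-text label
        af = RULE_AF.search(body)
        if not af:
            continue  # no family keyword: the rule applies to both families
        rule_version = 6 if af.group(1) == "inet6" else 4
        for name in TABLE_REF.findall(body):
            versions = table_versions(tables.get(name, []))
            if versions and rule_version not in versions:
                findings.append((name, af.group(1), sorted(versions)))
    return findings


if __name__ == "__main__":
    for name, family, versions in find_family_mismatches(SAMPLE_RULES, SAMPLE_TABLES):
        held = "/".join(f"IPv{v}" for v in versions)
        print(f"{name}: rule is {family} but the table holds only {held} entries")
```
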