Project

General

Profile

Actions

Bug #7107

closed

IPv6 blocklists generate IPv4 auto-rules

Added by John Silva about 7 years ago. Updated over 4 years ago.

Status:
Resolved
Priority:
Normal
Assignee:
-
Category:
pfBlockerNG
Target version:
-
Start date:
01/09/2017
Due date:
% Done:

0%

Estimated time:
Plus Target Version:
Affected Version:
2.3.2
Affected Plus Version:
Affected Architecture:

Description

I set up some IPv6 blocklists with pfblocker and noticed that the autorules it created were created as IPv4 protocol rules. This is on 2.3.2-p1.

I was able to work around this by disabling auto-created deny rules and instead creating my own firewall rules using "Alias Deny".


Files

pfb ip6blacklist.png (61.8 KB) pfb ip6blacklist.png John Silva, 01/09/2017 06:31 PM
Actions #1

Updated by BBcan177 . about 7 years ago

Did you add these Lists in the IPv6 pfBlockerNG Tab?

Actions #2

Updated by John Silva about 7 years ago

Yes. I configured the list in the IPv6 tab of pfBlockerNG. When "List Action" is set to "Deny Both" the firewall rule that is created is for IPv4. See attached screenshot.

When just flipping my config back to "Deny Both" I discovered a second bug - the auto rules are not removed when List Action is changed from "Deny Both" to "Alias Deny".

Actions #3

Updated by BBcan177 . about 7 years ago

Thanks for the report... I can confirm that there is a bug for the IPv6 Tab. The GeoIP tab doesn't have this issue tho.

Please edit this file: (Line # 4580)

/usr/local/pkg/pfblockerng/pfblockerng.inc

See here for reference:
https://github.com/pfsense/FreeBSD-ports/blob/devel/net/pfSense-pkg-pfBlockerNG/files/usr/local/pkg/pfblockerng/pfblockerng.inc#L4580

and add the missing $vtype variable

pfb_firewall_rule($list['action'], $alias, $vtype, $list['aliaslog'], $pfbarr['agateway_in'], $pfbarr['agateway_out'],
$pfbarr['aaddrnot_in'], $pfbarr['aaddr_in'], $pfbarr['aports_in'], $pfbarr['aproto_in'], $pfbarr['anot_in'],
$pfbarr['aaddrnot_out'], $pfbarr['aaddr_out'], $pfbarr['aports_out'], $pfbarr['aproto_out'], $pfbarr['anot_out']);

I can't reproduce the second bug. Please ensure that you run a "Force Update" after changing settings.

Actions #4

Updated by BBcan177 . about 7 years ago

Update: Its going to be a little more involved to fix this issue... Best to use "Alias type" rules, until the next release...

Actions #5

Updated by John Silva about 7 years ago

I'll wait for a confirmed fix for the 'vtype' bug. The aliases are working fine for me, especially since I really only want to log drops in the outbound direction.

The auto-rules issue isn't a big deal - just happened to notice it when flipping back and forth.

Thanks for the effort and great support on this fantastic tool!

Actions #6

Updated by Jim Pingle over 4 years ago

  • Project changed from pfSense to pfSense Packages
  • Category changed from 119 to pfBlockerNG
Actions #7

Updated by BBcan177 . over 4 years ago

This is resolved in pfBlockerNG-devel and can be closed.

Actions #8

Updated by Jim Pingle over 4 years ago

  • Status changed from New to Resolved
Actions

Also available in: Atom PDF