Bug #7107
IPv6 blocklists generate IPv4 auto-rules
Status: closed
Description
I set up some IPv6 blocklists with pfblocker and noticed that the autorules it created were created as IPv4 protocol rules. This is on 2.3.2-p1.
I was able to work around this by disabling auto-created deny rules and instead creating my own firewall rules using "Alias Deny".
Updated by BBcan177 . over 7 years ago
Did you add these Lists in the IPv6 pfBlockerNG Tab?
Updated by John Silva over 7 years ago
- File pfb ip6blacklist.png added
Yes. I configured the list in the IPv6 tab of pfBlockerNG. When "List Action" is set to "Deny Both" the firewall rule that is created is for IPv4. See attached screenshot.
When just flipping my config back to "Deny Both" I discovered a second bug - the auto rules are not removed when List Action is changed from "Deny Both" to "Alias Deny".
Updated by BBcan177 . over 7 years ago
Thanks for the report... I can confirm that there is a bug for the IPv6 Tab. The GeoIP tab doesn't have this issue tho.
Please edit this file: (Line # 4580)
/usr/local/pkg/pfblockerng/pfblockerng.inc
See here for reference:
https://github.com/pfsense/FreeBSD-ports/blob/devel/net/pfSense-pkg-pfBlockerNG/files/usr/local/pkg/pfblockerng/pfblockerng.inc#L4580
and add the missing $vtype variable
pfb_firewall_rule($list['action'], $alias, $vtype, $list['aliaslog'], $pfbarr['agateway_in'], $pfbarr['agateway_out'],
$pfbarr['aaddrnot_in'], $pfbarr['aaddr_in'], $pfbarr['aports_in'], $pfbarr['aproto_in'], $pfbarr['anot_in'],
$pfbarr['aaddrnot_out'], $pfbarr['aaddr_out'], $pfbarr['aports_out'], $pfbarr['aproto_out'], $pfbarr['anot_out']);
I can't reproduce the second bug. Please ensure that you run a "Force Update" after changing settings.
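A defender-side check for the defect discussed in this thread, added here as an illustration and not part of the issue or of pfBlockerNG's own code: it audits a pfSense config.xml and flags pfBlockerNG rules whose ipprotocol does not match the address family of the alias they reference (an IPv6 list alias on an IPv4 rule, or the reverse). The config fragment is constructed for the example, and the alias naming convention (pfBlockerNG IPv4 aliases ending in "_v4", IPv6 aliases in "_v6") is an assumption made by the example.

```python
import xml.etree.ElementTree as ET

# Constructed pfSense config.xml fragment (not taken from the page or from a real box).
# Rule 1: an IPv6 list alias whose auto-rule was written as IPv4 (the bug in this thread).
# Rule 2: an IPv4 alias whose auto-rule is correct.
# Rule 3: an unrelated rule that references no pfBlockerNG alias.
SAMPLE_CONFIG = """<pfsense>
  <filter>
    <rule>
      <type>block</type>
      <ipprotocol>inet</ipprotocol>
      <interface>wan</interface>
      <source><address>pfB_IPv6Lists_v6</address></source>
      <destination><any/></destination>
      <descr>pfB_IPv6Lists_v6 auto rule</descr>
    </rule>
    <rule>
      <type>block</type>
      <ipprotocol>inet</ipprotocol>
      <interface>wan</interface>
      <source><address>pfB_GeoIP_v4</address></source>
      <destination><any/></destination>
      <descr>pfB_GeoIP_v4 auto rule</descr>
    </rule>
    <rule>
      <type>pass</type>
      <ipprotocol>inet</ipprotocol>
      <interface>lan</interface>
      <source><any/></source>
      <destination><any/></destination>
      <descr>Default allow LAN to any rule</descr>
    </rule>
  </filter>
</pfsense>
"""

# Assumed pfBlockerNG alias naming: IPv4 aliases end in "_v4", IPv6 aliases end in "_v6".
EXPECTED_IPPROTOCOL = {"_v4": "inet", "_v6": "inet6"}


def expected_protocol(alias):
    """Return the ipprotocol a pfBlockerNG alias name implies, or None if not a v4/v6 alias."""
    for suffix, proto in EXPECTED_IPPROTOCOL.items():
        if alias.endswith(suffix):
            return proto
    return None


def rule_aliases(rule):
    """Alias names referenced in the rule's source and destination address fields."""
    names = []
    for side in ("source", "destination"):
        addr = rule.findtext(f"{side}/address")
        if addr and addr.startswith("pfB_"):
            names.append(addr)
    return names


def audit_pfb_rules(config_xml):
    """List rules whose ipprotocol disagrees with the address family of a pfB_ alias they use."""
    root = ET.fromstring(config_xml)
    findings = []
    for rule in root.iterfind("filter/rule"):
        # A missing ipprotocol is reported as such rather than assumed to be IPv4.
        ipprotocol = rule.findtext("ipprotocol") or "(missing)"
        for alias in rule_aliases(rule):
            want = expected_protocol(alias)
            if want and want != ipprotocol:
                findings.append({
                    "descr": rule.findtext("descr", ""),
                    "alias": alias,
                    "ipprotocol": ipprotocol,
                    "expected": want,
                })
    return findings


if __name__ == "__main__":
    for f in audit_pfb_rules(SAMPLE_CONFIG):
        print(f"{f['descr']!r}: alias {f['alias']} is {f['expected']} "
              f"but the rule is {f['ipprotocol']}")
```

On a real system you would read /conf/config.xml (or a config backup) into the string passed to audit_pfb_rules; the same check is useful after upgrading pfBlockerNG, since rules left behind by an older version are not rewritten until the next Force Update.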
Updated by BBcan177 . over 7 years ago
Update: It's going to be a little more involved to fix this issue... Best to use "Alias type" rules, until the next release...
Updated by John Silva over 7 years ago
I'll wait for a confirmed fix for the 'vtype' bug. The aliases are working fine for me, especially since I really only want to log drops in the outbound direction.
The auto-rules issue isn't a big deal - just happened to notice it when flipping back and forth.
Thanks for the effort and great support on this fantastic tool!
Updated by Jim Pingle over 4 years ago
- Project changed from pfSense to pfSense Packages
- Category changed from 119 to pfBlockerNG
Updated by BBcan177 . over 4 years ago
This is resolved in pfBlockerNG-devel and can be closed.