Bug #9167

Some Important ICMPv6 Traffic Not Allowed by Default Rules

Added by David Lessnau 8 days ago.

Status: New
Priority: Normal
Assignee: -
Category: -
Target version: -
Start date: 12/04/2018
Due date:
% Done: 0%
Estimated time:
Affected Version: 2.4.4_1
Affected Architecture:
Description

According to:

https://tools.ietf.org/html/rfc4890#section-4.3.1

"4.3.1. Traffic That Must Not Be Dropped

Error messages that are essential to the establishment and
maintenance of communications:

o Destination Unreachable (Type 1) - All codes
o Packet Too Big (Type 2)
o Time Exceeded (Type 3) - Code 0 only
o Parameter Problem (Type 4) - Codes 1 and 2 only"

Yet, according to:

https://github.com/pfsense/pfsense/blob/75cf92ffe93c7ea71cd5b432c369860b6e66a0d3/src/etc/inc/filter.inc#L3297

the Time Exceeded (Type 3) and Parameter Problem (Type 4) - Codes 1 and 2 do not appear to be specified by pfSense 2.4.4 in the default allow rules.

Possibly, there's a similar issue with the ICMPv6 Neighbor Discovery rules. According to that same document, Neighbor Discovery consists of 7 message types:

"o Router Solicitation (Type 133)
o Router Advertisement (Type 134)
o Neighbor Solicitation (Type 135)
o Neighbor Advertisement (Type 136)
o Redirect (Type 137)
o Inverse Neighbor Discovery Solicitation (Type 141)
o Inverse Neighbor Discovery Advertisement (Type 142)"

pfSense's default ICMPv6 rules specifically allow router and neighbor solicitation and advertisement, but don't mention the others (Redirect and the two Inverse Neighbor Discovery ones).
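To make the gap in the report checkable rather than eyeballed, here is an added example (not part of the bug report and not pfSense's own code) that reads pf `pass` rules, collects which `icmp6-type` values and codes they admit, and compares them against the RFC 4890 section 4.3.1 must-not-drop set and the Neighbor Discovery type list quoted above. It assumes pf.conf(5) list syntax (`icmp6-type { 1, 2, 3 code 0 }`, commas optional), numeric codes, and the symbolic type names from pf.conf(5) given in the name map; it deliberately ignores rule order, direction, interfaces and `block` rules, so it is a coverage check, not a simulation of pf's matching. Both rule sets are constructed samples, not the ruleset pfSense generates.

```python
import re
from typing import Dict, List, Optional, Set

# RFC 4890 section 4.3.1: ICMPv6 error messages that must not be dropped.
# None means "all codes"; a set lists the specific codes that must pass.
MUST_NOT_DROP: Dict[int, Optional[Set[int]]] = {
    1: None,     # Destination Unreachable, all codes
    2: None,     # Packet Too Big
    3: {0},      # Time Exceeded, code 0 only
    4: {1, 2},   # Parameter Problem, codes 1 and 2 only
}

# Neighbor Discovery message types listed in the report (RFC 4890).
NEIGHBOR_DISCOVERY = {133, 134, 135, 136, 137, 141, 142}

# Symbolic icmp6 type names from pf.conf(5); numeric types are always accepted.
ICMP6_NAMES = {
    "unreach": 1, "toobig": 2, "timex": 3, "paramprob": 4,
    "echoreq": 128, "echorep": 129, "routersol": 133, "routeradv": 134,
    "neighbrsol": 135, "neighbradv": 136, "redir": 137,
}

# "icmp6-type { ... }" or a single "icmp6-type N [code C]" entry.
RULE_RE = re.compile(r"icmp6-type\s+(\{[^}]*\}|\S+(?:\s+code\s+\S+)?)")
# One list item: a type, optionally followed by "code C".
ENTRY_RE = re.compile(r"(\w+)(?:\s+code\s+(\w+))?")


def to_type_number(token: str) -> int:
    if token.isdigit():
        return int(token)
    if token in ICMP6_NAMES:
        return ICMP6_NAMES[token]
    raise ValueError(f"unknown icmp6 type {token!r}")


def allowed_icmp6(rules: str) -> Dict[int, Optional[Set[int]]]:
    """Map each ICMPv6 type admitted by a pass rule to its allowed codes
    (None = the rule named no code, so every code passes)."""
    allowed: Dict[int, Optional[Set[int]]] = {}
    for raw in rules.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line.startswith("pass"):
            continue                      # block rules and comments are ignored
        m = RULE_RE.search(line)
        if not m:
            continue
        for entry in ENTRY_RE.finditer(m.group(1).strip("{}")):
            t = to_type_number(entry.group(1))
            code = entry.group(2)
            if code is None:
                allowed[t] = None         # no code given: all codes pass
            elif allowed.get(t, set()) is not None:
                allowed.setdefault(t, set()).add(int(code))  # numeric codes only
    return allowed


def missing_required(allowed: Dict[int, Optional[Set[int]]]) -> List[str]:
    """RFC 4890 4.3.1 entries that the rules do not fully admit."""
    missing = []
    for t, codes in MUST_NOT_DROP.items():
        have = allowed.get(t, set())
        if codes is None:
            if have is not None:          # absent, or only some codes allowed
                missing.append(f"type {t} (all codes)")
        else:
            for code in sorted(codes):
                if have is not None and code not in have:
                    missing.append(f"type {t} code {code}")
    return missing


def missing_neighbor_discovery(allowed: Dict[int, Optional[Set[int]]]) -> List[int]:
    """Neighbor Discovery types with no pass rule at all."""
    return sorted(NEIGHBOR_DISCOVERY - set(allowed))


# Constructed sample resembling a minimal ICMPv6 allow set (not pfSense output).
SAMPLE_RULES = """
pass in quick inet6 proto ipv6-icmp from any to any icmp6-type { 1, 2, 135, 136 } keep state
pass out quick inet6 proto ipv6-icmp from any to any icmp6-type { 128, 133, 134 } keep state
"""

# Constructed sample covering RFC 4890 4.3.1 and all seven ND types.
RFC4890_RULES = """
pass in quick inet6 proto ipv6-icmp from any to any icmp6-type { 1, 2, 3 code 0, 4 code 1, 4 code 2 } keep state
pass in quick inet6 proto ipv6-icmp from any to any icmp6-type { 133, 134, 135, 136, 137, 141, 142 } keep state
"""

if __name__ == "__main__":
    for name, rules in (("sample", SAMPLE_RULES), ("rfc4890", RFC4890_RULES)):
        allowed = allowed_icmp6(rules)
        print(name, "missing required:", missing_required(allowed))
        print(name, "missing ND types:", missing_neighbor_discovery(allowed))
```

Running it reports `type 3 code 0`, `type 4 code 1`, `type 4 code 2` and ND types 137, 141, 142 as missing from the first sample, and nothing missing from the second, which is the shape of the check a reviewer can run against any pf ruleset dump before deciding whether the defaults satisfy RFC 4890.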
