Project

General

Profile

Actions

Bug #9167

open

Some Important ICMPv6 Traffic Not Allowed by Default Rules

Added by David Lessnau about 6 years ago. Updated over 5 years ago.

Status:
New
Priority:
Normal
Assignee:
-
Category:
Rules / NAT
Target version:
-
Start date:
12/04/2018
Due date:
% Done:

0%

Estimated time:
Plus Target Version:
Release Notes:
Affected Version:
2.4.4_1
Affected Architecture:

Description

According to:

https://tools.ietf.org/html/rfc4890#section-4.3.1

"4.3.1. Traffic That Must Not Be Dropped

Error messages that are essential to the establishment and
maintenance of communications:

o Destination Unreachable (Type 1) - All codes
o Packet Too Big (Type 2)
o Time Exceeded (Type 3) - Code 0 only
o Parameter Problem (Type 4) - Codes 1 and 2 only"

Yet, according to:

https://github.com/pfsense/pfsense/blob/75cf92ffe93c7ea71cd5b432c369860b6e66a0d3/src/etc/inc/filter.inc#L3297

the Time Exceeded (Type 3) and Parameter Problem (Type 4) - Codes 1 and 2 do not appear to be specified by pfSense 2.4.4 in the default allow rules.

Possibly, there's a similar issue with the ICMPv6 Neighbor Discovery rules. According to that same document, Neighbor Discovery consists of 7 message types:

" o Router Solicitation (Type 133)
o Router Advertisement (Type 134)
o Neighbor Solicitation (Type 135)
o Neighbor Advertisement (Type 136)
o Redirect (Type 137)
o Inverse Neighbor Discovery Solicitation (Type 141)
o Inverse Neighbor Discovery Advertisement (Type 142)"

PfSense's default ICMPv6 rules specifically allow router and neighbor solicitation and advertisement, but don't mention the others (Redirect and the two Inverse Neighbor Discovery ones).

Actions

Also available in: Atom PDF