Bug #9593

Bogon Rule (partly) blocking IPV6

Added by Louis van Breda about 1 year ago. Updated about 1 year ago.

Status: Not a Bug
Priority: Normal
Assignee: -
Category: -
Target version: -
Start date: 06/18/2019
Due date:
% Done: 0%
Estimated time:
Affected Version:
Affected Architecture: All

Description

Hello,

When defining rules for Simple Service Discovery Protocol (SSDP), I discovered a serious bug. Luckily with “some form of” workaround possible.

I have a network divided into multiple subnets using a VLAN per subnet. For each subnet there is an interface with corresponding rules.
Since I am using firewall rules as strict as possible, I normally have the Bogon-rule active for each interface (WAN and LAN).

I observed the following issue and expect the problem to be wider than that:
- SSDP owns the following address ranges
  - IPV4: 239.255.255.250 (IPv4 site-local address)
  - IPV6: [FF02::C] (IPv6 link-local)
  - IPV6: [FF05::C] (IPv6 site-local)
  - IPV6: [FF08::C] (IPv6 organization-local)
  - IPV6: [FF0E::C] (IPv6 global)
- I defined a rule to block IPv6 global (Block UPnP discovery outside my network), with the intention to pass the rest.
- So IMHO IPV6: [FF05::C] (IPv6 site-local) should pass
- However I observed that the “block bogon IPV6-rule” blocks the other IPV6-local traffic, and that is IMHO not OK.

The attached document contains two pieces of firewall logs: the upper one with the bogon rule activated, and below that a piece where the bogon rule is not active.

This problem relates at least to the actual pfSense version p2.4.4 release 3

Sincerely,

Louis

20190618 BogonBlocking IPV6.docx (326 KB) Louis van Breda, 06/18/2019 10:15 AM
ImpactBogonRuleSSDP_Exampe.PNG (188 KB) Louis van Breda, 06/18/2019 01:46 PM
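
As an added example (not part of the original report and not pfSense code), the following Python script classifies the SSDP groups listed in the description by IPv6 multicast scope and reports which prefixes of a table cover each one. `SAMPLE_TABLE` is a constructed prefix list, not the contents of pfSense's bogon table, and the function names are hypothetical.

```python
import ipaddress

# SSDP multicast groups as listed in the report above.
SSDP_GROUPS = ["239.255.255.250", "ff02::c", "ff05::c", "ff08::c", "ff0e::c"]

# IPv6 multicast scope values (RFC 4291, RFC 7346).
SCOPES = {
    0x1: "interface-local", 0x2: "link-local", 0x3: "realm-local",
    0x4: "admin-local", 0x5: "site-local", 0x8: "organization-local",
    0xE: "global",
}

# Constructed sample prefixes (assumption): NOT the real bogon table.
# Replace with the prefixes of the table you want to inspect.
SAMPLE_TABLE = ["ff00::/8", "2001:db8::/32", "fc00::/7"]


def multicast_scope(addr):
    """Return the scope name of an IPv6 multicast address, else None."""
    ip = ipaddress.ip_address(addr)
    if ip.version != 6 or not ip.is_multicast:
        return None
    # The scope is the low nibble of the second byte (ffXS::, S = scope).
    return SCOPES.get((int(ip) >> 112) & 0xF, "reserved/unassigned")


def covering_prefixes(addr, table):
    """Return every prefix in `table` that contains `addr`."""
    ip = ipaddress.ip_address(addr)
    nets = (ipaddress.ip_network(p) for p in table)
    return [str(n) for n in nets if n.version == ip.version and ip in n]


def report(groups, table):
    """Build (group, scope, covering prefixes) rows for each group."""
    return [(g, multicast_scope(g), covering_prefixes(g, table)) for g in groups]


if __name__ == "__main__":
    for group, scope, hits in report(SSDP_GROUPS, SAMPLE_TABLE):
        verdict = "covered by " + ", ".join(hits) if hits else "not in table"
        print(f"{group:<18} scope={scope or 'n/a (IPv4)':<20} {verdict}")
```

Replace `SAMPLE_TABLE` with the prefixes of the table under inspection to see which entry matches a logged destination.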

History

#1 Updated by Jim Pingle about 1 year ago

  • Status changed from New to Not a Bug
  • Priority changed from High to Normal

Bogons is not intended to be used on local interfaces. You should only pass in from your specific local networks on local interfaces, thus bogons has no benefit.

#2 Updated by Louis van Breda about 1 year ago

Jim,

At best I only partly agree with you. We can argue about whether or not it is useful to check for bogon networks on a LAN interface, but the fact that the firewall engine:
- Is not handling IPV6-traffic as it should and / or
- Generates a message that it has stopped bogons

is definitely not OK. What makes it very serious is that I do not have any idea what the engine is doing wrong and what the consequences are! But one thing is for sure: the core engine is doing something wrong ☹

Sincerely,

Louis

#3 Updated by Jim Pingle about 1 year ago

Feel free to discuss the issue more in depth on the forum if you think there might be something else going on. We don't make a habit of opening unsolicited word document attachments, so we won't be looking at the text submitted that way.

Bogon lists are not for private interfaces, there is no room for debate there.

#4 Updated by Louis van Breda about 1 year ago

Jim,

Since you indicate that you do not open Word files, here is a picture of the firewall log.

Sincerely,

Louis
