How to block illegal source IPs at the VLAN gateways?
Hello,
There are a significant number of servers which do not properly support VLANs. It seems not rare that (Unix) servers whose task is to execute an application, and which in that role should perform as an IP endpoint, are handling the IP traffic as if they were internet transit points.
A bit like this:
- the server has a VLAN A in favor of "application A"
- and a VLAN B in favor of "application B"
- and a "management VLAN C"
However, they are all handled by the same routing table, having the same default gateway, and there is no separation between the VLANs. That is far from OK IMHO.
Connecting that kind of server destroys the security!
Next to that, a hacker could perhaps use it to break VLAN borders, and the network routing will not work as well (at least not as intended).
So I would add extra protection to the firewall against this.
In fact I did add three rules at the beginning of most of the VLANs:
- first rule, to protect pfSense, Block: source "*", destination "vlan-address", ports "http, https, ssh, tr69"
- second rule, Block: IPv4, source "!vlan-net"
- third rule, Block: IPv6, source "!vlan-net"
The first two rules do their job, however ...... the third one, the IPv6 block, does not.
It has everything to do with the unbelievable set of IP address options related to IPv6. The firewall is not handling all of them the way I would expect (it must be very hard, that is for sure).
The problem is that addresses like "[fe80::<etc>]", "[fe00::<etc>]", "[ff05::<etc>]" are not treated as addresses belonging to the VLAN.
So given that issue, I had to disable the "Block IPv6 source not this vlan-net" rule.
Does anyone have a solution for this?
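As an added example that is not part of the original post: a small Python model of a "block IPv6 source not vlan-net" rule, showing which sample sources it catches, and an ordering that passes link-local and unspecified sources (needed for neighbor discovery and duplicate address detection) before the anti-spoofing block. The VLAN prefix and the sample addresses are assumed values, not taken from the post.

```python
# Added example (not from the forum post): evaluates candidate IPv6 source
# addresses against a pfSense-style "block source !VLAN-net" rule, to show why
# link-local sources fall outside the VLAN prefix, and an allow-before-block order.
from ipaddress import IPv6Address, IPv6Network

# Constructed sample: assumed VLAN prefix (documentation range, not a real site).
VLAN_NET = IPv6Network("2001:db8:a::/64")

# Sources a host on the segment legitimately uses even though they are not inside
# the VLAN's routed prefix: link-local unicast (NDP, RS/RA, DHCPv6 client side)
# and the unspecified address (duplicate address detection).
LINK_LOCAL = IPv6Network("fe80::/10")
UNSPECIFIED = IPv6Address("::")


def naive_rule(src):
    """Plain 'block IPv6 if source is not in VLAN-net'."""
    return "pass" if IPv6Address(src) in VLAN_NET else "block"


def ordered_rules(src):
    """Pass link-local and :: sources first, then apply the same anti-spoof block."""
    a = IPv6Address(src)
    if a in LINK_LOCAL or a == UNSPECIFIED:
        return "pass"
    if a.is_multicast:
        return "block"  # a multicast address is never a legitimate source
    return naive_rule(src)


def evaluate(sources):
    """Map each source to (naive verdict, ordered verdict)."""
    return {s: (naive_rule(s), ordered_rules(s)) for s in sources}


# Constructed sample sources, one per case the post is concerned with.
SAMPLE_SOURCES = [
    "2001:db8:a::10",   # host inside the VLAN prefix
    "fe80::1",          # link-local, used by neighbor discovery
    "::",               # unspecified, duplicate address detection
    "ff05::1:3",        # site-local multicast, never valid as a source
    "2001:db8:b::10",   # address from another VLAN: spoofed or leaked
]

if __name__ == "__main__":
    for src, (naive, ordered) in evaluate(SAMPLE_SOURCES).items():
        print(f"{src:18} naive={naive:5} ordered={ordered}")
```

The naive rule blocks fe80::1 and ::, which is why an unconditional "source not vlan-net" block breaks IPv6 on the segment; the ordered version keeps the anti-spoofing effect for addresses from other VLANs.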