Netgate Discussion Forum

    Editing the PHP SOURCECODE to enable ipv6 ?! // block in log inet6 all ridentifier 1000000105 label "Default deny rule IPv6"

    7 Posts 5 Posters 1.1k Views
    • myfamilydeservesbetter

      Hi again.

      My family is learning networking now that we have enabled your product (2.6 fwiw; 2.7 was a total failure of an upgrade from the memstick and direct from the firewall itself, but that is another topic I don't care to discuss the variables of in particular) and we ran into some trouble with your default deny rules:

      block in log inet6 all ridentifier 1000000105 label "Default deny rule IPv6"

      Now, we know from reading your manual that "The PF rules generated by the firewall are in /tmp/rules.debug. However, that file cannot be edited to make persistent changes - the firewall will overwrite it during the next filter reload event."

      Therefore, the only solution we have at this time would appear to be "edits must be made to the source code which generates the ruleset in /etc/inc/filter.inc"

      Not being programmers, we have no idea how to proceed with the following line of "PHP source code" from the # default deny rules section:

      block in {$log['block']} inet6 all ridentifier {$increment_tracker()} label "Default deny rule IPv6"

      Our question is simple.

      Can we simply delete this line from the (PHP) source code to permanently change the default rule so as to enable the IPv6 ability of our network, or do we need to alter this (and possibly other) lines of code to REMOVE the rule PERMANENTLY from re-manifesting itself here: /tmp/rules.debug?

      thank you in advance.

      ~ TIM

      • LinkP

        There is no need to edit pfSense PHP files to manage your firewall rules and you certainly don't need to remove the default deny rule to use IPv6.

        You seem to be having an XY problem. You might be better off to explain your desired outcome before you continue to invest time in modifications that are unlikely to produce desirable results.

        • rcoleman-netgate (Netgate) @myfamilydeservesbetter

          @myfamilydeservesbetter said in Editing the PHP SOURCECODE to enable ipv6 ?! // block in log inet6 all ridentifier 1000000105 label "Default deny rule IPv6":

          Can we simply delete this line from the (PHP) source code to permanently change the default rule so as to enable the IPv6 ability of our network, or do we need to alter this (and possibly other) lines of code to REMOVE the rule PERMANENTLY from re-manifesting itself here: /tmp/rules.debug?

          You can do whatever you want to the source code.

          Your better option is to set a rule that passes IPv6 traffic on the specific interface(s) because you do not want to make changes that compromise the efficacy of your firewall. Patently passing all traffic would mean your entire firewall is a pointless device as it does not filter/block traffic.

          Ryan
          Repeat, after me: MESH IS THE DEVIL! MESH IS THE DEVIL!
          Requesting firmware for your Netgate device? https://go.netgate.com
          Switching: Mikrotik, Netgear, Extreme
          Wireless: Aruba, Ubiquiti

          • SteveITS @myfamilydeservesbetter

            @myfamilydeservesbetter What they said, but basically every firewall has a default block all rule on each interface so it is secure by default. You add rules via the web interface to allow what traffic you want to allow. On pfSense, LAN has added allow rules by default so devices can connect out by default. Trying to edit rules any way other than the GUI is doing it the hard way.

            https://docs.netgate.com/pfsense/en/latest/troubleshooting/firewall.html#review-rule-parameters

            Pre-2.7.2/23.09: Only install packages for your version, or risk breaking it. Select your branch in System/Update/Update Settings.
            When upgrading, allow 10-15 minutes to restart, or more depending on packages and device speed.
            Upvote 👍 helpful posts!

            • Gertjan @myfamilydeservesbetter

              @myfamilydeservesbetter said in Editing the PHP SOURCECODE to enable ipv6 ?! // block in log inet6 all ridentifier 1000000105 label "Default deny rule IPv6":

              My family is learning networking now that we have enabled your product (2.6 fwiw; 2.7 was a total failure of an upgrade from the memstick and direct from the firewall itself, but that is another topic I don't care to discuss the variables of in particular) and we ran into some trouble with your default deny rules:

              block in log inet6 all ridentifier 1000000105 label "Default deny rule IPv6"
              .......
              thank you in advance.

              Your issue was solved the moment you installed pfSense.
              Shortly after that, the admin 'did his thing' and things went downhill.

              When you install pfSense, the LAN is initialised with these two rules:

              [image: screenshot of the two default LAN rules, "Default allow LAN to any rule" (IPv4) and "Default allow LAN IPv6 to any rule"]

              and from that moment on, the final 'hidden' rule you talk about won't be reached any more, as all IPv4 and IPv6 traffic will be passed (handled) already.

              If the "1000000105" (the "Log firewall default blocks") rule still pops up in the firewall log, then this is for sure 'illegal' IPv6 traffic that shouldn't be routed out anyway. Best is to locate the LAN device that initiated this traffic, remove it from your network, and call it a day.

              @myfamilydeservesbetter said in Editing the PHP SOURCECODE to enable ipv6 ?! // block in log inet6 all ridentifier 1000000105 label "Default deny rule IPv6":

              as to enable ipv6 ability of our network

              Use my second rule. It matches 'all' TCPv6 traffic coming into your LAN interface.

              No "help me" PM's please. Use the forum, the community will thank you.
              Edit : and where are the logs ??
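The practical follow-up to the advice above (find the LAN device that is hitting the default deny instead of removing the rule) is to read the firewall log for that tracker ID. The script below is an added example for this thread; it is not code from the thread or from pfSense. It assumes the pfSense 2.x filterlog CSV layout (rule number, sub-rule, anchor, tracker ID, interface, reason, action, direction, IP version, then for IPv6: class, flow label, hop limit, protocol text, protocol ID, length, source, destination, then ports for TCP and UDP). The tracker 1000000105 is taken from the post; the interface name igb1, the other tracker IDs and every address in the sample lines are constructed. Because pfSense writes GUI pass rules with `quick` and lists the default deny ahead of them in /tmp/rules.debug, a flow that matched an interface pass rule never reaches 1000000105, so anything logged under that tracker is traffic no rule on that interface allowed.

```python
"""Find which LAN hosts are hitting the pfSense IPv6 default deny rule.

Added example for this thread, not code from the thread or from pfSense.
Assumes the pfSense 2.x filterlog CSV layout described in the lead-in.
"""
from __future__ import annotations

import re
from collections import Counter, defaultdict
from dataclasses import dataclass

# Tracker ID of the rule quoted in the thread ("Default deny rule IPv6").
DEFAULT_DENY_V6 = "1000000105"

# Everything after "filterlog:" or "filterlog[pid]:" is the CSV payload.
_PAYLOAD = re.compile(r"filterlog(?:\[\d+\])?:\s*(?P<csv>.*)$")


@dataclass(frozen=True)
class Hit:
    tracker: str
    iface: str
    action: str
    direction: str
    proto: str
    src: str
    dst: str
    dport: str  # empty for protocols without ports (ICMPv6 etc.)


def parse_line(line: str) -> Hit | None:
    """Parse one syslog line; None for non-filterlog or non-IPv6 entries."""
    m = _PAYLOAD.search(line)
    if not m:
        return None
    f = m.group("csv").split(",")
    # f[8] is the IP version; the IPv6 header occupies f[9]..f[16].
    if len(f) < 17 or f[8] != "6":
        return None
    proto = f[12].lower()
    dport = f[18] if proto in ("tcp", "udp") and len(f) > 18 else ""
    return Hit(tracker=f[3], iface=f[4], action=f[6], direction=f[7],
               proto=proto, src=f[15], dst=f[16], dport=dport)


def hits_on_default_deny(lines, tracker: str = DEFAULT_DENY_V6):
    """Map source address -> {(iface, proto, dst, dport): count} of blocks by `tracker`."""
    by_src: dict[str, Counter] = defaultdict(Counter)
    for line in lines:
        h = parse_line(line)
        if h is not None and h.tracker == tracker and h.action == "block":
            by_src[h.src][(h.iface, h.proto, h.dst, h.dport)] += 1
    return {src: dict(flows) for src, flows in by_src.items()}


def top_talkers(lines, tracker: str = DEFAULT_DENY_V6, n: int = 5):
    """Source addresses most often blocked by `tracker`, most frequent first."""
    totals = Counter({src: sum(flows.values())
                      for src, flows in hits_on_default_deny(lines, tracker).items()})
    return totals.most_common(n)


def report(lines, tracker: str = DEFAULT_DENY_V6) -> str:
    """Human-readable summary: one block per source, its flows sorted by count."""
    out = []
    hits = hits_on_default_deny(lines, tracker)
    for src, total in top_talkers(lines, tracker, n=len(hits) or 1):
        out.append(f"{src}: blocked {total}x by tracker {tracker}")
        for (iface, proto, dst, dport), count in sorted(hits[src].items(), key=lambda kv: -kv[1]):
            port = f" port {dport}" if dport else ""
            out.append(f"  {count:>3} x {proto:<6} in on {iface} -> {dst}{port}")
    return "\n".join(out) if out else f"no blocks logged for tracker {tracker}"


# Constructed sample lines in the pfSense filterlog layout (not real traffic from
# the poster's firewall): three hosts, one IPv4 entry and one non-filterlog line.
SAMPLE_LOG = """\
Jun  8 10:12:01 pfSense filterlog[11234]: 5,,,1000000105,igb1,match,block,in,6,0x00,0x00000,255,ICMPv6,58,24,fe80::1c2d:3e4f:5a6b:7c8d,ff02::16,
Jun  8 10:12:02 pfSense filterlog[11234]: 5,,,1000000105,igb1,match,block,in,6,0x00,0x00000,64,UDP,17,60,fe80::1c2d:3e4f:5a6b:7c8d,ff02::1:2,546,547,52
Jun  8 10:12:03 pfSense filterlog[11234]: 5,,,1000000105,igb1,match,block,in,6,0x00,0x00000,64,TCP,6,80,2001:db8:1::42,2001:db8:2::10,51844,443,0,S,123456789,,65535,,mss;sackOK
Jun  8 10:12:04 pfSense filterlog[11234]: 8,,,1620000000,igb1,match,pass,in,6,0x00,0x00000,64,TCP,6,80,2001:db8:1::7,2001:db8:2::10,51845,443,0,S,223456789,,65535,,mss;sackOK
Jun  8 10:12:05 pfSense filterlog[11234]: 5,,,1000000103,igb1,match,block,in,4,0x0,,64,0,0,DF,6,tcp,60,192.168.1.100,192.0.2.1,50212,443,0,S,323456789,,65535,,mss
Jun  8 10:12:06 pfSense sshd[2200]: Accepted publickey for admin from 192.168.1.5 port 50000 ssh2
Jun  8 10:12:07 pfSense filterlog[11234]: 5,,,1000000105,igb1,match,block,in,6,0x00,0x00000,64,UDP,17,60,fe80::1c2d:3e4f:5a6b:7c8d,ff02::1:2,546,547,52
"""

if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:  # e.g. python3 triage.py /var/log/filter.log
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            lines = fh.read().splitlines()
    else:
        lines = SAMPLE_LOG.splitlines()
    print(report(lines))
```

Run it on the firewall against /var/log/filter.log (or paste lines copied from Status > System Logs > Firewall). The output lists each source address, how many times it was blocked by the tracker and what it was trying to reach, which is usually enough to tell a host doing DHCPv6 solicits or MLD reports (link-local source, ff02:: destinations) from a device with a stale global address. Blocks from a link-local source to multicast are the normal consequence of having no IPv6 pass rule on that interface; adding the interface pass rule back through the GUI, as the replies suggest, is the fix, not editing filter.inc.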

              • myfamilydeservesbetter @Gertjan

                @Gertjan I also have a green check mark, but with 0 bytes, that seems to be another issue that led me to consider editing the source code.

                I'm going to sideline this issue for now. ty!

                • Gertjan @myfamilydeservesbetter

                  @myfamilydeservesbetter said in Editing the PHP SOURCECODE to enable ipv6 ?! // block in log inet6 all ridentifier 1000000105 label "Default deny rule IPv6":

                  I also have a green check mark

                  The green check mark means: this is a pass rule.
                  Bytes "0" means: the rule hasn't matched (yet) with traffic passed into the interface.

                  Editing the PHP SOURCECODE to enable ipv6

                  Something really strange is going on.

                  Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.