IPv6 VIPS, on any interface, are potentially accessible from WAN via 'This firewall (self)'; is this expected?
-
I imagine this behaviour is 'by design' but it sure took me by surprise. It would be good to know if this is intended or a bug.
My ISP provides me with a routed /48 prefix <p48>.
My WAN interface has an address assigned from <p48>:0::/64.
I have 4 internal subnets that are <p48>:1::/64, <p48>:5::/64, <p48>:d::/64 and <p48>:f::/64.
The router interface for each of those subnets is assigned the ::1 address (so <p48>:1::1, <p48>:5::1 and so on). These addresses are not accessible from the Internet (no firewall rules to allow the traffic).
I have created a VIP (IP alias) on each of the internal router interfaces; <p48>:1::123/64, <p48>:5::123/64 and so on.
If I create a firewall rule on the WAN interface allowing some kinds of IPv6 traffic to reach 'This firewall (self)' then that traffic can reach not only the WAN IP but also all of the VIPs that I mentioned above (but not the base interface underlying each VIP).
It seems like directly assigned internal interface IPv6 addresses are not considered part of 'This firewall (self)' but VIPs created on those interfaces are considered part of 'This firewall (self)'.
To me this is both inconsistent (and wrong)...
-
Hmm, that does seem unexpected. 'This Firewall' should include all IP addresses assigned locally to pfSense.
What pfSense version are you seeing that in?
-
This is 25.07. I don't know if it was the same under 24.11 as I only 'discovered' this behaviour today. It's possible my testing was flawed but I was more concerned at locking down access at the time than definitively characterising how it works!
Good to know how it is supposed to work, though that does make it much less useful.
-
@ChrisJenk said in IPv6 VIPS, on any interface, are potentially accessible from WAN via 'This firewall (self)'; is this expected?:
If I create a firewall rule on the WAN interface allowing some kinds of IPv6 traffic to reach 'This firewall (self)' then that traffic can reach not only the WAN IP but also all of the VIPs that I mentioned above (but not the base interface underlying each VIP).
It seems like directly assigned internal interface IPv6 addresses are not considered part of 'This firewall (self)' but VIPs created on those interfaces are considered part of 'This firewall (self)'.
To me this is both inconsistent (and wrong)...
Quick question... how are you testing reachability? ICMP? TCP/UDP? Something else?
-
Yes if you block access to 'this firewall' it should block access on every IP address it might be listening on. So all interfaces IPs and all VIPs.
That value is actually the pf keyword 'self' which is defined in some low-level code. It's not pfSense specific. Let me see if I can find anything...
-
I can't replicate that here with a test block rule. It blocks both VIPs and local interface IPs as destinations.
If you can replicate it knowing how it's supposed to behave I can dig further.
-
@stephenw10 I did some more detailed and precise testing this morning now that I'm not scrambling to close some holes due to over permissive rules.
I was mistaken, so sorry for the false alarm. I've also learned something important about the 'This firewall (self)' target - that it has much wider scope than I had realised. Useful for block rules, somewhat less so for pass rules! I've switched to XXX address or XXX subnet for a few rules and all is now good again.
Guess I should have RTFM more carefully.
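As an added illustration, not posted by anyone in this thread, of the 'self' scope stephenw10 describes and the 'XXX address' fix ChrisJenk settled on: in pf.conf syntax, a pass rule to `(self)` matches every address assigned to any interface on the box (IP aliases included), while `($wan)` expands only to the WAN interface's own addresses. The interface name, the port and the prefix placeholders are assumptions, not values from the thread.

```pf
# Constructed example in pf.conf syntax. The interface name and port are
# placeholders; <p48> stands in for the routed /48 as in the thread.
wan = "vtnet0"

# Too broad for a pass rule: 'This firewall (self)' expands to every address
# assigned to every interface, so traffic arriving on WAN can also reach the
# internal IP aliases (<p48>:1::123, <p48>:5::123, ...) on this port.
pass in on $wan inet6 proto tcp from any to (self) port 443

# Narrow: ($wan) expands only to the addresses on the WAN interface itself
# (pfSense's 'WAN address'), so the internal aliases are not exposed.
pass in on $wan inet6 proto tcp from any to ($wan) port 443

# The wide scope is exactly what a block rule wants: this covers all
# interface addresses and all VIPs in one rule.
block in on $wan inet6 from any to (self)
```

In pfSense the first rule is what a WAN pass rule with destination 'This firewall (self)' generates; the second is what 'WAN address' generates.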