Router Advertisements (revisited)

mdpugh

Is there no way to (for the time being) block RAs on certain interfaces?

Efonnes

The rule you mentioned does not have the "quick" keyword on it, so any rules below it should be able to override it.

mdpugh

Okay.  But the rule generated by my configuration

block drop out log quick on em1 inet6 proto ipv6-icmp all icmp6-type routeradv

is not blocking router advertisements on em1.  So what is wrong?

mdpugh

Maybe I need clarification on rule order.  According to http://doc.pfsense.org/index.php/Firewall_Rule_Basics, the first rule matched wins, which jibes with my dilemma and is the basis for my thinking the autogenerated rule was overriding my rule.  But according to http://openbsd.org/faq/pf/filter.html, it's the last rule matched that wins, which (a) agrees with what Efonne is saying, (b) makes sense in light of the quick keyword function, and makes the most sense to me.  Yet, if the latter is the case, why isn't my rule working?

jimp

Have you tried making the rule more general to see if you can get it to block? Are you logging the block?

You could hand edit /tmp/rules.debug and move it above the other, then pfctl -f /tmp/rules.debug and see if it behaves differently.

What you are saying about rule order is essentially right.

The rules on our interface tabs are always first-match-wins, because they all have 'quick' set. Rules on the floating tab can work either way (depending on whether or not you have 'quick' checked on the floating rule). Some of our internal rules do not have 'quick' set so they can be overridden by user rules.

mdpugh

I changed the rule to read

block drop out log on em1 inet6 all

with no effect.  This time, though, I paid closer attention to the output of pfctl -s rules.  The offending autogenerated rule is not the one I mentioned, but instead is

pass out quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type routeradv keep state.

How do I get around this one?

jimp

There probably isn't a way around that if it's above the user rules. databeestje will probably have to comment on that one, I don't know if there is an option or bypass for it.

mdpugh

I edited /tmp/rules.debug and removed quick from this line:

pass out quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type {128,133,134,135,136} keep state.

This solved my problem, but I don't know if any other rules further down (other than mine) will override this one now.  I don't see any, but I haven't exactly studied the file.  How do I make this edit persistent (assuming nothing else is broken as a result of the change).  It is, after all, just a rig until router advertisements are fixed.

jimp

Edit the line in /etc/inc/filter.inc

https://github.com/bsdperimeter/pfsense/blob/master/etc/inc/filter.inc#L2286

mdpugh

I made this change and now have the desired functionality.  Actually, I changed the line following the one highlighted at https://github.com/bsdperimeter/pfsense/blob/master/etc/inc/filter.inc#L2286 because it is the one causing me problems.  Now that it's blocking and logging, I can confirm beyond a shadow of doubt that RAs are being sent down the gif tunnels too when not blocked.  Thanks for the assistance!  Now, I think I'll tinker with fixing the RAs.  :)