Netgate Discussion Forum
    PfSense boot sequence & files red.

    General pfSense Questions
    mokaz:

      @stephenw10:

      The book has gone out to editors so should be released 'soon'. See this thread:
      https://forum.pfsense.org/index.php?topic=64781.0

      You should not be editing rc.conf.local.
      All the pfSense config is stored in the single file config.xml. What alterations are you wanting to make?

      Steve

      Thanks for your reply Steve & that's excellent news for the book! Will check the thread… Will physical buyers get a digital copy as well? Would be great!!

      Back to my eggs here (hehe) and to reply to myself, here is what I've found on your doc website;

      NOTE on startup scripts: the usual rc.d scripts added to /usr/local/etc/rc.d/ will not function on a pfSense system. There is no rc.conf and you cannot create one as it will be deleted.
      You'll need to create your own startup script in /usr/local/etc/rc.d/ just making sure it ends with .sh and is marked as executable (chmod +x), and it will run at boot time.
      Alternatively if it's something that can be started with a single command you can easily add a <shellcmd> tag to your config.xml.
      

      from here –> https://doc.pfsense.org/index.php/Installing_FreeBSD_Packages

      And toward your question, this is what I'm trying to do:

      ifconfig re0 inet6 0000:0000:0000:0000:0000 -alias
      ifconfig re1 inet6 0000:0000:0000:0000:0000 -alias
      ifconfig re2 inet6 0000:0000:0000:0000:0000 -alias
      

      I'm getting millions of IPv6 ICMP6 entries in my FW log, which I'm willing to completely shut (inet6) on the whole subsystem.

      let me know,
      regards,

      m.

        doktornotor:

        Yes, you are getting millions of entries on your FW log because ICMP is NOT optional with IPv6. Stop doing completely foolish things. First, there's a checkbox in the GUI to disable IPv6 and second you can make a custom FW rule without logging.

          stephenw10 (Netgate Administrator):

          @doktornotor:

          First, there's a checkbox in the GUI to disable IPv6 and second you can make a custom FW rule without logging.

          Two good options depending on whether or not you need IPv6 at all.
          The first option is in System: Advanced: Networking: by the way.

          Steve

            mokaz:

            @doktornotor:

            Yes, you are getting millions of entries on your FW log because ICMP is NOT optional with IPv6. Stop doing completely foolish things. First, there's a checkbox in the GUI to disable IPv6 and second you can make a custom FW rule without logging.

            Yes indeed, I've checked the disable IPv6 checkbox in the GUI, though every interface still gets an IPv6 address assigned.
            And let me add this to your sentence; …and IPv6 is NOT optional with pfSense 2.1.x it seems…

            I don't really get where it is foolish to completely disable something you just don't want on one's system; in my case IPv6.
            It's a bit like saying "yes yes, keep these NFS & FTP services running even if you don't use 'em, somebody will at some point..."

            And yes, if you can enlighten me on that custom rule to do in order to get rid of the ICMP6 messages I'd be pleased.
            Because I've tried but the ICMP6 messages kept being logged on every try...

            Thanks,
            cheers,
            m.

              doktornotor:

              Discussed lots of times on the forum, use the search box. Other than that, you can also disable default rules logging, or simply stop blocking ICMP because it's just completely pointless.

              P.S. IPv6 stopped being optional starting from Windows Vista, it is being used by default on your local network by pretty much every modern OS out there.

                stephenw10 (Netgate Administrator):
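              The two posts above disagree about whether the ICMP6 log entries are a problem worth a rule at all. Before adding a non-logging rule (or turning off default rule logging), it helps to measure how much of the log is actually blocked ICMPv6 and which interface and link-local source it comes from. The POSIX sh script below does that; it is an added example, not code from this thread, from pfSense or from Netgate. It assumes the pfSense 2.x filterlog CSV layout (field positions listed in the comments are an assumption), and the sample log lines are constructed, not captured from a real firewall.

```shell
#!/bin/sh
# Added example: summarise blocked ICMPv6 entries in pfSense filterlog output.
# Assumed field layout after the "filterlog: " token (pfSense 2.x, comma separated):
#   1 rule, 2 sub-rule, 3 anchor, 4 tracker, 5 interface, 6 reason, 7 action,
#   8 direction, 9 ip-version; then for ip-version 6:
#   10 class, 11 flow-label, 12 hop-limit, 13 protocol name, 14 protocol id,
#   15 length, 16 source, 17 destination.

# Constructed sample lines (hypothetical interfaces re0/re1/re2, made-up addresses).
SAMPLE_LOG='Mar 10 10:00:01 pfSense filterlog: 5,,,1000000103,re1,match,block,in,6,0x00,0x00000,255,ICMPv6,58,32,fe80::1c2b:3d4e:5f60:7a8b,ff02::1,
Mar 10 10:00:02 pfSense filterlog: 5,,,1000000103,re1,match,block,in,6,0x00,0x00000,255,ICMPv6,58,32,fe80::1c2b:3d4e:5f60:7a8b,ff02::1,
Mar 10 10:00:03 pfSense filterlog: 5,,,1000000103,re2,match,block,in,6,0x00,0x00000,255,ICMPv6,58,24,fe80::9,ff02::16,
Mar 10 10:00:04 pfSense filterlog: 12,,,1000000112,re0,match,pass,in,4,0x0,,64,12345,0,DF,6,tcp,60,192.0.2.10,198.51.100.5,51000,443,0,S,
Mar 10 10:00:05 pfSense filterlog: 5,,,1000000103,re1,match,block,in,6,0x00,0x00000,255,ICMPv6,58,32,fe80::1c2b:3d4e:5f60:7a8b,ff02::1,'

# Write the constructed sample to the file given as $1 (so the functions can be tried offline).
write_sample_log() {
    printf '%s\n' "$SAMPLE_LOG" > "$1"
}

# Print "interface source count" for every blocked ICMPv6 entry in log file $1,
# most frequent first. Only action=block, ip-version=6 and protocol ICMPv6 count.
blocked_icmp6_summary() {
    awk -F'filterlog: ' 'NF > 1 {
        n = split($2, f, ",")
        if (f[7] == "block" && f[9] == "6" && f[13] == "ICMPv6") {
            count[f[5] " " f[16]]++
        }
    }
    END { for (k in count) print k, count[k] }' "$1" | sort -k3,3nr -k1,1
}

# Total number of blocked ICMPv6 entries in log file $1.
blocked_icmp6_total() {
    blocked_icmp6_summary "$1" | awk '{ s += $3 } END { print s + 0 }'
}

# Share of all filterlog lines in $1 that are blocked ICMPv6, as a whole percent.
blocked_icmp6_percent() {
    lines=$(grep -c 'filterlog: ' "$1" || true)
    blocked=$(blocked_icmp6_total "$1")
    if [ "$lines" -eq 0 ]; then
        echo 0
        return
    fi
    echo $(( blocked * 100 / lines ))
}

# Stand-alone run against the constructed sample.
sample=$(mktemp)
write_sample_log "$sample"
echo "blocked ICMPv6 by interface and source:"
blocked_icmp6_summary "$sample"
echo "total: $(blocked_icmp6_total "$sample")  share of log: $(blocked_icmp6_percent "$sample")%"
rm -f "$sample"
```

On a real box the same functions can be pointed at /var/log/filter.log (or the output of clog on older releases). If nearly all hits are neighbour-discovery multicast from fe80::/10 sources to ff02::/16, that matches the explanation given in the thread: the traffic is the link-local ICMPv6 every IPv6 host emits, and the sensible fix is a pass or block rule for it with logging turned off, not removing the addresses at boot.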

                Do you have your interfaces set as IPv6 type 'none'?

                Here at home my box has been upgraded since 1.2.3 and hence has IPv6 disabled, I would have to have manually enabled it. I see no IPv6 traffic at all.

                Steve

                  doktornotor:

                  Even with IPv6 set to none, the interfaces will have link-local addresses. There is no problem with that really.

                    stephenw10 (Netgate Administrator):

                    I agree it's not a problem. I'm just surprised that I'm seeing absolutely no IPv6 traffic in the firewall logs despite having a variety of OSs running behind the box. Clearly I'm missing something here…  :-\

                    Steve

                      doktornotor:

                      I guess you do not have the bogons rules enabled, because otherwise you'll see a crapload of useless junk in the logs. I've raised multiple complaints about the stupid 8000::/1 entry in /etc/bogonsv6 but got exactly nowhere with a real solution. (The 8000::/1 entry has already broken DHCPv6 multiple times, most of them probably fixed by some ad-hoc stuff behind the scenes.) Also stuff like SSDP/LLMNR is blocked, so if you create a rule on your LAN that states LAN subnet as source (instead of any), you again get a crapload of firewall hits from fe80::/10 - again, got nowhere. I still cannot see how not blocking IPv4 multicasts but blocking IPv6 multicasts on LANs by default makes any sense or is consistent in any way, but I sincerely give up. Feels like fighting with windmills here.

                        stephenw10 (Netgate Administrator):

                        Ah, OK. I don't have bogons blocked on internal networks no. However all of my LAN rules are using LAN subnet(s) as the source rather than any, they're IPv4 rules though.

                        I have found one IPv6 entry in my firewall log, a blocked outgoing ICMP6 packet from my OpenVPN interface. Seems reasonable!  ;)

                        Steve
