Remote syslog flooded with ICMPv6 blocks
-
Hey all,
I hope this is appropriate here. I wasn't able to find any other threads on this topic, so I figured I'd post up the issue and the solution I found.
My syslog server was getting tons of ICMPv6 messages despite having IPv6 turned off as much as possible, and putting in a floating rule not to log ANY IPv6 traffic.
Here's an example line (slightly formatted for Logstash):

{"message":"5,16777216,,1000000003,em1,match,block,in,6,0x00,0x00000,255,ICMPv6,58,32,fe80::201:5cff:fe65:a046,ff02::1,","@version":"1","@timestamp":"2016-03-16T16:40:47.000Z","tags":["firewall","firewall"],"host":"192.168.1.1","evtid":"134","prog":"filterlog"}
Other than turning off logs for blocks altogether, or creating a filter in Logstash, I couldn't get them to stop showing up.
I ended up poking through the docs and config files and came up with the following solution.
I went to /etc/inc/filter.inc and modified the "Block all IPv6" rules as shown below:
// Original rules, commented out: {$log['block']} expands to "log" unless logging of default block rules is disabled
#$ipfrules .= "block in {$log['block']} quick inet6 all tracker {$increment_tracker($tracker)} label \"Block all IPv6\"\n";
#$ipfrules .= "block out {$log['block']} quick inet6 all tracker {$increment_tracker($tracker)} label \"Block all IPv6\"\n";
// Same rules with the log keyword dropped, so blocked IPv6 never reaches filterlog
$ipfrules .= "block in quick inet6 all tracker {$increment_tracker($tracker)} label \"Block all IPv6\"\n";
$ipfrules .= "block out quick inet6 all tracker {$increment_tracker($tracker)} label \"Block all IPv6\"\n";

I then ran /etc/rc.filter_configure to reload the FW. Thankfully they've stopped showing up.
I'm not sure if this is a bug in pfSense or I just missed something, but I figured I might as well document the fix for others who might have this issue.
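The post mentions a Logstash filter as the alternative to editing filter.inc. The following is an added example, not code from the original post or from pfSense, showing what that pipeline-side filter has to do: parse the comma-separated filterlog payload (field order follows the pfSense filterlog format for IPv4 and IPv6 records) and drop only blocked ICMPv6 from a link-local source to link-scope multicast, which is what the quoted line is, while keeping every other block entry and anything it cannot parse. The first sample event is the line quoted in the post; the other two are constructed, and the field names and function names are this example's own.

```python
import ipaddress
import json

# Leading fields shared by every filterlog record (pfSense filterlog format).
COMMON = ("rulenr", "subrulenr", "anchor", "tracker", "interface",
          "reason", "action", "direction", "ipversion")
# Fields that follow for IPv4 and IPv6 records respectively.
V4_FIELDS = ("tos", "ecn", "ttl", "id", "offset", "flags",
             "protoid", "proto", "length", "src", "dst")
V6_FIELDS = ("class", "flowlabel", "hoplimit", "proto", "protoid",
             "length", "src", "dst")

LINK_LOCAL = ipaddress.ip_network("fe80::/10")
LINK_SCOPE_MCAST = ipaddress.ip_network("ff02::/16")  # ff02::1 = all nodes


def parse_filterlog(message):
    """Split a filterlog message into a dict keyed by field name."""
    fields = message.split(",")
    if len(fields) < len(COMMON):
        raise ValueError("not a filterlog record: %r" % message)
    rec = dict(zip(COMMON, fields[:len(COMMON)]))
    rest = fields[len(COMMON):]
    layout = V6_FIELDS if rec["ipversion"] == "6" else V4_FIELDS
    rec.update(zip(layout, rest))
    # Protocol-specific tail (ICMP type/code, TCP/UDP ports, ...) is kept raw.
    rec["extra"] = rest[len(layout):]
    return rec


def is_link_local_icmpv6_block(rec):
    """True only for blocked ICMPv6 from fe80::/10 to ff02::/16.

    Deliberately narrow: ICMPv6 between global addresses, or anything that
    is not ICMPv6, stays in the log because it may be worth investigating.
    """
    if rec.get("ipversion") != "6" or rec.get("action") != "block":
        return False
    if rec.get("proto") != "ICMPv6":
        return False
    try:
        src = ipaddress.ip_address(rec["src"])
        dst = ipaddress.ip_address(rec["dst"])
    except (KeyError, ValueError):
        return False
    return src in LINK_LOCAL and dst in LINK_SCOPE_MCAST


def filter_events(json_lines):
    """Return (kept_events, dropped_count) for a list of JSON event lines."""
    kept = []
    dropped = 0
    for line in json_lines:
        ev = json.loads(line)
        if ev.get("prog") != "filterlog":
            kept.append(ev)
            continue
        try:
            rec = parse_filterlog(ev["message"])
        except (KeyError, ValueError):
            kept.append(ev)  # never silently drop what we cannot parse
            continue
        if is_link_local_icmpv6_block(rec):
            dropped += 1
        else:
            ev["filterlog"] = rec  # parsed fields are useful downstream
            kept.append(ev)
    return kept, dropped


# Sample input: the first event is the line quoted in the post, the other
# two are constructed for this example.
SAMPLE_EVENTS = [
    {"message": "5,16777216,,1000000003,em1,match,block,in,6,0x00,0x00000,255,"
                "ICMPv6,58,32,fe80::201:5cff:fe65:a046,ff02::1,",
     "prog": "filterlog", "host": "192.168.1.1"},
    # Constructed: ICMPv6 between global addresses, must be kept.
    {"message": "5,16777216,,1000000003,em1,match,block,in,6,0x00,0x00000,64,"
                "ICMPv6,58,64,2001:db8::10,2001:db8::1,",
     "prog": "filterlog", "host": "192.168.1.1"},
    # Constructed: IPv4 TCP SYN block, exercises the IPv4 field layout.
    {"message": "6,16777216,,1000000004,em1,match,block,in,4,0x0,,64,12345,0,"
                "DF,6,tcp,60,203.0.113.7,192.168.1.1,44321,22,0,S,1234567890,"
                ",65535,,mss",
     "prog": "filterlog", "host": "192.168.1.1"},
]
SAMPLE_LINES = [json.dumps(e) for e in SAMPLE_EVENTS]

if __name__ == "__main__":
    kept, dropped = filter_events(SAMPLE_LINES)
    print("kept %d, dropped %d" % (len(kept), dropped))
    for ev in kept:
        f = ev["filterlog"]
        print(f["action"], f["direction"], f["proto"], f["src"], "->", f["dst"])
```

The same condition can be written as a Logstash conditional around a drop filter once the message has been split into fields; the point is to key the drop on source/destination scope and protocol, not on "everything IPv6". Unlike a hand edit of /etc/inc/filter.inc, which a pfSense upgrade overwrites, a pipeline-side filter survives upgrades, and the tracker value in each record still lets you see which rule produced the entries you chose to keep.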
-
Don't manually modify anything. Either disable logging of default block rules, which will disable that logging, or uncheck "Allow IPv6" so your floating rule can match and block without logging.