Netgate Discussion Forum
    ICMPv6 incorrectly blocked by default rule

    General pfSense Questions
    cyberzeus:

      I have configured block all-IPv6 rules at the bottom of the 3 FW rule sections: Floating, WAN, & LAN.  All three rules are all-encompassing, meaning they match ANY source, ANY destination, and ANY protocol.  And finally, all are set to NOT log hits.

      Despite this, I still see a bunch of log entries for blocked ICMPv6 traffic on both the WAN & LAN interfaces due to the implicit block rule.  I believe it is the implicit rule because (1) if I disable the logging of hits to implicit block rules, the log entries stop; (2) the rule name shown in the log is not one of the names I entered in my explicit rules; and (3) the little torso icon is NOT present in these log entries.

      To confirm this, I then added new block rules on both the WAN & LAN interfaces that specifically target ICMPv6 (any) - no joy: the log entries persist on both interfaces.

      I really want to keep the log for default rule hits as this is a good trap to discover any potential rule leakage.  And while the logging part of this isn't really a biggie, I do wonder why the FW appears to not be blocking traffic as it should be.

      A couple of final points: (a) the rule ID for both LAN & WAN log entries is the same; (b) the only rule that shows any evaluations is the block all-v6 floating rule - all other block-v6 rules show no evaluations at all.

      Let me know your thoughts - thanks.
      Attachments (screenshots): thor_v6-rules_float.jpg, thor_v6-rules_wan.jpg, thor_v6-rules_lan.jpg, thor_v6-logs.jpg

    jimp (Rebel Alliance Developer, Netgate):

        That isn't the default IPv6 block, it's the "Block all IPv6" rule controlled by the master IPv6 on/off switch.

        System > Advanced, Networking tab, check "Allow IPv6" and then your rules will be respected.

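The following is an added illustration, not code from the thread or from pfSense itself. It models pf's rule-matching semantics (rules are walked top to bottom, the last matching rule wins unless a matching rule carries `quick`, which ends evaluation on the spot) against a ruleset laid out the way jimp's answer implies: a global IPv6 block that exists only while "Allow IPv6" is unchecked, followed by the user's own rules. The rule order, the labels and the interface names `em0`/`em1` are assumptions modelled on the thread, not a parse of a real rules.debug; the sample packets are constructed. Running it shows the symptoms the question describes: one interface-less rule decides inbound ICMPv6 on both WAN and LAN (hence one rule ID in both logs), and every later IPv6 rule stays at zero evaluations. Flipping the switch lets the same packet fall through to the poster's explicit ICMPv6 rule.

```python
"""Model of pf rule evaluation, added to illustrate the thread's symptom.

pf walks the ruleset top to bottom. The last matching rule decides the
packet unless a matching rule carries 'quick', which stops evaluation
immediately. Rules below a 'quick' match are never evaluated, so their
evaluation counters stay at zero, and a single interface-less rule logs
with the same rule ID on every interface.
"""
from dataclasses import dataclass


@dataclass
class Rule:
    action: str             # "block" or "pass"
    direction: str          # "in" or "out"
    quick: bool             # stop evaluation on match
    af: str                 # "inet", "inet6" or "any"
    proto: str              # "ipv6-icmp", "tcp", ... or "any"
    label: str
    interface: str = "any"  # "any" = floating/global rule, no interface
    evaluations: int = 0    # what 'pfctl -vsr' reports as Evaluations


@dataclass
class Packet:
    direction: str
    af: str
    proto: str
    interface: str


def matches(rule: Rule, pkt: Packet) -> bool:
    return (rule.direction == pkt.direction
            and rule.af in ("any", pkt.af)
            and rule.proto in ("any", pkt.proto)
            and rule.interface in ("any", pkt.interface))


def evaluate(rules, pkt):
    """Return the rule that decides pkt, bumping evaluation counters like pf."""
    winner = None
    for rule in rules:
        rule.evaluations += 1
        if matches(rule, pkt):
            winner = rule
            if rule.quick:
                break            # 'quick': nothing below is looked at
    return winner


def build_ruleset(ipv6allow: bool):
    """Assumed layout (hypothetical labels modelled on the thread, not read
    from a real rules.debug): global IPv6 block while the master switch is
    off, then default deny, then the poster's own rules."""
    rules = []
    if not ipv6allow:
        rules.append(Rule("block", "in", True, "inet6", "any", "Block all IPv6"))
        rules.append(Rule("block", "out", True, "inet6", "any", "Block all IPv6"))
    rules.append(Rule("block", "in", False, "inet", "any", "Default deny rule IPv4"))
    rules.append(Rule("block", "in", False, "inet6", "any", "Default deny rule IPv6"))
    # Floating rule: pfSense leaves these non-quick unless "Quick" is ticked
    rules.append(Rule("block", "in", False, "inet6", "any", "USER block all v6 (floating)"))
    # Interface-tab rules: pfSense generates these with 'quick'
    rules.append(Rule("block", "in", True, "inet6", "ipv6-icmp", "USER block ICMPv6 (WAN)", "em0"))
    rules.append(Rule("block", "in", True, "inet6", "any", "USER block all v6 (WAN)", "em0"))
    rules.append(Rule("block", "in", True, "inet6", "ipv6-icmp", "USER block ICMPv6 (LAN)", "em1"))
    rules.append(Rule("block", "in", True, "inet6", "any", "USER block all v6 (LAN)", "em1"))
    return rules


def decide(ipv6allow: bool, pkt: Packet):
    """Return (winning label, its rule index, user rules never evaluated)."""
    rules = build_ruleset(ipv6allow)
    winner = evaluate(rules, pkt)
    idle = [r.label for r in rules
            if r.label.startswith("USER") and r.evaluations == 0]
    return winner.label, rules.index(winner), idle


if __name__ == "__main__":
    # Constructed sample packets: inbound ICMPv6 on WAN (em0) and LAN (em1)
    wan = Packet("in", "inet6", "ipv6-icmp", "em0")
    lan = Packet("in", "inet6", "ipv6-icmp", "em1")
    for allow in (False, True):
        print(f"Allow IPv6 = {allow}")
        for pkt in (wan, lan):
            label, idx, idle = decide(allow, pkt)
            print(f"  {pkt.interface}: decided by rule @{idx} '{label}'; "
                  f"user rules never evaluated: {idle}")
```

The practical check this encodes: when a rule you wrote shows zero evaluations in Status > System Logs or `pfctl -vsr`, look for a `quick` rule above it that already matched, rather than assuming your rule is broken.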
    cyberzeus:

          @jimp - that did it - many thanks.

          Also, is there any way to have that ipv6-master switch not log traffic?

          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.