How to hide ipv6 entries in firewall logs?
-
Any
-
I did as you said. But it didn't help. There are ipv6 logs running in firewall logs.
Do I always have to choose "any" as source address by default?
-
Yes, you’ll need to choose “any” as the source. Link-local (fe80:) and multicast IPv6 addresses don’t meet the “LAN2 net” address range. That’s why those addresses still show up in the firewall logs for the LAN2 interface.
-
I have chosen "any" as the source. I am attaching photos. Please have a look and let me know where I am wrong. By the way, I have unchecked "Allow IPv6" and checked "Prefer IPv4 over IPv6" in System / Advanced / Networking.
-
Try doing the same from your other LAN interfaces.
-
Other interfaces has the same settings as others.
I have WAN, LAN, LAN2, LAN3, OPENVPN, IPSEC. -
Hmm should work, have you killed the firewall states ?
There aren't any hits against that firewall rule.
-
Doesn't matter what you put on your interfaces since its being blocked by the BLOCK ALL IPv6 rule you have enabled.
That is what is logging it - I do not believe you can enable that and not log off the top of my head.. if you don't want any logging blocked ipv6.. Just undo that setting.. Then don't allow it.. If your seeing stuff being blocked by the default log, then as stated create an IPv6 block rule for any IPv6 and don't log it.
-
@johnpoz said in How to hide ipv6 entries in firewall logs?:
That is what is logging it - I do not believe you can enable that and not log off the top of my head.. if you don't want any logging blocked ipv6.. Just undo that setting.. Then don't allow it.. If your seeing stuff being blocked by the default log, then as stated create an IPv6 block rule for any IPv6 and don't log it
Drat didn't notice 1000000003, good spot John
-
@emammadov said in How to hide ipv6 entries in firewall logs?:
We don't use IPv6 in our network.
Do you control all the devices in your network? If so and your not wanting to use IPv6 I would actually try and turn it off at the devices. Windows is one chatty kathy that when it comes to noise - out of the box it just doubles all that noise via IPv6. And if your not using it - its pointless to leave all that noise out there..
Simple reg entry or can be disabled in group policy.. Prob a good thing to see the noise so you can turn it off at the source ;)
Linux is not anywhere as chatty... You prob won't hear a peep out of it if you don't have IPv6 at the router.
547 is dhcpv6 - and 5355 is LLMNR, NOISE!!! if your not actually using it. You for sure can turn that off on ipv6.. And that screams windows clients ;)
-
I have checked "Allow IPv6", now I see this entries in firewall logs:
Oct 15 14:08:40 WAN Block ULA networks from WAN block fc00::/7 (12000) 10.128.0.2 my public ip ICMP
You said: if you don't want any logging blocked ipv6.. Just undo that setting.. Then don't allow it
It means, I have to check "Allow IPv6" and then uncheck "Allow IPv6"? I have rules in interfaces that block ipv6.
-
@emammadov said in How to hide ipv6 entries in firewall logs?:
I have checked "Allow IPv6", now I see this entries in firewall logs:
Oct 15 14:08:40 WAN Block ULA networks from WAN block fc00::/7 (12000) 10.128.0.2 my public ip ICMP
You said: if you don't want any logging blocked ipv6.. Just undo that setting.. Then don't allow it
It means, I have to check "Allow IPv6" and then uncheck "Allow IPv6"? I have rules in interfaces that block ipv6.Status -> System Logs -> Settings
Guessing you had these ticked.
-
@emammadov said in How to hide ipv6 entries in firewall logs?:
Then don't allow it
If you do not have Allow rules then ALL is blocked - all interfaces have default deny both ipv6 and Ipv4.. not allowed... Only things that are allowed are hidden like dhcp if you enable dhcp on that interface.. This is just common sense rules because most users are idiots ;) And if they enabled dhcp and it didn't work they would have a no clue how to create the firewall rules ;) I personally think they should be shown.. But that is another topic.
All interfaces will block traffic if not allowed... Not blocking IPv6 just removes that stupid rule :) Then as long as you don't allow it or you put in a block rule on your own.. And don't log then no iPv6 will be allowed or working..
But again - vs just not logging it at the the firewall doesn't remove the NOISE.. your just not logging it - still traffic on your network for no reason if your not using... Why should a client continue to bang its head asking for dhcpv6 if you don't have any dhcpv6 running. Why should it bother with LLMNR if nobody is using it?
Security 101 is do not enable protocols and services your not using. If your NOT using ipv6 - then why should it be enabled and why should it be sending out just craptastic amounts of noise? Turn it off at the client level if you have control of the clients and they allow for it. You could for sure run into some shitty iot device that doesn't allow you to disable something like ipv6.. But from that traffic I would guess windows boxes..
-
Thank you. Now there are no ipv6 logs.
-
Guys. There are two screenshots pointing to the same solution. One suggested by NogBadTheBad and second emammadov so i'm confused which one resolves seeing 1000000003 in firewall log?
My ipv6 is disabled in the general - network settings.
Should i just uncheck: "Log packets matched from default block rules in the ruleset" ???
-
If you disable IPv6 on the firewall you will see IPv6 from clients on the network hitting the lan interface.
If you don’t want to see IPv6 in the logs block them and set the rule not to log if you want to see the IPv4 default deny blocks.
Otherwise set don’t log the default deny.
-
@emammadov said in How to hide ipv6 entries in firewall logs?:
We don't use IPv6 in our network....
"You" don't use IPv6. Me neither. No one does actually.
But your systems, these days, started to use the default IPv6 for about everything - and if that doesn't work out, they fall back to IPv4.
-
@gertjan said in How to hide ipv6 entries in firewall logs?:
No one does actually.
Ha.
Sad but (close to) true.
-
As far as Rango's question about the screenshots, they're the same. emammadov's shows more of the options on the same page, while nogbadthebad's shows just the relevant options for this case.
As far as this goes...
@stephenw10 said in How to hide ipv6 entries in firewall logs?:
@gertjan said in How to hide ipv6 entries in firewall logs?:
No one does actually.Ha.
Sad but (close to) true.I actually beg to differ on this. In mid-2016, Comcast (one of the largest ISPs in the US) saw about 30% of its internet-bound traffic using IPv6. They were expecting to reach 50% by the end of 2016 (no confirmation that they reached that number though) [source link]. I'm sure it's gone up over the past two years, especially as other services and sites are adopting IPv6.
Also, Google publishes statistics showing what percentage of traffic to its services uses IPv6. From the US, over 1/3 of traffic to Google services is over IPv6. Worldwide, it's been fluctuating between 23-25% depending on the day of the week. [source link]
So "no one uses IPv6" is very much false. It is a significant amount of traffic on the internet these days.
-
Users not understanding they are using doesn't really count if you ask me.. Yeah they default windows to prefer IPv6... And then they put in like 3 different methods to get IPv6 tunneled over IPv4..
Yeah this boost the numbers up of ipv6 traffic..
Name 1 service that requires IPv6 to connect to that is main stream - just 1!
There was hope with console games able to use IPv6 for their P2P play, etc.. Where is this? Really?
Yeah comcast deployed IPv6 -- I was on it, it was CRAP! if you ask me... I just used HE tunnel vs comcast rollout since ;) And my new ISP doesn't have it, nor do they list any plans on rolling it out.
You know where it has a foothold - and more than likely accounts for most of the traffic... Your smartphone!!! Billions of the devices.. So yeah it makes sense to give them IPv6 addresses.. Guess what sure dns and stuff like that, and sure some sites are available ipv4 and ipv6 so they hit the IPv6 address of the site. But quite often they have to run it through a gateway so can connect to a site/service that is only IPv4.