Netgate Discussion Forum

add Enabling IPv6 Source Address Validation support

2.5 Development Snapshots (Retired)
  • Y
    yon 0
    last edited by Jan 29, 2021, 8:01 AM

    I have not found anything about this. How do I enable IPv6 Source Address Validation support in a pfSense system?

    After testing, I am still vulnerable to false IP attacks, and I received a security breach notification email.

    They sent the mail. https://imaal.byu.edu/dsav/faq.html

    I only see this:

    Anti-spoofing Rules
    pfSense uses the antispoof feature in pf to block spoofed traffic. This provides Unicast Reverse Path Forwarding (uRPF) functionality as defined in RFC 3704. The firewall checks each packet against its routing table, and if a connection attempt comes from a source IP address on an interface where the firewall knows that network does not reside, it is dropped. For example, a packet coming in WAN with a source IP address of an internal network is dropped. Anything initiated on the internal network with a source IP address that does not reside on the internal network is dropped.
    
    • V
      viktor_g Netgate
      last edited by Feb 4, 2021, 7:17 AM

      Please create a feature request https://docs.netgate.com/pfsense/en/latest/development/feature-requests.html

      See pf.conf(4):

      Addresses can be specified in CIDR notation (matching netblocks),
      as symbolic host names, interface names or interface group names,
      or as any of the following keywords:

      any            Any address.
      no-route       Any address which is not currently routable.
      urpf-failed    Any source address that fails a unicast reverse
                     path forwarding (URPF) check, i.e. packets coming
                     in on an interface other than that which holds the
                     route back to the packet's source address.
      <table>        Any address that matches the given table.
      
      • Y
        yon 0 @viktor_g
        last edited by Feb 4, 2021, 3:44 PM

        @viktor_g

        I did it. https://redmine.pfsense.org/issues/11369

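The reverse-path check that the pf.conf(4) excerpt in this thread describes for `urpf-failed`, modelled for IPv6 and IPv4 sources as an added example (not code from the thread, pfSense or pf). The routing table, interface names and packets are constructed for illustration; the model assumes a single best route per prefix chosen by longest-prefix match.

```python
import ipaddress

# Constructed routing table: (prefix, interface holding the route).
# 2001:db8::/32 and 192.0.2.0/24 are documentation ranges.
ROUTES = [
    ("::/0", "wan"),
    ("2001:db8:1::/48", "lan"),
    ("2001:db8:1:ff::/64", "dmz"),
    ("0.0.0.0/0", "wan"),
    ("192.0.2.0/24", "lan"),
]


def build_table(routes):
    """Parse prefix strings into network objects once, up front."""
    return [(ipaddress.ip_network(prefix), ifname) for prefix, ifname in routes]


def route_interface(table, addr):
    """Return the interface of the longest matching prefix, or None if unroutable."""
    ip = ipaddress.ip_address(addr)
    best = None
    for net, ifname in table:
        if ip.version != net.version or ip not in net:
            continue
        if best is None or net.prefixlen > best[0].prefixlen:
            best = (net, ifname)
    return best[1] if best else None


def urpf_failed(table, in_if, src):
    """True when the packet arrived on an interface other than the one
    that holds the route back to its source address."""
    return route_interface(table, src) != in_if


def classify(table, packets):
    """Return (in_if, src, verdict) for each constructed (in_if, src) pair."""
    return [(i, s, "block" if urpf_failed(table, i, s) else "pass")
            for i, s in packets]


if __name__ == "__main__":
    table = build_table(ROUTES)
    sample = [                          # constructed packets
        ("wan", "2001:db8:1::10"),      # internal source arriving from outside
        ("lan", "2001:db8:1::10"),      # internal source on its own interface
        ("lan", "2001:db8:2::1"),       # source not on the LAN prefix
        ("wan", "2001:4860:4860::8888"),
    ]
    for in_if, src, verdict in classify(table, sample):
        print(f"{in_if:4} {src:24} {verdict}")
```

With more than one path back to a source (multi-WAN, asymmetric routing), a check this strict also blocks legitimate traffic, which is the case RFC 3704 treats separately.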