Firewall Log Overrun with IPv6 Errors I can't get rid of

johnpoz

can you not just uncheck log default rules.. Then just create your own rule that does the logging you want.  For example I just log SYN traffic on my wan, I don't want see all the other noise like UDP..

chrcoluk

bear in mind the OP may possibly be in over his head in making a rule himself, I would suggest the default rule should not be set to log blocked traffic, as after all if ipv6 is disabled you are unlikely to want to monitor it.

chpalmer

@chrcoluk:

bear in mind the OP may possibly be in over his head in making a rule himself, I would suggest the default rule should not be set to log blocked traffic, as after all if ipv6 is disabled you are unlikely to want to monitor it.

And that can be dangerous in many ways.  There are many of us that would disagree that the default rule should not log.  I personally do want it logging.

It is easy enough to do what has already been described.  But for those who do better with pictures..

chpalmer

Put that rule on WAN and above any other IPv6 rule you might have built.

guardian

@chpalmer:

It is easy enough to do what has already been described.  But for those who do better with pictures..

I appreciate your comment, but that doesn't work… you have to enable IPv6 and then do your own blocking to be able to do that. 
Go to the shell and type pfctl -vvsr - You can see that the rules generated by the GUI are at the top, so you can't do anything about them.

@chrcoluk:

bear in mind the OP may possibly be in over his head in making a rule himself, I would suggest the default rule should not be set to log blocked traffic, as after all if ipv6 is disabled you are unlikely to want to monitor it.

Right on both counts.

In a ideal world there would be an disable/disable ipv6 logging beside the box where ipv6 is disabled.

I was thinking that it would be great if there was a way to store Advanced Log Filter profiles that allowed removing things from the output.  Best of both worlds (other than disk space/iops on the storage media)… It's there if needed, but all the noise is hidden (but each user gets to choose what is noise for a given use case.

Since this isn't something that is going to be a priority for the devs anytime soon, I was thinking that my best solution might be to pipe the output of the shell menu command '10) Filter Logs' to a python script and I'll display what I want the way I want it.

Anybody any ideas how to do this?  (Maybe this is a question for a new thread/different part of the forum.)

johnpoz

If you enable IPv6, and then do not actually enable it on any interface.  Its the same as block rule.. The default deny will block it.  So then you can then create any rule you want to block and not log.

I have all the default logs off, and log what I want to see.  But I can turn them back on and see what happens when you use the block IPv6 rule.. But my guess would be that he is correct and the rule that blocks and logs it is triggered before any rule he can put in the gui.

chpalmer

@guardian:

you have to enable IPv6 and then do your own blocking to be able to

Anybody any ideas how to do this?

Sorry I should have said that but figured you would get the jist..

Go back to that box you checked and read the whole option.. maybe they need to re-label that box but all it does is block ipv6 traffic. Doe not actually stop the box or anything connected to it from trying.  Nevermind renaming as it already details what it does.

Learn the rule structure..  learn to love the rules structure.

Edit-  Looking at the "system/advanced/networking" tab..

Allow IPv6  All IPv6 traffic will be blocked by the firewall unless this box is checked
NOTE: This does not disable any IPv6 features on the firewall, it only blocks traffic.

Pretty self explanatory..  All your doing by clicking the box is making sure you can't override the default block rule already in place.

Then as Johnpoz said..

If you enable IPv6, and then do not actually enable it on any interface.  Its the same as block rule..

Begins to make sense… right?  Your better off going to each interface and setting IPv6 as None. And then also go to each workstation and set them as None.

But seriously- put the tin foil hat away and build an IPv6 block rule for each interface, never put any rule above that and you will never have anything to worry about. If you do that you will not have to worry about any device trying to sneak IPv6 past your firewall, thus you can leave all the client IPv6 active.

Another question..  Do you even have a routable IPv6 address on your WAN?

guardian

Thanks  Chpalmer….

@chpalmer:

Go back to that box you checked and read the whole option.. maybe they need to re-label that box but all it does is block ipv6 traffic. Doe not actually stop the box or anything connected to it from trying.  Nevermind renaming as it already details what it does.

Learn the rule structure..  learn to love the rules structure.

Edit-  Looking at the "system/advanced/networking" tab..

Allow IPv6  All IPv6 traffic will be blocked by the firewall unless this box is checked
NOTE: This does not disable any IPv6 features on the firewall, it only blocks traffic.

Pretty self explanatory..  All your doing by clicking the box is making sure you can't override the default block rule already in place.

That makes it much much clearer - for some reason I missed the NOTE.  I don't remember it being there when I first set things up several months ago (v2.3.RC?).  Maybe it was and I just forgot.  It was only once Johnpoz gave me pfctl -vvsr so I could see what is going on under the hood that the light went on.

@chpalmer:

Then as Johnpoz said..

If you enable IPv6, and then do not actually enable it on any interface.  Its the same as block rule..

Begins to make sense… right?  Your better off going to each interface and setting IPv6 as None. And then also go to each workstation and set them as None.

This is a point that I missed… if every interface is set to IPv4 only... no way for IPv6 to get in.

@chpalmer:

Another question..  Do you even have a routable IPv6 address on your WAN?

Since I'm just testing, all I have is one box connected to pfSense.  It's Linux, and I just figured out how to disable IPv6 yesterday.  I was using a Windows box and it is was creating IPv6 (couldn't figure out how to turn it off)… Also a ton of Torredo... They sure have that protocol well named... it does burrow like a parasitic worm!

At this point, I don't THINK so... but I'm not sure... I've been doing my best to get it turned off.

I haven't got a switch YET that has port snooping, but I've got an SG-300 on order.

johnpoz

On windows the simple way to disable ipv6 and all those nonsense isatap, teredo, 6to4 is just simple reg entry

reg add hklm\system\currentcontrolset\services\tcpip6\parameters /v DisabledComponents /t REG_DWORD /d 255

Now you get a clean ipconfig /all as well ;)

> ipconfig /all

Windows IP Configuration

   Host Name . . . . . . . . . . . . : i5-win
   Primary Dns Suffix  . . . . . . . :
   Node Type . . . . . . . . . . . . : Hybrid
   IP Routing Enabled. . . . . . . . : No
   WINS Proxy Enabled. . . . . . . . : No
   DNS Suffix Search List. . . . . . : local.lan

Ethernet adapter Local:

   Connection-specific DNS Suffix  . : local.lan
   Description . . . . . . . . . . . : Broadcom NetLink (TM) Gigabit Ethernet
   Physical Address. . . . . . . . . : 18-03-73-B1-0D-D3
   DHCP Enabled. . . . . . . . . . . : Yes
   Autoconfiguration Enabled . . . . : Yes
   IPv4 Address. . . . . . . . . . . : 192.168.9.100(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Lease Obtained. . . . . . . . . . : Sunday, January 15, 2017 8:15:14 AM
   Lease Expires . . . . . . . . . . : Friday, January 20, 2017 8:15:13 AM
   Default Gateway . . . . . . . . . : 192.168.9.253
   DHCP Server . . . . . . . . . . . : 192.168.9.253
   DNS Servers . . . . . . . . . . . : 192.168.3.10
   NetBIOS over Tcpip. . . . . . . . : Enabled

guardian

Thanks… That also helps alot!