Netgate Discussion Forum
    Firewall Log Overrun with IPv6 Errors I can't get rid of

    General pfSense Questions
    23 Posts 6 Posters 4.4k Views
    • guardian Rebel Alliance

      My firewall log is filling up with a lot of IPv6 Errors that I can't get rid of.  I tried putting drop rules (with the log box unchecked) in Floating Rules, LAN and WAN and I still keep getting these errors.  Any suggestions as to what I can do to keep all these log entries?

      [attachments: Firewall_Log_IPv6.jpg, Floating_Rules_IPv6.jpg, Firewall_WAN_Rules_IPv6.jpg, Firewall_LAN_Rules_IPv6.jpg]

      If you find my post useful, please give it a thumbs up!
      pfSense 2.7.2-RELEASE

      • doktornotor Banned

        How about enabling IPv6 on the box?

        • guardian Rebel Alliance

          I guess I should have mentioned that I don't currently need/want IPv6… so far I can get away without it.
          (I'm just about ready for the rubber room setting up and securing IPv4!)

          doktornotor, your suggestion to look at pfctl -vvsr output showed me that the rule:
          https://forum.pfsense.org/index.php?topic=123950.msg685268#msg685268

          @5(1000000003) block drop in log quick inet6 all label "Block all IPv6"
            [ Evaluations: 58461    Packets: 4893      Bytes: 1025925    States: 0    ]

          is above all the rules created by the GUI. Is there some GUI option that I need to change? 
          I've looked and can't see anything.

          Any suggestions would be much appreciated.

          • doktornotor Banned

            Change what? Please read the checkbox description.

            • guardian Rebel Alliance

              My log is filling up with messages because of this rule:

              @5(1000000003) block drop in log quick inet6 all label "Block all IPv6"

              If I understand what is going on, this rule is generated by not enabling IPv6 on the System/Advanced/Networking tab in the GUI.

              I don't see any options regarding logging.  How can I suppress all the messages regarding IPv6?  I have no control of the box connected to the WAN interface.

              • doktornotor Banned

                Yes, that rule is by design. Either disable default block rules logging (Status > System Logs > Settings), or produce your own without logging.

                • guardian Rebel Alliance

                  How do I 'produce your own without logging'?  There is no way I can get my own rule that high up in the chain.

                  I assume that means enable IPv6 and stick in a bunch of block rules - correct?

                  I don't want to turn off all the default rule blocking (just IPv6) since I need them to catch IPv4 problems.

                  If I understand correctly, I can't edit the rule file since it's built dynamically.  Is that correct?

                  • doktornotor Banned

                    No, I mean add your own rule to block IPv6 without logging. If you cannot figure it out, just enable IPv6 and move on.

                    • guardian Rebel Alliance

                      @doktornotor:

                      No, I mean add your own rule to block IPv6 without logging. If you cannot figure it out, just enable IPv6 and move on.

                      Sorry I'm not sure what you mean.  I'm assuming you mean enable IPv6 and add your own rule without logging.  That is what I did… don't like it, because I could make a mistake and delete one of these rules by accident or if I'm reloading the firewall etc.

                      How can I get a rule above the automatically generated rule?  All user rules get put way further down in the list.

                      Maybe a bit overkill, but here are the IPv6 Rules.

                      
                      root: pfctl -vvsr | grep -i ipv6
                      @7(1000000105) block drop in log inet6 all label "Default deny rule IPv6"
                      @8(1000000106) block drop out log inet6 all label "Default deny rule IPv6"
                      @9(1000000107) pass log quick inet6 proto ipv6-icmp all icmp6-type unreach keep state
                      @10(1000000107) pass log quick inet6 proto ipv6-icmp all icmp6-type toobig keep state
                      @11(1000000107) pass log quick inet6 proto ipv6-icmp all icmp6-type neighbrsol keep state
                      @12(1000000107) pass log quick inet6 proto ipv6-icmp all icmp6-type neighbradv keep state
                      @13(1000000108) pass out log quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type echorep keep state
                      @14(1000000108) pass out log quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type routersol keep state
                      @15(1000000108) pass out log quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type routeradv keep state
                      @16(1000000108) pass out log quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type neighbrsol keep state
                      @17(1000000108) pass out log quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type neighbradv keep state
                      @18(1000000109) pass out log quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type echorep keep state
                      @19(1000000109) pass out log quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type routersol keep state
                      @20(1000000109) pass out log quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type routeradv keep state
                      @21(1000000109) pass out log quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type neighbrsol keep state
                      @22(1000000109) pass out log quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type neighbradv keep state
                      @23(1000000110) pass in log quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type echoreq keep state
                      @24(1000000110) pass in log quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type routersol keep state
                      @25(1000000110) pass in log quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type routeradv keep state
                      @26(1000000110) pass in log quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type neighbrsol keep state
                      @27(1000000110) pass in log quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type neighbradv keep state
                      @28(1000000111) pass in log quick inet6 proto ipv6-icmp from ff02::/16 to fe80::/10 icmp6-type echoreq keep state
                      @29(1000000111) pass in log quick inet6 proto ipv6-icmp from ff02::/16 to fe80::/10 icmp6-type routersol keep state
                      @30(1000000111) pass in log quick inet6 proto ipv6-icmp from ff02::/16 to fe80::/10 icmp6-type routeradv keep state
                      @31(1000000111) pass in log quick inet6 proto ipv6-icmp from ff02::/16 to fe80::/10 icmp6-type neighbrsol keep state
                      @32(1000000111) pass in log quick inet6 proto ipv6-icmp from ff02::/16 to fe80::/10 icmp6-type neighbradv keep state
                      @33(1000000112) pass in log quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type echoreq keep state
                      @34(1000000112) pass in log quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type routersol keep state
                      @35(1000000112) pass in log quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type routeradv keep state
                      @36(1000000112) pass in log quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type neighbrsol keep state
                      @37(1000000112) pass in log quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type neighbradv keep state
                      @52(11000) block drop in log quick on em0 from <bogonsv6:79548> to any label "block bogon IPv6 networks from WAN"
                      @66(1000002663) pass in log on lo0 inet6 all flags S/SA keep state label "pass IPv6 loopback"
                      @67(1000002664) pass out log on lo0 inet6 all flags S/SA keep state label "pass IPv6 loopback"
                      @69(1000002666) pass out log inet6 all flags S/SA keep state allow-opts label "let out anything IPv6 from firewall host itself"
                      @76(1469301982) block drop quick on em0 inet6 all label "USER_RULE: Keep IPv6 Noise Out of The Logs"
                      @77(1469301982) block drop quick on em1 inet6 all label "USER_RULE: Keep IPv6 Noise Out of The Logs"
                      @78(1469300765) block drop in quick on em0 inet6 all label "USER_RULE: Noise Block IPv6_WAN-Keeps Log Clean"
                      @80(1483770230) block drop in quick on em1 inet6 all label "USER_RULE: Noise Block IPv6_LAN-Keeps Log Clean"

                      This one worries me a bit since I don't understand the implication of it:

                      @69(1000002666) pass out log inet6 all flags S/SA keep state allow-opts label "let out anything IPv6 from firewall host itself"

                      AFAIK the ICMP rules should be harmless.

                      • KOM
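As an added illustration (not code from pfSense or from anyone in this thread) of why the "Block all IPv6" rule wins no matter what is added in the GUI: pf checks rules top to bottom and the last matching rule wins, except that a matching rule carrying `quick` ends evaluation immediately. The script below applies that order to a constructed listing assembled from the rules quoted above; it understands only the keywords that occur in that listing and assumes the packet's source is not in any table (so the bogon rule never matches).

```python
"""Work out which pf rule decides an IPv6 packet, and whether that rule logs."""
import re

RULE_RE = re.compile(r'^@(\d+)\((\d+)\) (.*?)(?: label "(.*)")?$')


def parse_rule(line):
    """Turn one `@n(tracker) ...` line of `pfctl -vvsr` into a dict; None for other lines."""
    m = RULE_RE.match(line.strip())
    if not m:
        return None
    num, tracker, body, label = m.groups()
    t = body.split()
    rule = {"num": int(num), "tracker": tracker, "label": label or "",
            "action": t[0], "dir": None, "iface": None, "af": None, "proto": None,
            "log": "log" in t, "quick": "quick" in t, "table_src": False}
    for i, tok in enumerate(t):
        if tok in ("in", "out"):
            rule["dir"] = tok
        elif tok == "on":
            rule["iface"] = t[i + 1]          # 'on em0'
        elif tok in ("inet", "inet6"):
            rule["af"] = tok
        elif tok == "proto":
            rule["proto"] = t[i + 1]          # 'proto ipv6-icmp'
        elif tok == "from" and t[i + 1].startswith("<"):
            rule["table_src"] = True          # 'from <bogonsv6>': assumed not to match here
    return rule


def matches(rule, pkt):
    """pkt = {'dir','iface','af','proto'}; a rule field left unset matches anything."""
    if rule["table_src"]:
        return False
    return all(rule[k] in (None, pkt[k]) for k in ("dir", "iface", "af", "proto"))


def decide(listing, pkt):
    """Return the rule pf applies to pkt: the last match, or the first match marked quick."""
    winner = None
    for rule in filter(None, map(parse_rule, listing.splitlines())):
        if matches(rule, pkt):
            winner = rule
            if rule["quick"]:
                break
    return winner


# The rule installed while IPv6 is left disabled (quoted earlier in the thread).
BLOCK_ALL = '@5(1000000003) block drop in log quick inet6 all label "Block all IPv6"'

# Constructed subset of the listing above, as taken with IPv6 enabled.
IPV6_ENABLED = """
@7(1000000105) block drop in log inet6 all label "Default deny rule IPv6"
@8(1000000106) block drop out log inet6 all label "Default deny rule IPv6"
@52(11000) block drop in log quick on em0 from <bogonsv6:79548> to any label "block bogon IPv6 networks from WAN"
@66(1000002663) pass in log on lo0 inet6 all flags S/SA keep state label "pass IPv6 loopback"
@69(1000002666) pass out log inet6 all flags S/SA keep state allow-opts label "let out anything IPv6 from firewall host itself"
@76(1469301982) block drop quick on em0 inet6 all label "USER_RULE: Keep IPv6 Noise Out of The Logs"
@77(1469301982) block drop quick on em1 inet6 all label "USER_RULE: Keep IPv6 Noise Out of The Logs"
"""

if __name__ == "__main__":
    pkt = {"dir": "in", "iface": "em0", "af": "inet6", "proto": "tcp"}
    for name, listing in (("IPv6 disabled", BLOCK_ALL + IPV6_ENABLED),
                          ("IPv6 enabled", IPV6_ENABLED)):
        r = decide(listing, pkt)
        # prints "@5 'Block all IPv6' logs=True" then "@76 ... logs=False"
        print(f"{name}: @{r['num']} {r['label']!r} logs={r['log']}")
```

With the box unchecked, @5 is both first and `quick`, so a later non-logging user rule is never reached; with IPv6 enabled, @7 matches but is not `quick`, so the user's `quick` block at @76 takes over and nothing is logged.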

                        don't like it, because I could make a mistake and delete one of these rules by accident or if I'm reloading the firewall etc.

                        I have no idea what you mean here.  Just create a rule that blocks IPv6.  Put it at the top.  Set it to not log.  That's it.

                        Also, please don't post your issues in more than one thread.

                        • doktornotor Banned

                          @KOM:

                          Also, please don't post your issues in more than one thread.

                          ^^^ That.

                          • guardian Rebel Alliance

                            @KOM:

                            Also, please don't post your issues in more than one thread.

                            Sorry... multiple threads were unintentional. The question changed as I learned more (the other thread was a day or so earlier; I think this thread prompted answers to the first one and two got going). I've made a note on the first thread to continue here since this is the unanswered question. Sorry, it was totally unintentional.

                            @KOM:

                            Just create a rule that blocks IPv6.  Put it at the top.  Set it to not log.  That's it.

                            Can I do it in the shell?  How?

                            It can't be done in the GUI.  I didn't post everything, but the pfctl output shows an "Anchor" for user rules that is much further down and all GUI rules are after that anchor.

                            • KOM

                              It can't be done in the GUI.

                              Why not?

                              • johnpoz LAYER 8 Global Moderator

                                Can you not just uncheck log default rules, then just create your own rule that does the logging you want?  For example, I just log SYN traffic on my WAN; I don't want to see all the other noise like UDP.

                                An intelligent man is sometimes forced to be drunk to spend time with his fools
                                If you get confused: Listen to the Music Play
                                Please don't Chat/PM me for help, unless mod related
                                SG-4860 24.11 | Lab VMs 2.7.2, 24.11

                                • chrcoluk

                                  Bear in mind the OP may possibly be in over his head in making a rule himself. I would suggest the default rule should not be set to log blocked traffic, as after all, if IPv6 is disabled you are unlikely to want to monitor it.

                                  pfSense CE 2.7.2

                                  • chpalmer

                                    @chrcoluk:

                                    Bear in mind the OP may possibly be in over his head in making a rule himself. I would suggest the default rule should not be set to log blocked traffic, as after all, if IPv6 is disabled you are unlikely to want to monitor it.

                                    And that can be dangerous in many ways.  There are many of us that would disagree that the default rule should not log.  I personally do want it logging.

                                    It is easy enough to do what has already been described.  But for those who do better with pictures..

                                    [attachment: ipv6.png]

                                    Triggering snowflakes one by one..
                                    Intel(R) Core(TM) i5-4590T CPU @ 2.00GHz on an M400 WG box.

                                    • chpalmer

                                      Put that rule on WAN and above any other IPv6 rule you might have built.

                                      • guardian Rebel Alliance

                                        @chpalmer:

                                        It is easy enough to do what has already been described.  But for those who do better with pictures..

                                        I appreciate your comment, but that doesn't work... you have to enable IPv6 and then do your own blocking to be able to do that.
                                        Go to the shell and type pfctl -vvsr; you can see that the rules generated by the GUI are at the top, so you can't do anything about them.

                                        @chrcoluk:

                                        Bear in mind the OP may possibly be in over his head in making a rule himself. I would suggest the default rule should not be set to log blocked traffic, as after all, if IPv6 is disabled you are unlikely to want to monitor it.

                                        Right on both counts.

                                        In an ideal world there would be an enable/disable IPv6 logging option beside the box where IPv6 is disabled.

                                        I was thinking that it would be great if there was a way to store Advanced Log Filter profiles that allowed removing things from the output.  Best of both worlds (other than disk space/iops on the storage media)... it's there if needed, but all the noise is hidden (and each user gets to choose what is noise for a given use case).

                                        Since this isn't something that is going to be a priority for the devs anytime soon, I was thinking that my best solution might be to pipe the output of the shell menu command '10) Filter Logs' to a python script and I'll display what I want the way I want it.

                                        Anybody any ideas how to do this?  (Maybe this is a question for a new thread/different part of the forum.)

                                          • johnpoz LAYER 8 Global Moderator
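One way to do the filtering guardian describes, as an added example that is not part of this thread or of pfSense: a Python script that reads filter-log lines on stdin and drops those produced by the "Block all IPv6" tracker (1000000003, from the pfctl output above), keeping everything else, including the IPv4 default-deny entries. It assumes the pfSense filterlog CSV layout named in the docstring and that the raw log lives at /var/log/filter.log; the sample lines are constructed.

```python
"""Hide filter-log lines produced by the "Block all IPv6" rule.

Assumed pfSense filterlog CSV layout (after the 'filterlog[pid]: ' prefix):
rulenum,subrulenum,anchor,tracker,iface,reason,action,direction,ipver, then
IPv4 fields tos,ecn,ttl,id,offset,flags,protoid,proto,length,src,dst or
IPv6 fields class,flowlabel,hoplimit,proto,protoid,length,src,dst.
"""
import sys

COMMON = ["rulenum", "subrulenum", "anchor", "tracker", "iface",
          "reason", "action", "direction", "ipver"]
NOISE_TRACKERS = {"1000000003"}   # tracker id of "Block all IPv6" (see pfctl output above)


def parse_filterlog(line):
    """Return common fields plus proto/src/dst, or None if not a parseable filterlog line."""
    if "filterlog[" not in line:
        return None
    fields = line.split("]: ", 1)[1].rstrip("\n").split(",")
    try:
        rec = dict(zip(COMMON, fields[:9]))
        if rec["ipver"] == "4":
            rec["proto"], rec["src"], rec["dst"] = fields[16], fields[18], fields[19]
        elif rec["ipver"] == "6":
            rec["proto"], rec["src"], rec["dst"] = fields[12], fields[15], fields[16]
        else:
            return None
    except (IndexError, KeyError):
        return None                 # truncated record: leave it visible rather than guess
    return rec


def filter_lines(lines, hide_trackers=NOISE_TRACKERS, hide_ipv6_blocks=False):
    """Return (kept_lines, hidden_counts_by_tracker). Unparseable lines are always kept."""
    kept, hidden = [], {}
    for line in lines:
        rec = parse_filterlog(line)
        if rec is not None:
            noisy = rec["tracker"] in hide_trackers or (
                hide_ipv6_blocks and rec["ipver"] == "6" and rec["action"] == "block")
            if noisy:
                hidden[rec["tracker"]] = hidden.get(rec["tracker"], 0) + 1
                continue
        kept.append(line)
    return kept, hidden


# Constructed sample lines, not real log data. 1000000003 and 1000000105 are the
# tracker ids quoted in this thread; 1000000103 is a placeholder for an IPv4 rule.
SAMPLE = [
    "Jan 10 10:00:01 fw filterlog[9001]: 5,,,1000000003,em0,match,block,in,6,0x00,0x00000,255,ICMPv6,58,32,fe80::1,ff02::1,",
    "Jan 10 10:00:02 fw filterlog[9001]: 6,,,1000000103,em0,match,block,in,4,0x0,,52,4242,0,DF,6,tcp,60,203.0.113.5,198.51.100.7,51000,22,0,S,1:1,,,",
    "Jan 10 10:00:03 fw filterlog[9001]: 7,,,1000000105,em1,match,block,in,6,0x00,0x00000,64,ICMPv6,58,32,fe80::2,ff02::2,",
    "Jan 10 10:00:04 fw sshd[777]: Accepted publickey for admin from 192.0.2.10",
]

if __name__ == "__main__":
    source = SAMPLE if sys.stdin.isatty() else sys.stdin   # e.g. tail -f /var/log/filter.log | python3 this.py
    kept, hidden = filter_lines(source)
    for line in kept:
        sys.stdout.write(line if line.endswith("\n") else line + "\n")
    for tracker, n in hidden.items():
        sys.stderr.write(f"hidden {n} line(s) from tracker {tracker}\n")
```

Pass `hide_ipv6_blocks=True` to hide every logged IPv6 block regardless of tracker, which is the closest equivalent to the per-address-family switch guardian wishes existed.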

                                          If you enable IPv6, and then do not actually enable it on any interface, it's the same as a block rule.  The default deny will block it.  So then you can create any rule you want to block and not log.

                                          I have all the default logs off, and log what I want to see.  But I can turn them back on and see what happens when you use the block IPv6 rule.. But my guess would be that he is correct and the rule that blocks and logs it is triggered before any rule he can put in the gui.

                                            • chpalmer

                                            @guardian:

                                            you have to enable IPv6 and then do your own blocking to be able to

                                            Anybody any ideas how to do this?

                                            Sorry, I should have said that but figured you would get the gist.

                                            Go back to that box you checked and read the whole option. Maybe they need to re-label that box, but all it does is block IPv6 traffic. It does not actually stop the box or anything connected to it from trying.  Never mind renaming, as it already details what it does.

                                            Learn the rule structure..  learn to love the rules structure.

                                            Edit-  Looking at the "system/advanced/networking" tab..

                                            Allow IPv6: All IPv6 traffic will be blocked by the firewall unless this box is checked.
                                            NOTE: This does not disable any IPv6 features on the firewall, it only blocks traffic.

                                            Pretty self explanatory.  All you're doing by clicking the box is making sure you can't override the default block rule already in place.

                                            Then as Johnpoz said..

                                            If you enable IPv6, and then do not actually enable it on any interface, it's the same as a block rule.

                                            Begins to make sense... right?  You're better off going to each interface and setting IPv6 as None. And then also go to each workstation and set them as None.

                                            But seriously- put the tin foil hat away and build an IPv6 block rule for each interface, never put any rule above that and you will never have anything to worry about. If you do that you will not have to worry about any device trying to sneak IPv6 past your firewall, thus you can leave all the client IPv6 active.

                                            Another question..  Do you even have a routable IPv6 address on your WAN?

                                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.