ICMPv6 incorrectly blocked by default rule

  • I have configured block all-IPv6 rules at the bottom of the 3 FW rule sections: Floating, WAN, & LAN.  All three rules are all-encompassing, meaning they match ANY source, ANY destination, and ANY protocol.  And finally, all are set to NOT log hits.

    Despite this, I still see a bunch of log entries for blocked ICMPv6 traffic on both the WAN & LAN interfaces due to the implicit block rule.  I believe it is the implicit rule because (1) if I disable the logging of hits to implicit block rules, the log entries stop; (2) the rule name shown in the log is not one of the names I entered in my explicit rules; and (3) the little torso icon is NOT present in these log entries.

    To confirm this, I then added new block rules on both the WAN & LAN interfaces that specifically target ICMPv6(any) - no joy…the log entries persist on both interfaces.

    I really want to keep the log for default rule hits as this is a good trap to discover any potential rule leakage.  And while the logging part of this isn't really a biggie, I do wonder why the FW appears to not be blocking traffic as it should be.

    Couple of final points: (a) The rule ID for both LAN & WAN log entries is the same; (b) the only rule that shows any evaluations is the block all-v6 floating rule - all other block v6 rules show no evaluations at all.

    Let me know your thoughts - thanks.
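The triage done by hand above (blocked ICMPv6 entries on two interfaces sharing one rule ID) can be automated from the raw filterlog lines. The following is an added example, not code from the thread or from pfSense; it parses the documented filterlog CSV layout (common fields, then the IPv6 fields) and groups blocked ICMPv6 hits by tracker ID and interface. The log lines, interface names, tracker IDs and addresses are constructed placeholders.

```python
import re
from collections import Counter

# Constructed sample lines in pfSense filterlog layout (placeholders, not from the thread).
SAMPLE_LOG = """\
Mar  5 16:42:39 fw filterlog[12345]: 9,,,1000000003,igb0,match,block,in,6,0x00,0x00000,255,ICMPv6,58,32,fe80::1,ff02::1
Mar  5 16:42:40 fw filterlog[12345]: 9,,,1000000003,igb1,match,block,in,6,0x00,0x00000,255,ICMPv6,58,24,fe80::2,ff02::16
Mar  5 16:42:41 fw filterlog[12345]: 12,,,1584000000,igb0,match,block,in,6,0x00,0x00000,64,TCP,6,40,2001:db8::5,2001:db8::1
Mar  5 16:42:42 fw filterlog[12345]: 5,,,1000000103,igb1,match,pass,out,4,0x0,,64,0,0,DF,17,udp,60,10.0.0.2,10.0.0.1
"""

FILTERLOG_RE = re.compile(r"filterlog\[\d+\]: (?P<csv>.*)$")

def parse_line(line):
    """Return the common fields (plus IPv6 fields when present) of one filterlog line, or None."""
    m = FILTERLOG_RE.search(line)
    if not m:
        return None
    f = m.group("csv").split(",")
    if len(f) < 9:
        return None
    # Common fields: rulenr, subrulenr, anchor, tracker, interface, reason, action, direction, ip-version
    rec = {"rulenr": f[0], "tracker": f[3], "iface": f[4], "reason": f[5],
           "action": f[6], "dir": f[7], "ipver": f[8]}
    # IPv6 fields: class, flow-label, hop-limit, proto-text, proto-id, length, src, dst
    if rec["ipver"] == "6" and len(f) >= 17:
        rec.update({"proto": f[12], "protonum": f[13], "src": f[15], "dst": f[16]})
    return rec

def blocked_icmpv6_by_tracker(log_text):
    """Count blocked ICMPv6 (protocol 58) entries per (tracker id, interface)."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["action"] == "block" and rec.get("protonum") == "58":
            counts[(rec["tracker"], rec["iface"])] += 1
    return counts

def trackers_spanning_interfaces(counts):
    """Tracker ids that log blocks on more than one interface, i.e. one rule hit from both WAN and LAN."""
    per_tracker = {}
    for tracker, iface in counts:
        per_tracker.setdefault(tracker, set()).add(iface)
    return sorted(t for t, ifaces in per_tracker.items() if len(ifaces) > 1)

if __name__ == "__main__":
    hits = blocked_icmpv6_by_tracker(SAMPLE_LOG)
    for (tracker, iface), n in sorted(hits.items()):
        print(f"tracker {tracker} on {iface}: {n} blocked ICMPv6")
    print("trackers seen on multiple interfaces:", trackers_spanning_interfaces(hits))
```

A tracker ID that appears on every interface while none of your own rules show evaluations is the sign that a rule outside your rule sets is matching first.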

  • Rebel Alliance Developer Netgate

    That isn't the default IPv6 block, it's the "Block all IPv6" rule controlled by the master IPv6 on/off switch.

    System > Advanced, Networking tab, check "Allow IPv6" and then your rules will be respected.

  • @jimp - that did it - many thanks.

    Also, is there any way to have that ipv6-master switch not log traffic?
