Gotcha: Default-allow rules also apply to IPv6 traffic
-
Note: This post applies to pfSense 1.2. I have not tried this on pfSense 1.2.1 and 1.2.2, since that'd mean doing a remote upgrade on a production machine that is currently about 600 kilometers away from my current location. I have also not tried this on pfSense 2.0 – same reason. It's a production machine that I don't want to futz with without reason.
Anyway...
The FreeBSD kernel that is supplied with pfSense 1.2 has IPv6 activated. That means that it automatically assigns a link-local IP address and also (untested) would probably assign a routable IP address if it hears any IPv6 router advertisements.
This is a problem for anyone who has a default-allow on the end of their ruleset. We have a DMZ setup in that way, for example - a default-allow on the end, and traffic into our private networks is explicitly denied. However, with some playing around with IPv6, I realized that it was possible for the machine on our DMZ to contact the SSH and to ping (I did not test web admin) through the link-local IPv6 address.
After some discussions on the IRC channel a workaround was found -- to change the default-allow rule so that it uses destination-address as an alias "any_ipv4", and then to define the alias any_ipv4 to contain the networks 0.0.0.0/1 and 128.0.0.0/1 (pfsense doesn't allow a zero-length address prefix - go figure). By the way, using any_ipv4 to block any non-ipv4 traffic as the first rule of a ruleset does not work. (Go figure, again.)