1. Home
  2. pfSense Packages
  3. pfBlockerNG
  4. IPv6: doing something wrong OR bug?

IPv6: doing something wrong OR bug?

  • jpgpi250

    I've got a device with 4 ethernet adapters + wifi.
    I only enabled IPv6 on WAN and 2 adapters, using track interface. This works perfect for me, don't want / need IPv6 on the other subnets.
    I've installed pfblockerNG (version 2.1.4_9)

    Under firewall / pfblockerNG / ipv6, I've added a list, which is downloaded daily from my webserver, containing a list with IPv6 addresses I want to block.

    So far so good, the list with IP addresses is downloaded, the content of the alias (firewall / aliases / URLs) matches the list on the webserver

    problem 1: pfblockerNG now creates firewall rules on ALL of the interfaces, I would expect the rules to be created only on the interfaces that have an IPv6 address.
    problem 2: pfblockerNG creates rules that match "Address Family" IPv4.
    On the WAN adapter, the source is "single host or alias", the list with IPv6 addresses, the destination is any
    On the other adapters, the source is any, the destination is "single host or alias", the list with IPv6 addresses
    Since the rules are all targeting "Address Family" IPv4, the rule never applies to anything.

    Doing something wrong here, or is this a bug?

    0
  • BBcan177
    Moderator

    Uninstall pfBlockerNG and install pfBlockerNG-devel. This has been fixed there.

    0
  • jpgpi250

    Almost a year later, running the latest version of pfblockerNG (system / packagemanager). The problem still exists in the production version of pfblockerNG.

    Any change of getting this fixed, whitout having to install a developer package?

    A new IPv4 and IPv6 list has been published on GitHub, in an attempt to fight the DOH malware, that recently (zero day) surfaced

    edit
    if a specific interface hasn't been selected on inbound firewall rules and outbound firewall rules, no rules are created, which is correct
    if a specific interface has only an IPv4 address and no IPv6 address, rules for both IPv4 and IPv6 are created
    all rules, regardless if they are created on the IPv4 or IPv6 category (tab) are crated with protocol IPv4, see screenshot

    2019_07_04_12_27_12_Microsoft_Edge.png
    /edit

    0
  • JeGr
    LAYER 8 Moderator

    @jpgpi250 said in IPv6: doing something wrong OR bug?:

    Any change of getting this fixed, whitout having to install a developer package?

    pfBlocker-devel isn't that much a developer package as more or less the "next" version of pfBlockerNG.
    But if you want to fix / workaround that problem in the current stable, don't use "create rules" in the IP list sections but instead let pfBlocker only create Aliases (like pfB_IPv4web) and create the rules yourself. That way you can also rearrange them as needed and pfBlocker won't interfere with the sorting or rule configuration itself but will update and refresh those aliases and IP lists as needed.

    Greets

    0 jpgpi250 1 Reply
  • maverickws

    So when will pfBlocker-devel move to "not-devel" ?
    Are people supposed to guess they must install a -devel package instead of simply releasing into production? Am I missing something? Sorry but I'm not following

    0
  • jpgpi250

    @JeGr
    Thank you for this (don't use " create rules"), this is a good work around for the problem, although a little bit more work.

    I'm only using the IP blocking feature of pfblockerNG, using some internet lists (talos, Firehole and DOH). Would I benefit from using the "devel" package instead of the original one, or would this be an overkill

    Thank you for your time and effort.

    0
  • JeGr
    LAYER 8 Moderator

    @jpgpi250 said in IPv6: doing something wrong OR bug?:

    Would I benefit from using the "devel" package instead of the original one, or would this be an overkill

    It's a good bit more current and has many lists already predefined so you can just get there, click add and have a pretty decent starting point. Also other features und bugs have been adresses, so I'd guess "yes" you'd benefit already.

    @maverickws said in IPv6: doing something wrong OR bug?:

    Are people supposed to guess they must install a -devel package instead of simply releasing into production? Am I missing something? Sorry but I'm not following

    That is an answer only @BBcan177 can give you when and how he'll fade out the current stable in favor of the devel version.

    1 jpgpi250 1 Reply
  • jpgpi250

    @JeGr I shouted 'victory' to soon, or I'm missing something.

    I assumed, I would simply select no interfaces in 'General Settings' / 'Interface/Rules configuration, but it appears you have to select at least one interface. What am I missing.

    Thanks a lot for your help.

    edit
    never mind / found it: List action: Alias Native, Looks like the rule isn't created with this option, only the alias
    /edit

    0
Log in to reply
 

Products

Services

Support

News

Resources

Company

Our Mission

We provide leading-edge network security at a fair price - regardless of organizational size or network sophistication. We believe that an open-source security model offers disruptive pricing along with the agility required to quickly address emerging threats.

Subscribe to our Newsletter

Product information, software announcements, and special offers. See our newsletter archive to sign up for future newsletters and to read past announcements.

© 2020 Rubicon Communications, LLC | Privacy Policy