IPv6: doing something wrong OR bug?
-
I've got a device with 4 ethernet adapters + wifi.
I only enabled IPv6 on WAN and 2 adapters, using track interface. This works perfect for me, don't want / need IPv6 on the other subnets.
I've installed pfblockerNG (version 2.1.4_9)Under firewall / pfblockerNG / ipv6, I've added a list, which is downloaded daily from my webserver, containing a list with IPv6 addresses I want to block.
So far so good, the list with IP addresses is downloaded, the content of the alias (firewall / aliases / URLs) matches the list on the webserver
problem 1: pfblockerNG now creates firewall rules on ALL of the interfaces, I would expect the rules to be created only on the interfaces that have an IPv6 address.
problem 2: pfblockerNG creates rules that match "Address Family" IPv4.
On the WAN adapter, the source is "single host or alias", the list with IPv6 addresses, the destination is any
On the other adapters, the source is any, the destination is "single host or alias", the list with IPv6 addresses
Since the rules are all targeting "Address Family" IPv4, the rule never applies to anything.Doing something wrong here, or is this a bug?
-
Uninstall pfBlockerNG and install pfBlockerNG-devel. This has been fixed there.
-
Almost a year later, running the latest version of pfblockerNG (system / packagemanager). The problem still exists in the production version of pfblockerNG.
Any change of getting this fixed, whitout having to install a developer package?
A new IPv4 and IPv6 list has been published on GitHub, in an attempt to fight the DOH malware, that recently (zero day) surfaced
edit
if a specific interface hasn't been selected oninbound firewall rulesandoutbound firewall rules, no rules are created, which is correct
if a specific interface has only an IPv4 address and no IPv6 address, rules for both IPv4 and IPv6 are created
all rules, regardless if they are created on the IPv4 or IPv6 category (tab) are crated withprotocol IPv4, see screenshot
/edit -
@jpgpi250 said in IPv6: doing something wrong OR bug?:
Any change of getting this fixed, whitout having to install a developer package?
pfBlocker-devel isn't that much a developer package as more or less the "next" version of pfBlockerNG.
But if you want to fix / workaround that problem in the current stable, don't use "create rules" in the IP list sections but instead let pfBlocker only create Aliases (like pfB_IPv4web) and create the rules yourself. That way you can also rearrange them as needed and pfBlocker won't interfere with the sorting or rule configuration itself but will update and refresh those aliases and IP lists as needed.Greets
Don't forget to upvote 👍 those who kindly offered their time and brainpower to help you!
If you're interested, I'm available to discuss details of German-speaking paid support (for companies) if needed.
-
So when will pfBlocker-devel move to "not-devel" ?
Are people supposed to guess they must install a -devel package instead of simply releasing into production? Am I missing something? Sorry but I'm not following -
@JeGr
Thank you for this (don't use " create rules"), this is a good work around for the problem, although a little bit more work.I'm only using the IP blocking feature of pfblockerNG, using some internet lists (talos, Firehole and DOH). Would I benefit from using the "devel" package instead of the original one, or would this be an overkill
Thank you for your time and effort.
-
@jpgpi250 said in IPv6: doing something wrong OR bug?:
Would I benefit from using the "devel" package instead of the original one, or would this be an overkill
It's a good bit more current and has many lists already predefined so you can just get there, click add and have a pretty decent starting point. Also other features und bugs have been adresses, so I'd guess "yes" you'd benefit already.
@maverickws said in IPv6: doing something wrong OR bug?:
Are people supposed to guess they must install a -devel package instead of simply releasing into production? Am I missing something? Sorry but I'm not following
That is an answer only @BBcan177 can give you when and how he'll fade out the current stable in favor of the devel version.
Don't forget to upvote 👍 those who kindly offered their time and brainpower to help you!
If you're interested, I'm available to discuss details of German-speaking paid support (for companies) if needed.
-
@JeGr I shouted 'victory' to soon, or I'm missing something.
I assumed, I would simply select no interfaces in 'General Settings' / 'Interface/Rules configuration, but it appears you have to select at least one interface. What am I missing.
Thanks a lot for your help.
edit
never mind / found it: List action: Alias Native, Looks like the rule isn't created with this option, only the alias
/edit
