How to hide ipv6 entries in firewall logs?
-
Hello,
I frequently look at Status / System Logs / Firewall. There are many ipv6 logs there. How can I hide them and show only ipv4 logs? And by the way, there is not an option to select which interfaces logs to show (WAN or LAN).
-
There is a line above the log data that says Advanced Log Filter that when expanded allows you to filter the logs in a variety of ways. You can enter a specific interface, look for certain ports or IP addresses, and enter strings (I think some fields might even accept regex).
-
This post is deleted! -
Thank you very much.
-
@virgiliomi said in How to hide ipv6 entries in firewall logs?:
e is a line above the log data that says Advanced Log Filter that when expanded allows you to filter the logs in a variety of ways. You can enter a specific interface, look for certain ports or IP addresses, and enter strings (I think some fields might even accept regex).
If you don't run IPv6 you could always create two drop rules at the bottom of your interface rules and don't log IPv6.
-
We don't use IPv6 in our network. We have this same rule in our pfsense. But I see these kind of logs in firewall logs.
-
Try changing the IPv6 src to any rather than LAN2 net.
-
@nogbadthebad said in How to hide ipv6 entries in firewall logs?:
Try changing the IPv6 src to any rather than LAN2 net.
This will likely fix it as it’s likely that you’re seeing the logs with multicast addresses, which aren’t LAN2 addresses.
-
Which one should I choose?
-
Any
-
I did as you said. But it didn't help. There are ipv6 logs running in firewall logs.
Do I always have to choose "any" as source address by default?
-
Yes, you’ll need to choose “any” as the source. Link-local (fe80:) and multicast IPv6 addresses don’t meet the “LAN2 net” address range. That’s why those addresses still show up in the firewall logs for the LAN2 interface.
-
I have chosen "any" as the source. I am attaching photos. Please have a look and let me know where I am wrong. By the way, I have unchecked "Allow IPv6" and checked "Prefer IPv4 over IPv6" in System / Advanced / Networking.
-
Try doing the same from your other LAN interfaces.
-
Other interfaces has the same settings as others.
I have WAN, LAN, LAN2, LAN3, OPENVPN, IPSEC. -
Hmm should work, have you killed the firewall states ?
There aren't any hits against that firewall rule.
-
Doesn't matter what you put on your interfaces since its being blocked by the BLOCK ALL IPv6 rule you have enabled.
That is what is logging it - I do not believe you can enable that and not log off the top of my head.. if you don't want any logging blocked ipv6.. Just undo that setting.. Then don't allow it.. If your seeing stuff being blocked by the default log, then as stated create an IPv6 block rule for any IPv6 and don't log it.
-
@johnpoz said in How to hide ipv6 entries in firewall logs?:
That is what is logging it - I do not believe you can enable that and not log off the top of my head.. if you don't want any logging blocked ipv6.. Just undo that setting.. Then don't allow it.. If your seeing stuff being blocked by the default log, then as stated create an IPv6 block rule for any IPv6 and don't log it
Drat didn't notice 1000000003, good spot John
-
@emammadov said in How to hide ipv6 entries in firewall logs?:
We don't use IPv6 in our network.
Do you control all the devices in your network? If so and your not wanting to use IPv6 I would actually try and turn it off at the devices. Windows is one chatty kathy that when it comes to noise - out of the box it just doubles all that noise via IPv6. And if your not using it - its pointless to leave all that noise out there..
Simple reg entry or can be disabled in group policy.. Prob a good thing to see the noise so you can turn it off at the source ;)
Linux is not anywhere as chatty... You prob won't hear a peep out of it if you don't have IPv6 at the router.
547 is dhcpv6 - and 5355 is LLMNR, NOISE!!! if your not actually using it. You for sure can turn that off on ipv6.. And that screams windows clients ;)
-
I have checked "Allow IPv6", now I see this entries in firewall logs:
Oct 15 14:08:40 WAN Block ULA networks from WAN block fc00::/7 (12000) 10.128.0.2 my public ip ICMP
You said: if you don't want any logging blocked ipv6.. Just undo that setting.. Then don't allow it
It means, I have to check "Allow IPv6" and then uncheck "Allow IPv6"? I have rules in interfaces that block ipv6.
-
@emammadov said in How to hide ipv6 entries in firewall logs?:
I have checked "Allow IPv6", now I see this entries in firewall logs:
Oct 15 14:08:40 WAN Block ULA networks from WAN block fc00::/7 (12000) 10.128.0.2 my public ip ICMP
You said: if you don't want any logging blocked ipv6.. Just undo that setting.. Then don't allow it
It means, I have to check "Allow IPv6" and then uncheck "Allow IPv6"? I have rules in interfaces that block ipv6.Status -> System Logs -> Settings
Guessing you had these ticked.
-
@emammadov said in How to hide ipv6 entries in firewall logs?:
Then don't allow it
If you do not have Allow rules then ALL is blocked - all interfaces have default deny both ipv6 and Ipv4.. not allowed... Only things that are allowed are hidden like dhcp if you enable dhcp on that interface.. This is just common sense rules because most users are idiots ;) And if they enabled dhcp and it didn't work they would have a no clue how to create the firewall rules ;) I personally think they should be shown.. But that is another topic.
All interfaces will block traffic if not allowed... Not blocking IPv6 just removes that stupid rule :) Then as long as you don't allow it or you put in a block rule on your own.. And don't log then no iPv6 will be allowed or working..
But again - vs just not logging it at the the firewall doesn't remove the NOISE.. your just not logging it - still traffic on your network for no reason if your not using... Why should a client continue to bang its head asking for dhcpv6 if you don't have any dhcpv6 running. Why should it bother with LLMNR if nobody is using it?
Security 101 is do not enable protocols and services your not using. If your NOT using ipv6 - then why should it be enabled and why should it be sending out just craptastic amounts of noise? Turn it off at the client level if you have control of the clients and they allow for it. You could for sure run into some shitty iot device that doesn't allow you to disable something like ipv6.. But from that traffic I would guess windows boxes..
-
Thank you. Now there are no ipv6 logs.
-
Guys. There are two screenshots pointing to the same solution. One suggested by NogBadTheBad and second emammadov so i'm confused which one resolves seeing 1000000003 in firewall log?
My ipv6 is disabled in the general - network settings.
Should i just uncheck: "Log packets matched from default block rules in the ruleset" ???
-
If you disable IPv6 on the firewall you will see IPv6 from clients on the network hitting the lan interface.
If you don’t want to see IPv6 in the logs block them and set the rule not to log if you want to see the IPv4 default deny blocks.
Otherwise set don’t log the default deny.
-
@emammadov said in How to hide ipv6 entries in firewall logs?:
We don't use IPv6 in our network....
"You" don't use IPv6. Me neither. No one does actually.
But your systems, these days, started to use the default IPv6 for about everything - and if that doesn't work out, they fall back to IPv4.
-
@gertjan said in How to hide ipv6 entries in firewall logs?:
No one does actually.
Ha.
Sad but (close to) true.
-
As far as Rango's question about the screenshots, they're the same. emammadov's shows more of the options on the same page, while nogbadthebad's shows just the relevant options for this case.
As far as this goes...
@stephenw10 said in How to hide ipv6 entries in firewall logs?:
@gertjan said in How to hide ipv6 entries in firewall logs?:
No one does actually.Ha.
Sad but (close to) true.I actually beg to differ on this. In mid-2016, Comcast (one of the largest ISPs in the US) saw about 30% of its internet-bound traffic using IPv6. They were expecting to reach 50% by the end of 2016 (no confirmation that they reached that number though) [source link]. I'm sure it's gone up over the past two years, especially as other services and sites are adopting IPv6.
Also, Google publishes statistics showing what percentage of traffic to its services uses IPv6. From the US, over 1/3 of traffic to Google services is over IPv6. Worldwide, it's been fluctuating between 23-25% depending on the day of the week. [source link]
So "no one uses IPv6" is very much false. It is a significant amount of traffic on the internet these days.
-
Users not understanding they are using doesn't really count if you ask me.. Yeah they default windows to prefer IPv6... And then they put in like 3 different methods to get IPv6 tunneled over IPv4..
Yeah this boost the numbers up of ipv6 traffic..
Name 1 service that requires IPv6 to connect to that is main stream - just 1!
There was hope with console games able to use IPv6 for their P2P play, etc.. Where is this? Really?
Yeah comcast deployed IPv6 -- I was on it, it was CRAP! if you ask me... I just used HE tunnel vs comcast rollout since ;) And my new ISP doesn't have it, nor do they list any plans on rolling it out.
You know where it has a foothold - and more than likely accounts for most of the traffic... Your smartphone!!! Billions of the devices.. So yeah it makes sense to give them IPv6 addresses.. Guess what sure dns and stuff like that, and sure some sites are available ipv4 and ipv6 so they hit the IPv6 address of the site. But quite often they have to run it through a gateway so can connect to a site/service that is only IPv4.
-
I agree, the figures don't lie..... but the stats may be misleading. For example what percentage of that is actual end users?
I was being partly facetious yet it still amazes me how few IPv6 tickets we see. Perhaps that is biased, folks who use v6 generally have a better understanding and are less likely to have issues?
Steve
-
@nogbadthebad Thanks guys for your help and input. All my clients pcs have ipv6 unchecked in their network cards so there is NO client with ipv6 broadcasting anything. From what i've read there are dns leaks via ipv6 so that's why.
I have went ahead and unchecked this: "Log packets matched from default block rules in the ruleset" and i no longer see ipv6 but that also turns off ipv4 logging right?
However i have ipv4 logging setup in all my rules and they do show up in the firewall log now. So i think everything is working right correct?
I just want to make sure i'm not missing some ipv4 logging by unchecking this option: "Log packets matched from default block rules in the ruleset"
I think i'm NOT missing anything as all rules have ipv4 log reporting checked. Is this correct setup? Just wanna makes sure as i start blocking ~500 host via snort with rule sets and i verified most of them via abuseipdb website.
It's funny most of them are from russia and repeated offenders. I also set it up so never unblock those host instead of time interval removal. Please let me know if this setup is correct or there is better setup to be setup?
Thank you in advance. -
Yes that does stop logging default IPv4 packets also which you probably do want to see.
If you uncheck the 'Allow IPv6' box then the system adds a firewall rule to block and log all IPv6 traffic and it's above the user rules in the ruleset. So you need to leave that box checked and then add your own user block IPv6 rules without logging enabled.
Steve
-
@stephenw10 Now i get it. I just enabled ipv6 in networking and logging in firewall settings and created rules to block ipv6 totally without any logging. Now logs look much better. Those logs are great learning tool. Thank you kindly ALL for clarification.