How to hide ipv6 entries in firewall logs?


  • Galactic Empire

    Any



  • I did as you said. But it didn't help. There are ipv6 logs running in firewall logs.
    Do I always have to choose "any" as source address by default?
    0_1539442611590_Screenshot from 2018-10-13 18-54-52.png



  • Yes, you’ll need to choose “any” as the source. Link-local (fe80:) and multicast IPv6 addresses don’t meet the “LAN2 net” address range. That’s why those addresses still show up in the firewall logs for the LAN2 interface.



  • I have chosen "any" as the source. I am attaching photos. Please have a look and let me know where I am wrong. By the way, I have unchecked "Allow IPv6" and checked "Prefer IPv4 over IPv6" in System / Advanced / Networking.

    0_1539586327369_1.jpg
    0_1539586333424_2.jpg
    0_1539586339149_3.jpg
    0_1539586344646_4.jpg


  • Galactic Empire

    Try doing the same from your other LAN interfaces.



  • Other interfaces has the same settings as others.
    I have WAN, LAN, LAN2, LAN3, OPENVPN, IPSEC.


  • Galactic Empire

    Hmm should work, have you killed the firewall states ?

    There aren't any hits against that firewall rule.


  • LAYER 8 Global Moderator

    Doesn't matter what you put on your interfaces since its being blocked by the BLOCK ALL IPv6 rule you have enabled.

    0_1539597335020_blockALL.png

    0_1539597274368_blockallIPv6.png

    That is what is logging it - I do not believe you can enable that and not log off the top of my head.. if you don't want any logging blocked ipv6.. Just undo that setting.. Then don't allow it.. If your seeing stuff being blocked by the default log, then as stated create an IPv6 block rule for any IPv6 and don't log it.


  • Galactic Empire

    @johnpoz said in How to hide ipv6 entries in firewall logs?:

    That is what is logging it - I do not believe you can enable that and not log off the top of my head.. if you don't want any logging blocked ipv6.. Just undo that setting.. Then don't allow it.. If your seeing stuff being blocked by the default log, then as stated create an IPv6 block rule for any IPv6 and don't log it

    Drat didn't notice 1000000003, good spot John


  • LAYER 8 Global Moderator

    @emammadov said in How to hide ipv6 entries in firewall logs?:

    We don't use IPv6 in our network.

    Do you control all the devices in your network? If so and your not wanting to use IPv6 I would actually try and turn it off at the devices. Windows is one chatty kathy that when it comes to noise - out of the box it just doubles all that noise via IPv6. And if your not using it - its pointless to leave all that noise out there..

    Simple reg entry or can be disabled in group policy.. Prob a good thing to see the noise so you can turn it off at the source ;)

    Linux is not anywhere as chatty... You prob won't hear a peep out of it if you don't have IPv6 at the router.

    547 is dhcpv6 - and 5355 is LLMNR, NOISE!!! if your not actually using it. You for sure can turn that off on ipv6.. And that screams windows clients ;)



  • I have checked "Allow IPv6", now I see this entries in firewall logs:

    Oct 15 14:08:40 WAN Block ULA networks from WAN block fc00::/7 (12000) 10.128.0.2 my public ip ICMP

    You said: if you don't want any logging blocked ipv6.. Just undo that setting.. Then don't allow it

    It means, I have to check "Allow IPv6" and then uncheck "Allow IPv6"? I have rules in interfaces that block ipv6.


  • Galactic Empire

    @emammadov said in How to hide ipv6 entries in firewall logs?:

    I have checked "Allow IPv6", now I see this entries in firewall logs:
    Oct 15 14:08:40 WAN Block ULA networks from WAN block fc00::/7 (12000) 10.128.0.2 my public ip ICMP
    You said: if you don't want any logging blocked ipv6.. Just undo that setting.. Then don't allow it
    It means, I have to check "Allow IPv6" and then uncheck "Allow IPv6"? I have rules in interfaces that block ipv6.

    Status -> System Logs -> Settings

    0_1539598961397_Screenshot 2018-10-15 at 11.22.22.png

    Guessing you had these ticked.


  • LAYER 8 Global Moderator

    @emammadov said in How to hide ipv6 entries in firewall logs?:

    Then don't allow it

    If you do not have Allow rules then ALL is blocked - all interfaces have default deny both ipv6 and Ipv4.. not allowed... Only things that are allowed are hidden like dhcp if you enable dhcp on that interface.. This is just common sense rules because most users are idiots ;) And if they enabled dhcp and it didn't work they would have a no clue how to create the firewall rules ;) I personally think they should be shown.. But that is another topic.

    All interfaces will block traffic if not allowed... Not blocking IPv6 just removes that stupid rule :) Then as long as you don't allow it or you put in a block rule on your own.. And don't log then no iPv6 will be allowed or working..

    But again - vs just not logging it at the the firewall doesn't remove the NOISE.. your just not logging it - still traffic on your network for no reason if your not using... Why should a client continue to bang its head asking for dhcpv6 if you don't have any dhcpv6 running. Why should it bother with LLMNR if nobody is using it?

    Security 101 is do not enable protocols and services your not using. If your NOT using ipv6 - then why should it be enabled and why should it be sending out just craptastic amounts of noise? Turn it off at the client level if you have control of the clients and they allow for it. You could for sure run into some shitty iot device that doesn't allow you to disable something like ipv6.. But from that traffic I would guess windows boxes..



  • Thank you. Now there are no ipv6 logs.

    0_1539601687040_1.jpg



  • Guys. There are two screenshots pointing to the same solution. One suggested by NogBadTheBad and second emammadov so i'm confused which one resolves seeing 1000000003 in firewall log?

    My ipv6 is disabled in the general - network settings.

    Should i just uncheck: "Log packets matched from default block rules in the ruleset" ???


  • Galactic Empire

    If you disable IPv6 on the firewall you will see IPv6 from clients on the network hitting the lan interface.

    If you don’t want to see IPv6 in the logs block them and set the rule not to log if you want to see the IPv4 default deny blocks.

    Otherwise set don’t log the default deny.



  • @emammadov said in How to hide ipv6 entries in firewall logs?:

    We don't use IPv6 in our network....

    "You" don't use IPv6. Me neither. No one does actually.
    But your systems, these days, started to use the default IPv6 for about everything - and if that doesn't work out, they fall back to IPv4.
    ☺


  • Netgate Administrator

    @gertjan said in How to hide ipv6 entries in firewall logs?:

    No one does actually.

    Ha. 😉

    Sad but (close to) true.



  • As far as Rango's question about the screenshots, they're the same. emammadov's shows more of the options on the same page, while nogbadthebad's shows just the relevant options for this case.

    As far as this goes...

    @stephenw10 said in How to hide ipv6 entries in firewall logs?:

    @gertjan said in How to hide ipv6 entries in firewall logs?:
    No one does actually.

    Ha. 😉
    Sad but (close to) true.

    I actually beg to differ on this. In mid-2016, Comcast (one of the largest ISPs in the US) saw about 30% of its internet-bound traffic using IPv6. They were expecting to reach 50% by the end of 2016 (no confirmation that they reached that number though) [source link]. I'm sure it's gone up over the past two years, especially as other services and sites are adopting IPv6.

    Also, Google publishes statistics showing what percentage of traffic to its services uses IPv6. From the US, over 1/3 of traffic to Google services is over IPv6. Worldwide, it's been fluctuating between 23-25% depending on the day of the week. [source link]

    So "no one uses IPv6" is very much false. It is a significant amount of traffic on the internet these days.


  • LAYER 8 Global Moderator

    Users not understanding they are using doesn't really count if you ask me.. Yeah they default windows to prefer IPv6... And then they put in like 3 different methods to get IPv6 tunneled over IPv4..

    Yeah this boost the numbers up of ipv6 traffic..

    Name 1 service that requires IPv6 to connect to that is main stream - just 1!

    There was hope with console games able to use IPv6 for their P2P play, etc.. Where is this? Really?

    Yeah comcast deployed IPv6 -- I was on it, it was CRAP! if you ask me... I just used HE tunnel vs comcast rollout since ;) And my new ISP doesn't have it, nor do they list any plans on rolling it out.

    You know where it has a foothold - and more than likely accounts for most of the traffic... Your smartphone!!! Billions of the devices.. So yeah it makes sense to give them IPv6 addresses.. Guess what sure dns and stuff like that, and sure some sites are available ipv4 and ipv6 so they hit the IPv6 address of the site. But quite often they have to run it through a gateway so can connect to a site/service that is only IPv4.


  • Netgate Administrator

    I agree, the figures don't lie..... but the stats may be misleading. For example what percentage of that is actual end users?

    I was being partly facetious yet it still amazes me how few IPv6 tickets we see. Perhaps that is biased, folks who use v6 generally have a better understanding and are less likely to have issues?

    Steve



  • @nogbadthebad Thanks guys for your help and input. All my clients pcs have ipv6 unchecked in their network cards so there is NO client with ipv6 broadcasting anything. From what i've read there are dns leaks via ipv6 so that's why.

    I have went ahead and unchecked this: "Log packets matched from default block rules in the ruleset" and i no longer see ipv6 but that also turns off ipv4 logging right?

    However i have ipv4 logging setup in all my rules and they do show up in the firewall log now. So i think everything is working right correct?

    I just want to make sure i'm not missing some ipv4 logging by unchecking this option: "Log packets matched from default block rules in the ruleset"

    I think i'm NOT missing anything as all rules have ipv4 log reporting checked. Is this correct setup? Just wanna makes sure as i start blocking ~500 host via snort with rule sets and i verified most of them via abuseipdb website.

    It's funny most of them are from russia and repeated offenders. I also set it up so never unblock those host instead of time interval removal. Please let me know if this setup is correct or there is better setup to be setup?
    Thank you in advance.


  • Netgate Administrator

    Yes that does stop logging default IPv4 packets also which you probably do want to see.

    If you uncheck the 'Allow IPv6' box then the system adds a firewall rule to block and log all IPv6 traffic and it's above the user rules in the ruleset. So you need to leave that box checked and then add your own user block IPv6 rules without logging enabled.

    Steve



  • @stephenw10 Now i get it. I just enabled ipv6 in networking and logging in firewall settings and created rules to block ipv6 totally without any logging. Now logs look much better. Those logs are great learning tool. Thank you kindly ALL for clarification.


Log in to reply