How to hide ipv6 entries in firewall logs?
-
@emammadov said in How to hide ipv6 entries in firewall logs?:
I have checked "Allow IPv6", now I see this entries in firewall logs:
Oct 15 14:08:40 WAN Block ULA networks from WAN block fc00::/7 (12000) 10.128.0.2 my public ip ICMP
You said: if you don't want any logging blocked ipv6.. Just undo that setting.. Then don't allow it
It means, I have to check "Allow IPv6" and then uncheck "Allow IPv6"? I have rules in interfaces that block ipv6.Status -> System Logs -> Settings
Guessing you had these ticked.
-
@emammadov said in How to hide ipv6 entries in firewall logs?:
Then don't allow it
If you do not have Allow rules then ALL is blocked - all interfaces have default deny both ipv6 and Ipv4.. not allowed... Only things that are allowed are hidden like dhcp if you enable dhcp on that interface.. This is just common sense rules because most users are idiots ;) And if they enabled dhcp and it didn't work they would have a no clue how to create the firewall rules ;) I personally think they should be shown.. But that is another topic.
All interfaces will block traffic if not allowed... Not blocking IPv6 just removes that stupid rule :) Then as long as you don't allow it or you put in a block rule on your own.. And don't log then no iPv6 will be allowed or working..
But again - vs just not logging it at the the firewall doesn't remove the NOISE.. your just not logging it - still traffic on your network for no reason if your not using... Why should a client continue to bang its head asking for dhcpv6 if you don't have any dhcpv6 running. Why should it bother with LLMNR if nobody is using it?
Security 101 is do not enable protocols and services your not using. If your NOT using ipv6 - then why should it be enabled and why should it be sending out just craptastic amounts of noise? Turn it off at the client level if you have control of the clients and they allow for it. You could for sure run into some shitty iot device that doesn't allow you to disable something like ipv6.. But from that traffic I would guess windows boxes..
-
Thank you. Now there are no ipv6 logs.
-
Guys. There are two screenshots pointing to the same solution. One suggested by NogBadTheBad and second emammadov so i'm confused which one resolves seeing 1000000003 in firewall log?
My ipv6 is disabled in the general - network settings.
Should i just uncheck: "Log packets matched from default block rules in the ruleset" ???
-
If you disable IPv6 on the firewall you will see IPv6 from clients on the network hitting the lan interface.
If you don’t want to see IPv6 in the logs block them and set the rule not to log if you want to see the IPv4 default deny blocks.
Otherwise set don’t log the default deny.
-
@emammadov said in How to hide ipv6 entries in firewall logs?:
We don't use IPv6 in our network....
"You" don't use IPv6. Me neither. No one does actually.
But your systems, these days, started to use the default IPv6 for about everything - and if that doesn't work out, they fall back to IPv4.
-
@gertjan said in How to hide ipv6 entries in firewall logs?:
No one does actually.
Ha.
Sad but (close to) true.
-
As far as Rango's question about the screenshots, they're the same. emammadov's shows more of the options on the same page, while nogbadthebad's shows just the relevant options for this case.
As far as this goes...
@stephenw10 said in How to hide ipv6 entries in firewall logs?:
@gertjan said in How to hide ipv6 entries in firewall logs?:
No one does actually.Ha.
Sad but (close to) true.I actually beg to differ on this. In mid-2016, Comcast (one of the largest ISPs in the US) saw about 30% of its internet-bound traffic using IPv6. They were expecting to reach 50% by the end of 2016 (no confirmation that they reached that number though) [source link]. I'm sure it's gone up over the past two years, especially as other services and sites are adopting IPv6.
Also, Google publishes statistics showing what percentage of traffic to its services uses IPv6. From the US, over 1/3 of traffic to Google services is over IPv6. Worldwide, it's been fluctuating between 23-25% depending on the day of the week. [source link]
So "no one uses IPv6" is very much false. It is a significant amount of traffic on the internet these days.
-
Users not understanding they are using doesn't really count if you ask me.. Yeah they default windows to prefer IPv6... And then they put in like 3 different methods to get IPv6 tunneled over IPv4..
Yeah this boost the numbers up of ipv6 traffic..
Name 1 service that requires IPv6 to connect to that is main stream - just 1!
There was hope with console games able to use IPv6 for their P2P play, etc.. Where is this? Really?
Yeah comcast deployed IPv6 -- I was on it, it was CRAP! if you ask me... I just used HE tunnel vs comcast rollout since ;) And my new ISP doesn't have it, nor do they list any plans on rolling it out.
You know where it has a foothold - and more than likely accounts for most of the traffic... Your smartphone!!! Billions of the devices.. So yeah it makes sense to give them IPv6 addresses.. Guess what sure dns and stuff like that, and sure some sites are available ipv4 and ipv6 so they hit the IPv6 address of the site. But quite often they have to run it through a gateway so can connect to a site/service that is only IPv4.
-
I agree, the figures don't lie..... but the stats may be misleading. For example what percentage of that is actual end users?
I was being partly facetious yet it still amazes me how few IPv6 tickets we see. Perhaps that is biased, folks who use v6 generally have a better understanding and are less likely to have issues?
Steve
-
@nogbadthebad Thanks guys for your help and input. All my clients pcs have ipv6 unchecked in their network cards so there is NO client with ipv6 broadcasting anything. From what i've read there are dns leaks via ipv6 so that's why.
I have went ahead and unchecked this: "Log packets matched from default block rules in the ruleset" and i no longer see ipv6 but that also turns off ipv4 logging right?
However i have ipv4 logging setup in all my rules and they do show up in the firewall log now. So i think everything is working right correct?
I just want to make sure i'm not missing some ipv4 logging by unchecking this option: "Log packets matched from default block rules in the ruleset"
I think i'm NOT missing anything as all rules have ipv4 log reporting checked. Is this correct setup? Just wanna makes sure as i start blocking ~500 host via snort with rule sets and i verified most of them via abuseipdb website.
It's funny most of them are from russia and repeated offenders. I also set it up so never unblock those host instead of time interval removal. Please let me know if this setup is correct or there is better setup to be setup?
Thank you in advance. -
Yes that does stop logging default IPv4 packets also which you probably do want to see.
If you uncheck the 'Allow IPv6' box then the system adds a firewall rule to block and log all IPv6 traffic and it's above the user rules in the ruleset. So you need to leave that box checked and then add your own user block IPv6 rules without logging enabled.
Steve
-
@stephenw10 Now i get it. I just enabled ipv6 in networking and logging in firewall settings and created rules to block ipv6 totally without any logging. Now logs look much better. Those logs are great learning tool. Thank you kindly ALL for clarification.