Does pfBlockerNG work in pure ipv6 environment?
-
I am currently using the pfBlockerNG Dev vers. 2.2.5_19.
It can not tell if it is working on my ipv6 subnets. The Geoipv6 portion works, but I never see any the DNSBL entries coming from the ipv6 subnets in the logs. Also the autorule created only has ipv4. (see below).
I am in the process of eliminating my last ipv4 subnet moving to NAT64 and am not sure that I will be able to use pfBlockerNG.
-
All the DNSBL FQDNS point to a virtual IPv4 address, you'll never see any IPv6 traffic as the clients can only talk using IPv4.
mac-pro:~ andy$ ifconfig en0
en0: flags=8863<UP,BROADCAST,SMART,RUNNING,SIMPLEX,MULTICAST> mtu 1500
options=10b<RXCSUM,TXCSUM,VLAN_HWTAGGING,AV>
ether 00:3e:e1:c1:af:07
inet6 fe80::14ea:7c2e:685e:f6e2%en0 prefixlen 64 secured scopeid 0x6
inet 172.16.2.20 netmask 0xffffff00 broadcast 172.16.2.255
inet6 2a02:xxxx:xxxx:2::14 prefixlen 128 dynamic
nd6 options=201<PERFORMNUD,DAD>
media: autoselect (1000baseT <full-duplex,energy-efficient-ethernet>)
status: active
mac-pro:~ andyk$mac-pro:~ andy$ host adservice.google.com
adservice.google.com has address 172.16.255.1
mac-pro:~ andy$ host e.crashlytics.com
e.crashlytics.com has address 172.16.255.1
mac-pro:~ andy$ host google.com
google.com has address 216.58.206.110
google.com has IPv6 address 2a00:1450:4009:810::200e
google.com mail is handled by 50 alt4.aspmx.l.google.com.
google.com mail is handled by 30 alt2.aspmx.l.google.com.
google.com mail is handled by 40 alt3.aspmx.l.google.com.
google.com mail is handled by 20 alt1.aspmx.l.google.com.
google.com mail is handled by 10 aspmx.l.google.com.
mac-pro:~ andy$
-
So it is effectively blocking ipv6 based ads by way of converting them into ipv4 addresses then.
But it will never show up in the logs then so no way to watch for false positives or whitelist.
-
The lookup against the FQDN will only ever return an IPv4 IP address, if the clients are dual stack it will try and connect to the IPv4 address.
Try doing a lookup against some of the FQDNS that it's blocking.
-
When I nslookup adservice.google.com I get:
Name: adservice.google.com
Address: 10.10.10.1So there is no AAAA record.
ping adservice.google.com gives me:
Ping request could not find host adservice.google.com. Please check the name and try againNothing ever shows in the pfBlockerNg logs though.
So probably not going to work very well in an ipv6 only environment.
My prior adblocker would always respond with both an A and an AAAA record for blocked sites.
-
@BBcan177 Maybe enable the ability for the web server to also run on IPv6 and add AAAA records.
@isaacfl said in Does pfBlockerNG work in pure ipv6 environment?:
When I nslookup adservice.google.com I get:
Name: adservice.google.com
Address: 10.10.10.1So there is no AAAA record.
ping adservice.google.com gives me:
Ping request could not find host adservice.google.com. Please check the name and try againNothing ever shows in the pfBlockerNg logs though.
So probably not going to work very well in an ipv6 only environment.
My prior adblocker would always respond with both an A and an AAAA record for blocked sites.
