NOOB - Why IPv6 Alerts?

  • I have IPv6 turned off in pfSense. Why am I getting Snort alerts with IPv6 addresses? This isn't the first one. Probably 20% (if not more) of my alerts are IPv6.

    W/O digging through the (mostly unreadable) Snort documentation, my guess is that turning off IPv6 in pfSense doesn't keep outsiders from scanning my firewall with IPv6. Thus, Snort is either doing its job - OR - it wouldn't go anywhere as I don't have V6 enabled.

    If there are OTHER possibilities, then those are the ones I'm asking about, as I'm sure they are more risky.


  • Galactic Empire

    The router will be seeing IPv6 from the end devices regardless of disabling IPv6.

  • Snort puts the interface it is running on in promiscuous mode, thus all traffic types and subnets hitting the wire are seen by Snort. That does not mean any corresponding plumbing exists on the network stack to handle the traffic. So IPv6 packets are hitting your physical wire interface from some endpoint device someplace, but that does not mean your firewall will respond to it in any manner. Snort will see the traffic and alert on it, though, because of the promiscuous mode setting.
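
Added example (not part of the original thread): one way to test the explanation above is to group alerts by the scope of their source address, since link-local sources (fe80::/10) are never forwarded by routers and so can only come from devices on the attached segment. The alert lines are constructed samples and the single-line "fast" alert layout is an assumption; `summarize` and the other names are hypothetical.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample alerts; the "fast" alert layout is assumed, not taken from the thread.
SAMPLE_ALERTS = """\
01/15-10:22:33.120001  [**] [1:1000001:1] Constructed rule A [**] [Priority: 3] {UDP} fe80::a00:27ff:fe12:3456:546 -> ff02::1:2:547
01/15-10:22:40.450002  [**] [1:1000002:1] Constructed rule B [**] [Priority: 2] {IPV6-ICMP} fe80::1c2d:3eff:fe4f:5a6b -> ff02::1
01/15-10:23:01.000003  [**] [1:1000003:1] Constructed rule C [**] [Priority: 2] {TCP} 2001:db8::50:44321 -> 2001:db8::1:443
01/15-10:23:05.000004  [**] [1:1000004:1] Constructed rule D [**] [Priority: 2] {TCP} 192.0.2.10:51000 -> 198.51.100.7:22
01/15-10:23:09.000005  [**] [1:1000005:1] Constructed rule E [**] [Priority: 3] {UDP} fd12:3456:789a::20:5353 -> ff02::fb:5353
"""

LINE_RE = re.compile(r"\{(?P<proto>[^}]+)\}\s+(?P<src>\S+)\s+->\s+(?P<dst>\S+)")
LINK_LOCAL = ipaddress.ip_network("fe80::/10")    # on-link only, never routed
UNIQUE_LOCAL = ipaddress.ip_network("fc00::/7")   # site-internal addressing

def strip_port(endpoint, proto):
    """TCP/UDP endpoints end in ':port'; other protocols print the bare address."""
    return endpoint.rpartition(":")[0] if proto in ("TCP", "UDP") else endpoint

def source_scope(addr):
    """Classify a source address by where it can have originated."""
    if addr.version == 4:
        return "ipv4"
    if addr in LINK_LOCAL:
        return "link-local"
    if addr in UNIQUE_LOCAL:
        return "unique-local"
    return "other-ipv6"   # includes globally routable prefixes

def summarize(alert_text):
    """Count alerts per source scope; lines with bad addresses are tallied, not dropped."""
    counts = Counter()
    for line in alert_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        try:
            src = ipaddress.ip_address(strip_port(m["src"], m["proto"]))
        except ValueError:
            counts["unparsed"] += 1
            continue
        counts[source_scope(src)] += 1
    return counts

if __name__ == "__main__":
    for scope, n in summarize(SAMPLE_ALERTS).most_common():
        print(f"{scope:13} {n}")
```

If nearly all IPv6 alerts fall under link-local or unique-local, the traffic is coming from end devices on the monitored segment rather than from outside scanners.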