Navigation

    Netgate Discussion Forum
    • Register
    • Login
    • Search
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search

    IPv6 and drop all rule

    Firewalling
    4
    8
    181
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • T
      Thisisme last edited by

      I have a very big ruleset for my WAN interface. The last rule is a drop all rule. This means: any protocol, any ip, any port filter with a drop action. The setup works well since years. But now I have the need to enable IPv6 (including forwarding). I read that pfsense has some hidden IPv6 rules for ICMP. Will they work out with my drop all rule? Do I have to add (more) rules manually?

      Gertjan johnpoz 2 Replies Last reply Reply Quote 0
      • Gertjan
        Gertjan @Thisisme last edited by

        @thisisme said in IPv6 and drop all rule:

        I read that pfsense has some hidden IPv6 rules for ICMP. Will they work out with my drop all rule? Do I have to add (more) rules manually?

        Its worse. There also also hidden IPv4 rules.

        But, don't worry. The last hidden rules for IPv4 is the same for IPv6. It says "from whatever being whatever : drop".

        Btw, it's time to face reality.
        Answer all your question, and find answers to questions you didn't even find yet, by looking at /tmp/rules.debug

        No "help me" PM's please. Use the forum.

        JKnott T 2 Replies Last reply Reply Quote 1
        • JKnott
          JKnott @Gertjan last edited by

          @gertjan said in IPv6 and drop all rule:

          Its worse. There also also hidden IPv4 rules.

          Is there a list of all these hidden rules somewhere?

          Or would that mean they're no longer hidden? 😉

          PfSense running on Qotom mini PC
          i5 CPU, 4 GB memory, 64 GB SSD & 4 Intel Gb Ethernet ports.
          UniFi AC-Lite access point

          I haven't lost my mind. It's around here...somewhere...

          1 Reply Last reply Reply Quote 0
          • T
            Thisisme @Gertjan last edited by Thisisme

            @gertjan Thanks I'll have a look in the file. May you answer me one question anyway? How are the rules sorted? Will the hidden ICMP allow rules be placed before or after my custom rules?

            1 Reply Last reply Reply Quote 0
            • johnpoz
              johnpoz LAYER 8 Global Moderator @Thisisme last edited by johnpoz

              @thisisme said in IPv6 and drop all rule:

              The last rule is a drop all rule

              This is the default on any interface - there is no need for a drop at the end of rule list, because that is what happens to any traffic that is not allowed.

              The only reason you would want/need a drop rule at the end of your rule list is to say not log traffic on that interface that is dropped, by setting your rule to not log.

              Or to say only log specific traffic like syn or specifics you set, and you have turned off log the default block. This is what I do on my wan, I have disabled logging of the default rule. And have a rules at the end of my wan list to log only SYN tcp traffic, and common ports on udp.

              rules.png

              To view the full set of rules.
              https://docs.netgate.com/pfsense/en/latest/firewall/pf-ruleset.html

              Yes there are some rules that are hidden - mostly to keep users from shooting themselves in the foot. And to also make sure things work that require specifics the user might turn on, but not understand to need to create a rule or from the user creating a rule that might block something that is required for basic functionality. Biggest example of this is when you enable dhcp server on an interface, the rules needed for dhcp to function are enabled, but not shown in the interface rule list. Another off the top is the rule that allows traffic from pfsense itself out.

              An intelligent man is sometimes forced to be drunk to spend time with his fools
              If you get confused: Listen to the Music Play
              Please don't Chat/PM me for help, unless mod related
              SG-4860 22.05 | Lab VMs CE 2.6, 2.7

              1 Reply Last reply Reply Quote 0
              • T
                Thisisme last edited by

                How can I see the default blocke rule? I used pfctl -vvsr but can't find any rule for WAN.

                johnpoz 1 Reply Last reply Reply Quote 0
                • johnpoz
                  johnpoz LAYER 8 Global Moderator @Thisisme last edited by johnpoz

                  @thisisme

                  [21.02.2-RELEASE][admin@sg4860.local.lan]/root: pfctl -sr | grep Default
block drop in inet all label "Default deny rule IPv4"
block drop out inet all label "Default deny rule IPv4"
block drop in inet6 all label "Default deny rule IPv6"
block drop out inet6 all label "Default deny rule IPv6"

                  Default deny is on ALL interfaces..

                  An intelligent man is sometimes forced to be drunk to spend time with his fools
                  If you get confused: Listen to the Music Play
                  Please don't Chat/PM me for help, unless mod related
                  SG-4860 22.05 | Lab VMs CE 2.6, 2.7

                  T 1 Reply Last reply Reply Quote 0
                  • T
                    Thisisme @johnpoz last edited by Thisisme

                    @johnpoz Thank you. I was searching for an interface specific rule. Now I see them too

                    1 Reply Last reply Reply Quote 0
                    • First post
                      Last post