IPv6 and drop all rule
-
I have a very big ruleset for my WAN interface. The last rule is a drop all rule. This means: any protocol, any ip, any port filter with a drop action. The setup works well since years. But now I have the need to enable IPv6 (including forwarding). I read that pfsense has some hidden IPv6 rules for ICMP. Will they work out with my drop all rule? Do I have to add (more) rules manually?
-
@thisisme said in IPv6 and drop all rule:
I read that pfsense has some hidden IPv6 rules for ICMP. Will they work out with my drop all rule? Do I have to add (more) rules manually?
Its worse. There also also hidden IPv4 rules.
But, don't worry. The last hidden rules for IPv4 is the same for IPv6. It says "from whatever being whatever : drop".
Btw, it's time to face reality.
Answer all your question, and find answers to questions you didn't even find yet, by looking at /tmp/rules.debug -
@gertjan said in IPv6 and drop all rule:
Its worse. There also also hidden IPv4 rules.
Is there a list of all these hidden rules somewhere?
Or would that mean they're no longer hidden?
-
@gertjan Thanks I'll have a look in the file. May you answer me one question anyway? How are the rules sorted? Will the hidden ICMP allow rules be placed before or after my custom rules?
-
@thisisme said in IPv6 and drop all rule:
The last rule is a drop all rule
This is the default on any interface - there is no need for a drop at the end of rule list, because that is what happens to any traffic that is not allowed.
The only reason you would want/need a drop rule at the end of your rule list is to say not log traffic on that interface that is dropped, by setting your rule to not log.
Or to say only log specific traffic like syn or specifics you set, and you have turned off log the default block. This is what I do on my wan, I have disabled logging of the default rule. And have a rules at the end of my wan list to log only SYN tcp traffic, and common ports on udp.
To view the full set of rules.
https://docs.netgate.com/pfsense/en/latest/firewall/pf-ruleset.htmlYes there are some rules that are hidden - mostly to keep users from shooting themselves in the foot. And to also make sure things work that require specifics the user might turn on, but not understand to need to create a rule or from the user creating a rule that might block something that is required for basic functionality. Biggest example of this is when you enable dhcp server on an interface, the rules needed for dhcp to function are enabled, but not shown in the interface rule list. Another off the top is the rule that allows traffic from pfsense itself out.
-
How can I see the default blocke rule? I used pfctl -vvsr but can't find any rule for WAN.
-
@thisisme
[21.02.2-RELEASE][admin@sg4860.local.lan]/root: pfctl -sr | grep Default block drop in inet all label "Default deny rule IPv4" block drop out inet all label "Default deny rule IPv4" block drop in inet6 all label "Default deny rule IPv6" block drop out inet6 all label "Default deny rule IPv6"
Default deny is on ALL interfaces..
-
@johnpoz Thank you. I was searching for an interface specific rule. Now I see them too