Netgate Discussion Forum
    IPv6 and drop all rule

    Firewalling
    A Former User

      I have a very big ruleset for my WAN interface. The last rule is a drop all rule. This means: any protocol, any ip, any port filter with a drop action. The setup works well since years. But now I have the need to enable IPv6 (including forwarding). I read that pfsense has some hidden IPv6 rules for ICMP. Will they work out with my drop all rule? Do I have to add (more) rules manually?

    Gertjan @A Former User

        @thisisme said in IPv6 and drop all rule:

        I read that pfsense has some hidden IPv6 rules for ICMP. Will they work out with my drop all rule? Do I have to add (more) rules manually?

        It's worse. There are also hidden IPv4 rules.

        But, don't worry. The last hidden rule for IPv4 is the same for IPv6. It says "from whatever being whatever : drop".

        Btw, it's time to face reality.
        Answer all your questions, and find answers to questions you didn't even find yet, by looking at /tmp/rules.debug

        No "help me" PM's please. Use the forum, the community will thank you.
        Edit : and where are the logs ??

    JKnott @Gertjan

          @gertjan said in IPv6 and drop all rule:

          It's worse. There are also hidden IPv4 rules.

          Is there a list of all these hidden rules somewhere?

          Or would that mean they're no longer hidden? 😉

          PfSense running on Qotom mini PC
          i5 CPU, 4 GB memory, 32 GB SSD & 4 Intel Gb Ethernet ports.
          UniFi AC-Lite access point

          I haven't lost my mind. It's around here...somewhere...

    A Former User @Gertjan

            @gertjan Thanks I'll have a look in the file. May you answer me one question anyway? How are the rules sorted? Will the hidden ICMP allow rules be placed before or after my custom rules?

    johnpoz (LAYER 8 Global Moderator) @A Former User

              @thisisme said in IPv6 and drop all rule:

              The last rule is a drop all rule

              This is the default on any interface - there is no need for a drop at the end of rule list, because that is what happens to any traffic that is not allowed.

              The only reason you would want/need a drop rule at the end of your rule list is to say not log traffic on that interface that is dropped, by setting your rule to not log.

              Or to say only log specific traffic like syn or specifics you set, and you have turned off log the default block. This is what I do on my wan, I have disabled logging of the default rule. And have rules at the end of my wan list to log only SYN tcp traffic, and common ports on udp.

              [screenshot: rules.png]

              To view the full set of rules.
              https://docs.netgate.com/pfsense/en/latest/firewall/pf-ruleset.html

              Yes there are some rules that are hidden - mostly to keep users from shooting themselves in the foot. And to also make sure things work that require specifics the user might turn on, but not understand to need to create a rule or from the user creating a rule that might block something that is required for basic functionality. Biggest example of this is when you enable dhcp server on an interface, the rules needed for dhcp to function are enabled, but not shown in the interface rule list. Another off the top is the rule that allows traffic from pfsense itself out.

              An intelligent man is sometimes forced to be drunk to spend time with his fools
              If you get confused: Listen to the Music Play
              Please don't Chat/PM me for help, unless mod related
              SG-4860 24.11 | Lab VMs 2.8, 24.11

    A Former User

                How can I see the default block rule? I used pfctl -vvsr but can't find any rule for WAN.

    johnpoz (LAYER 8 Global Moderator) @A Former User

                  @thisisme

                  [21.02.2-RELEASE][admin@sg4860.local.lan]/root: pfctl -sr | grep Default
                  block drop in inet all label "Default deny rule IPv4"
                  block drop out inet all label "Default deny rule IPv4"
                  block drop in inet6 all label "Default deny rule IPv6"
                  block drop out inet6 all label "Default deny rule IPv6"

                  Default deny is on ALL interfaces..

                  An intelligent man is sometimes forced to be drunk to spend time with his fools
                  If you get confused: Listen to the Music Play
                  Please don't Chat/PM me for help, unless mod related
                  SG-4860 24.11 | Lab VMs 2.8, 24.11
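The two pfctl questions in this thread (where is the default block rule, and where do the hidden rules sit relative to the user rules) are both answered by reading the ruleset listing rather than the GUI. The script below is an added example, not code from the thread or from pfSense: it takes a `pfctl -sr`-style listing on stdin and reports the default-deny rules per address family, the position of any rule by label text, and the numbered rules bound to one interface. The sample ruleset is constructed: the four "Default deny" lines are the ones quoted in the post above, while the ICMPv6, DHCP and USER_RULE lines (and the interface name igb0) are invented stand-ins whose order makes no claim about pfSense's real ordering. The one pf fact the comments rely on is that pf takes the last matching rule unless a rule carries `quick`, in which case evaluation stops at that rule.

```shell
#!/bin/sh
# Constructed sample of `pfctl -sr` output (see the lead-in). On a real box
# replace `sample_rules` with `pfctl -sr` in the pipelines below.
sample_rules() {
    cat <<'EOF'
block drop in inet all label "Default deny rule IPv4"
block drop out inet all label "Default deny rule IPv4"
block drop in inet6 all label "Default deny rule IPv6"
block drop out inet6 all label "Default deny rule IPv6"
pass quick inet6 proto ipv6-icmp all icmp6-type neighbrsol keep state label "CONSTRUCTED: hidden ICMPv6 allow"
pass in quick on igb0 proto udp from any port = 68 to any port = 67 keep state label "CONSTRUCTED: hidden DHCP server allow"
pass in quick on igb0 inet proto tcp from any to (igb0) port = 443 flags S/SA keep state label "USER_RULE: CONSTRUCTED admin gui"
block drop in quick on igb0 inet all label "USER_RULE: CONSTRUCTED drop all"
EOF
}

# count_default_deny AF : number of "Default deny" rules for AF (inet or inet6).
# The space after "$1" keeps "inet" from also matching "inet6" lines.
count_default_deny() {
    grep -c "^block drop .* $1 all label \"Default deny rule" || true
}

# position_of TEXT : 1-based position of the first rule containing TEXT, or 0.
# Position matters because a `quick` rule ends evaluation at the first match,
# while a non-quick rule (such as the default deny) is overridden by any later match.
position_of() {
    awk -v pat="$1" 'index($0, pat) { print NR; found = 1; exit } END { if (!found) print 0 }'
}

# rules_on IFACE : the rules bound to IFACE ("on IFACE"), numbered in listing order.
# Note that the default-deny rules carry no interface, which is why an
# interface-filtered search does not find them.
rules_on() {
    awk -v ifc="$1" 'index($0, " on " ifc " ") { print NR ": " $0 }'
}

# Stand-alone demonstration on the constructed sample.
echo "IPv4 default-deny rules: $(sample_rules | count_default_deny inet)"
echo "IPv6 default-deny rules: $(sample_rules | count_default_deny inet6)"
echo "Hidden ICMPv6 allow sits at rule #$(sample_rules | position_of 'hidden ICMPv6')"
echo "User drop-all sits at rule #$(sample_rules | position_of 'drop all')"
echo "Rules bound to igb0:"
sample_rules | rules_on igb0
```

Against a live system, `pfctl -sr | rules_on igb0` (with the real interface name) lists only interface-bound rules, so the default deny will never show up there; `pfctl -sr | count_default_deny inet6` is the quick check that the IPv6 default deny is present before relying on it.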

    A Former User @johnpoz

                    @johnpoz Thank you. I was searching for an interface-specific rule. Now I see them too.
