pfBlockerNG not reporting V6 top spammers blocks
-
This is a minor item I discovered while testing GEOIP top spammers list. I am seeing firewall blocks reported by the V6 top spammer auto rule but do not see them in any pfBlockerNG reporting. Comparing /var/log/filter.log to the ipblock log shows what looks to be an error in translation (see below). Working fine but not reporting as block on the widget or when searching in reports. Seems like the conversion of the inbound drop is being changed to an outbound drop. I am dropping inbound only. Looks to be V6 only as the V4 alias is reported correctly. It's entirely possible I'm mistaken in my analysis but can't see what option would lead to this situation. SG-1100 21.95.1, pfBlockerNG 3.1.0
Example:
filter.log
Oct 21 15:38:33 pfSense2 filterlog[53321]: 150,,,1770003977,gif0,match,block,in,6,0x00,0x00000,240,TCP,6,24,240e:f7:4f01:c::3,2001:470:xxxx:xxxx:26a4:3cff:feb3:8c9d,10554,8443,0,S,1705502121,,29200,,mss
ipblock.log
15:38:33,1770003977,gif0,WANV6,block,6,6,TCP-,240e:f7:4f01:c::3,2001:470:xxxx:xxxx:26a4:3cff:feb3:8c9d,10554,8443,out,US,pfB_Top_v6,Unknown,Unknown,Unknown,Unknown,null,+ -
-
@gertjan yes I do.
-
It would appear that pfBlockerNG doesn't think my IPV6 addresses are locally defined, as function pfb_local_ip($subnet, $pfb_localsub) is returning a false value when testing the destination IP, causing the direction flag to be reversed. I found this occurs on multiple interfaces. I am still testing ways to further ID what's actually happening.
-
Humm.
Before pfb_local_ip() is used, the function just below it, function pfb_collect_localip(), is used to collect all 'local' IPs first. Add:
$testarray = array($pfb_local, $pfb_localsub);
$returnarray = print_r($testarray, true);
pfb_logger("\nReturn STRING\n{$returnarray}\n", 1);
just before the last line (4494):
return array($pfb_local, $pfb_localsub);
}
and now do a full reload.
The array with local IPs will get printed. Only IPv4 ..... (except for a lonely "::10.10.10.1/128")
For example, line 4478: only "ipaddr" is used, not "ipaddrv6", or an interface can have both.
-
@gertjan Thank you for the display code, yes only IPV4 addresses were returned, my issue is IPV6 only.
-
Because the test here - line 4838 - /usr/local/pkg/pfblockerng/pfblockerng.inc - always fails (doesn't return true if an internally used IPv6 matches).
The test never succeeds for IPv6 as there are no ipv6 listed. That is: that's what I make of it.
-
@gertjan I agree. Seems that way to me also. Thanks for the debug code I was struggling with finding a way to display this data since I'm a novice at this. Just having fun learning.
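
Added example, not part of the thread and not pfBlockerNG code: a small Python check that reproduces the symptom discussed above by comparing the direction the firewall logged with a direction derived from a local-subnet list. The sample log payloads, the documentation-range addresses, and the rule "destination is local means in, otherwise out" are assumptions modelled on what the posts describe; an IPv4 line is included for contrast, using the standard pfSense filterlog field order.

```python
import ipaddress

# Constructed filterlog CSV payloads (documentation addresses), same field
# layout as the filter.log entry quoted in the thread.
SAMPLE_LINES = [
    # IPv6/TCP: the firewall logged this block as inbound
    "150,,,1770003977,gif0,match,block,in,6,0x00,0x00000,240,TCP,6,24,"
    "2001:db8:bad::3,2001:db8:1234:1::9d,10554,8443,0,S,1705502121,,29200,,mss",
    # IPv4/TCP: also inbound
    "151,,,1770003978,mvneta0,match,block,in,4,0x0,,240,0,0,DF,6,tcp,44,"
    "198.51.100.7,192.0.2.10,10554,8443,0,S,1705502122,,29200,,mss",
]

def parse_filterlog(payload):
    """Return (logged_direction, src, dst) from a filterlog CSV payload."""
    f = payload.split(",")
    # Addresses follow the version-specific IP header fields.
    src_idx = 15 if f[8] == "6" else 18
    return f[7], ipaddress.ip_address(f[src_idx]), ipaddress.ip_address(f[src_idx + 1])

def derived_direction(dst, local_nets):
    """Hypothetical model of the thread's finding: 'in' only if dst is local."""
    is_local = any(dst.version == n.version and dst in n for n in local_nets)
    return "in" if is_local else "out"

def direction_mismatches(lines, local_cidrs):
    """List (dst, logged, derived) where the two directions disagree."""
    nets = [ipaddress.ip_network(c, strict=False) for c in local_cidrs]
    found = []
    for line in lines:
        logged, _src, dst = parse_filterlog(line)
        derived = derived_direction(dst, nets)
        if logged != derived:
            found.append((str(dst), logged, derived))
    return found

V4_ONLY = ["192.0.2.0/24"]                       # like the debug output: IPv4 only
DUAL_STACK = V4_ONLY + ["2001:db8:1234:1::/64"]  # same list with the IPv6 prefix added

if __name__ == "__main__":
    print(direction_mismatches(SAMPLE_LINES, V4_ONLY))     # IPv6 entry flips to "out"
    print(direction_mismatches(SAMPLE_LINES, DUAL_STACK))  # no mismatches
```

With the IPv4-only list the IPv6 block is the only entry whose derived direction disagrees with the firewall's, which matches the report that the V4 alias shows up correctly while the V6 one does not.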