Firewall rules for IPV6 track interface.

Bob.Dig · Aug 1, 2022, 7:35 PM

@bassopt So this looks ok.
I did a quick test from my vps and everything is closed here.

bassopt · Aug 1, 2022, 8:16 PM

Thanks! No idea why this happening…

bassopt · Aug 1, 2022, 9:12 PM

@bob-dig btw are you using pfsense+ or community? I’ll try to reinstall pfsense tomorrow and restore Di figs from a backup and see if anything changes.

bassopt · Aug 3, 2022, 2:21 PM

Any other input in this? I’ve reinstalled pfsense+ and pfsense community edition and problem still exists.

SteveITS · Aug 3, 2022, 2:42 PM

@bassopt said in Firewall rules for IPV6 track interface.:

ssh into the ipv6 address assigned to one of my docker VMs. And voilá… instant access

Are you connecting from another PC on your LAN? (which wouldn't go through the router...)

In theory you can add a rule on WAN to block all IPv6 but the default block rule should be blocking everything inbound.

bassopt · Aug 3, 2022, 3:18 PM

@steveits no. I’m accessing from a vps outside my lan. That’s why something doesn’t add up. I know I could add a firewall rule if I wanted to ssh into vm but I don’t. Still all my lan machines are completely exposed when the get a global address from pfsense with no passing rules whatsoever.

bassopt · Aug 3, 2022, 3:58 PM

Found the issue.

PFBlockerNG .... uninstalled it and problem is solved. No clue what it might be doing but whatever !!!

the other · Aug 3, 2022, 5:40 PM

@bassopt hey there, good to know you solved it.
Just out of interest, did you use pfblockerng at all, meaning, have you configured something regarding ip whitelists or geoIP?
Some existing floating rules might then have been the issue...
Just having pfblockerng installed without any settings active and aliase or rules created shouldn't cause that...
Or Am I wrong assuming that (*looking at the more experienced people here)
:)

SteveITS · Aug 3, 2022, 5:58 PM

@the-other pfBlocker can set up allow or block rules, or aliases, or DNSBL. By itself, without any configuration, it basically does nothing. Any rules it creates would normally be on the LAN and/or WAN rule pages.

the other · Aug 3, 2022, 7:29 PM

@steveits
Hey there and thanks for your reply.
That is what I thought.
So, there must have been some rule responsible for this issue. Since the Screenshots of wan and lan did not show any such rule, I figured there must have been other rules...
Just uninstalling pfblockerng solving the problem seems strange otherwise.
Just trying to understand this issue.