2.1 uPnP + rules not working



  • I have upgraded to the beta of pfSense 2.1 (pfSense-Full-Update-2.1-BETA0-i386-20121123-1854). I would like to have my uPnP devices follow a rule, specifically one that allows modification of bandwidth usage, latency and packet loss (i.e. using Traffic Shaper's "Limiter"). The rule is correctly applied to a specific IP; however, this does not work for a uPnP device. I have tested and my rule works correctly on any other non-uPnP device. Is there perhaps a fix on the way?



  • http://redmine.pfsense.org/issues/1575

    no plan to fix that for 2.1, too rare of a use case and one that companies don't care about hence not likely anyone is going to fund it.



  • I wonder how much $$ it would take to get it fixed?



  • What is the suggested donation to get this pushed? I have a lot of testing I'd like to do using this feature.



  • That's a kernel project, which means it isn't easy and the people who can do the work don't come cheap. Talking upwards of $1000 USD. If that might be feasible I can get a more precise number.



  • Try 2.1 from tomorrow and see the comment in this thread: http://redmine.pfsense.org/issues/1575

    If it works for you that's a good thing; otherwise it has to go through cmb's suggestions.
    Also, consider the donation if it works.



  • Unfortunately it does not seem to work. I would love to be able to donate $1000 but as a freelance IT tech, I can't afford that (To be honest that's a lot more than I expected). I suppose I will have to have patience in this matter, and hope that it does get fixed.



  • Depending on the time required, 1k USD may be quickly reached if you count the fact that one would need to dedicate a couple of hours to investigate before implementing even a single line of code. :-\

    Is uPnP rather a home feature - maybe crowdfunding may be a good idea?



  • works for me for some reason



  • Probably he did not reset states when trying.



  • I have tried resetting states and still do not have any luck with limiters.

    Should I be adding these rules as floating or as standard LAN? Perhaps I am missing something.

    I've disabled every rule. No devices should have access to WAN. None do, other than the uPnP device, which does. This is undesired as uPnP devices are not following the rules.



  • I have the rules on the floating tab and they work just fine.



  • On further testing it shows the limiter is active but not limiting as expected. I have set an upload limit, but at times I see the spike going over it, so I still can't say if it works perfectly and will need to test further.



  • Any new results? For me the rules are not obeyed at all regarding a uPnP device.

    I disabled every single rule on every tab, then actively blocked the IP of my uPnP device but it ignored everything and continued to stream data.



  • I don't mean to keep pushing this issue, but I do want to bring up the fact that the link http://redmine.pfsense.org/issues/1575 states this issue is resolved, however it is not.

    uPnP completely ignores all rules regardless of which tab it is on. I don't know who needs to change that link back to 0%, but I'd sure like to be able to monitor the progress of it.

    Thanks.



  • Can you show the configuration you have?
    A rules.debug attached here would be useful as well.



  • 
    set limit tables 3000
    set optimization normal
    set limit states 47000
    set limit src-nodes 47000
    
    #System aliases
    
    loopback = "{ lo0 }"
    WAN = "{ xl0 }"
    LAN = "{ fxp0 }"
    VLAN2 = "{ fxp0_vlan2 }"
    pptp = "{ pptp }"
    
    #SSH Lockout Table
    table <sshlockout> persist
    table <webconfiguratorlockout> persist
    #Snort tables
    table <snort2c>
    table <virusprot>
    # User Aliases 
    table <computers> {   192.168.1.30/31  192.168.1.32/28  192.168.1.48/31 } 
    COMPUTERS = "<computers>"
    table <dhcp> {   192.168.1.150/31  192.168.1.152/29  192.168.1.160/27  192.168.1.192/27  192.168.1.224/28  192.168.1.240/29  192.168.1.248/30  192.168.1.252/31  192.168.1.254/32 } 
    DHCP = "<dhcp>"
    table <gamesys> {   192.168.1.50/31  192.168.1.52/30  192.168.1.56/30 } 
    GAMESYS = "<gamesys>"
    table <phonestablets> {   192.168.1.60/30  192.168.1.64/28 } 
    PHONESTABLETS = "<phonestablets>"
    table <pptp> {   192.168.1.140/30  192.168.1.144/30  192.168.1.148/31 } 
    PPTP = "<pptp>"
    table <printers> {   192.168.1.20/30  192.168.1.24/30  192.168.1.28/31 } 
    PRINTERS = "<printers>"
    table <servers> {   192.168.1.10/31  192.168.1.12/30  192.168.1.16/30 } 
    SERVERS = "<servers>"
    
    # Gateways
    GWWAN_DHCP = " route-to ( xl0 69.114.168.1 ) "
    
    set loginterface fxp0
    
    set skip on pfsync0
    
    scrub on $WAN all    fragment reassemble
    scrub on $LAN all    fragment reassemble
    scrub on $VLAN2 all    fragment reassemble
    
    no nat proto carp
    no rdr proto carp
    nat-anchor "natearly/*"
    nat-anchor "natrules/*"
    
    # Outbound NAT rules
    
    # Subnets to NAT 
    table <tonatsubnets> { 192.168.1.0/24 192.168.2.0/24 192.168.1.140/32 192.168.1.140/30 192.168.1.144/30 192.168.1.148/31 127.0.0.0/8  }
    nat on $WAN  from <tonatsubnets> port 500 to any port 500 -> 69.114.172.72/32 port 500  
    nat on $WAN  from <tonatsubnets> to any -> 69.114.172.72/32 port 1024:65535  
    
    # Load balancing anchor
    rdr-anchor "relayd/*"
    # TFTP proxy
    rdr-anchor "tftp-proxy/*"
    table <negate_networks> {}
    # UPnPd rdr anchor
    rdr-anchor "miniupnpd"
    
    anchor "relayd/*"
    anchor "openvpn/*"
    anchor "ipsec/*"
    #---------------------------------------------------------------------------
    # default deny rules
    #---------------------------------------------------------------------------
    block in log inet all label "Default deny rule IPv4"
    block out log inet all label "Default deny rule IPv4"
    block in log inet6 all label "Default deny rule IPv6"
    block out log inet6 all label "Default deny rule IPv6"
    
    # IPv6 ICMP is not auxilary, it is required for operation
    # See man icmp6(4)
    # 1    unreach         Destination unreachable
    # 2    toobig          Packet too big
    # 128  echoreq         Echo service request
    # 129  echorep         Echo service reply
    # 133  routersol       Router solicitation
    # 134  routeradv       Router advertisement
    # 135  neighbrsol      Neighbor solicitation
    # 136  neighbradv      Neighbor advertisement
    pass quick inet6 proto ipv6-icmp from any to any icmp6-type {1,2,135,136} keep state
    
    # Allow only bare essential icmpv6 packets (NS, NA, and RA, echoreq, echorep)
    pass out quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type {129,133,134,135,136} keep state
    pass out quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type {129,133,134,135,136} keep state
    pass in quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type {128,133,134,135,136} keep state
    pass in quick inet6 proto ipv6-icmp from ff02::/16 to fe80::/10 icmp6-type {128,133,134,135,136} keep state
    pass in quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type {128,133,134,135,136} keep state
    
    # We use the mighty pf, we cannot be fooled.
    block quick inet proto { tcp, udp } from any port = 0 to any
    block quick inet proto { tcp, udp } from any to any port = 0
    block quick inet6 proto { tcp, udp } from any port = 0 to any
    block quick inet6 proto { tcp, udp } from any to any port = 0
    
    # Snort package
    block quick from <snort2c> to any label "Block snort2c hosts"
    block quick from any to <snort2c> label "Block snort2c hosts"
    
    # SSH lockout
    block in log quick proto tcp from <sshlockout> to any port 22 label "sshlockout"
    
    # webConfigurator lockout
    block in log quick proto tcp from <webconfiguratorlockout> to any port 443 label "webConfiguratorlockout"
    block in quick from <virusprot> to any label "virusprot overload table"
    table <bogons> persist file "/etc/bogons"
    table <bogonsv6> persist file "/etc/bogonsv6"
    # block bogon networks
    # http://www.cymru.com/Documents/bogon-bn-nonagg.txt
    # http://www.team-cymru.org/Services/Bogons/fullbogons-ipv6.txt
    block in log quick on $WAN from <bogons> to any label "block bogon IPv4 networks from WAN"
    block in log quick on $WAN from <bogonsv6> to any label "block bogon IPv6 networks from WAN"
    antispoof for xl0
    # block anything from private networks on interfaces with the option set
    antispoof for $WAN
    block in log quick on $WAN from 10.0.0.0/8 to any label "Block private networks from WAN block 10/8"
    block in log quick on $WAN from 127.0.0.0/8 to any label "Block private networks from WAN block 127/8"
    block in log quick on $WAN from 100.64.0.0/10 to any label "Block private networks from WAN block 100.64/10"
    block in log quick on $WAN from 172.16.0.0/12 to any label "Block private networks from WAN block 172.16/12"
    block in log quick on $WAN from 192.168.0.0/16 to any label "Block private networks from WAN block 192.168/16"
    block in log quick on $WAN from fc00::/7 to any label "Block ULA networks from WAN block fc00::/7"
    # allow our DHCP client out to the WAN
    pass in on $WAN proto udp from any port = 67 to any port = 68 label "allow dhcp client out WAN"
    pass out on $WAN proto udp from any port = 68 to any port = 67 label "allow dhcp client out WAN"
    # Not installing DHCP server firewall rules for WAN which is configured for DHCP.
    antispoof for fxp0
    
    # allow access to DHCP server on LAN
    pass in quick on $LAN proto udp from any port = 68 to 255.255.255.255 port = 67 label "allow access to DHCP server"
    pass in quick on $LAN proto udp from any port = 68 to 192.168.1.1 port = 67 label "allow access to DHCP server"
    pass out quick on $LAN proto udp from 192.168.1.1 port = 67 to any port = 68 label "allow access to DHCP server"
    antispoof for fxp0_vlan2
    
    # allow access to DHCP server on VLAN2
    pass in quick on $VLAN2 proto udp from any port = 68 to 255.255.255.255 port = 67 label "allow access to DHCP server"
    pass in quick on $VLAN2 proto udp from any port = 68 to 192.168.2.1 port = 67 label "allow access to DHCP server"
    pass out quick on $VLAN2 proto udp from 192.168.2.1 port = 67 to any port = 68 label "allow access to DHCP server"
    
    # loopback
    pass in on $loopback inet all label "pass IPv4 loopback"
    pass out on $loopback inet all label "pass IPv4 loopback"
    pass in on $loopback inet6 all label "pass IPv6 loopback"
    pass out on $loopback inet6 all label "pass IPv6 loopback"
    # let out anything from the firewall host itself and decrypted IPsec traffic
    pass out inet all keep state allow-opts label "let out anything IPv4 from firewall host itself"
    pass out inet6 all keep state allow-opts label "let out anything IPv6 from firewall host itself"
    pass out route-to ( xl0 69.114.168.1 ) from 69.114.172.72 to !69.114.168.0/21 keep state allow-opts label "let out anything from firewall host itself"
    # make sure the user cannot lock himself out of the webConfigurator or SSH
    pass in quick on fxp0 proto tcp from any to (fxp0) port { 443 80 } keep state label "anti-lockout rule"
    # PPTPd rules
    pass in on $WAN proto tcp from any to 69.114.172.72 port = 1723 modulate state label "allow pptpd 69.114.172.72"
    pass in on $WAN proto gre from any to any keep state label "allow gre pptpd"
    
    # User-defined rules follow
    
    anchor "userrules/*"
    block  in  quick  on $LAN inet from any to any  label "USER_RULE: BLOCK ALL"
    block  in  quick  on $VLAN2  from 192.168.2.1/24 to 192.168.1.0/24  label "USER_RULE: Block VLAN2-LAN"
    block  in  quick  on $VLAN2  from 192.168.2.1/24 to { 192.168.1.140/30 192.168.1.144/30 192.168.1.148/31 }  label "USER_RULE: Block VLAN2-PPTP"
    
    # Automatic Pass rules for any delegated IPv6 prefixes through dynamic IPv6 clients
    
    # VPN Rules
    anchor "tftp-proxy/*"
    # uPnPd
    anchor "miniupnpd"
    

    If by configuration you mean what my active rules are (while testing for verification) then:

    
    Floating:
    [Empty]
    
    WAN:
    Proto   Source                         Port  Destination  Port  Gateway  Queue  Schedule  Description
    *       RFC 1918 networks              *     *            *     *        *                Block private networks
    *       Reserved/not assigned by IANA  *     *            *     *        *      *         Block bogon networks
    
    LAN:
    Proto   Source  Port  Destination  Port    Gateway  Queue  Schedule  Description
    *       *       *     LAN Address  443 80  *        *                Anti-Lockout Rule
    IPv4 *  *       *     *            *       *        none             BLOCK ALL
    
    VLAN2:
    Proto   Source     Port  Destination   Port  Gateway  Queue  Schedule  Description
    IPv4 *  VLAN2 net  *     LAN net       *     *        none             Block VLAN2-LAN
    IPv4 *  VLAN2 net  *     PPTP clients  *     *        none             Block VLAN2-PPTP
    
    PPTP VPN:
    [Empty]
    
    

    As you can see, aside from the anti-lockout rule the only rule enabled is "BLOCK ALL" on the LAN tab, and this does not interrupt a uPnP stream. Nothing else permits WAN access, but the uPnP stream continues without interruption.



  • Can you dump the content of the anchor miniupnpd with:
    pfctl -a miniupnpd -vvsn
    pfctl -a miniupnpd -vvsr

    Maybe the uPnP daemon is creating rdr pass rules; that would be the only reason from what I see.



  • These are two examples of uPnP that happen within my home:

    
    $ pfctl -a miniupnpd -vvsn
    @0 rdr quick on xl0 inet proto udp from any to any port = 3074 keep state label "Xbox (192.168.1.50:3074) 3074 UDP" rtable 0 -> 192.168.1.50 port 3074
      [ Evaluations: 31787     Packets: 79086     Bytes: 10132928    States: 0     ]
      [ Inserted: uid 0 pid 79384 ]
    @1 rdr quick on xl0 inet proto tcp from any to any port = 44164 keep state label "Spotify" rtable 0 -> 192.168.1.40 port 44164
      [ Evaluations: 131       Packets: 1018      Bytes: 584381      States: 14    ]
      [ Inserted: uid 0 pid 79384 ]
    
    $ pfctl -a miniupnpd -vvsr
    @0 pass in quick on xl0 inet proto udp from any to any port = 3074 flags S/SA keep state label "Xbox (192.168.1.50:3074) 3074 UDP" rtable 0
      [ Evaluations: 29751     Packets: 79086     Bytes: 10132928    States: 0     ]
      [ Inserted: uid 0 pid 79384 ]
    @1 pass in quick on xl0 inet proto tcp from any to any port = 44164 flags S/SA keep state label "Spotify" rtable 0
      [ Evaluations: 14        Packets: 966       Bytes: 581078      States: 14    ]
      [ Inserted: uid 0 pid 79384 ]
    
    

    We have 2 XBOX consoles, multiple Skype users (Skype is unlisted at the moment), and multiple Spotify users although (apparently) not much uPnP has been used since upgrading the firmware today.
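The anchor dump above contains `pass in quick ... keep state` rules on the WAN interface. In pf the state table is checked before the ruleset, so once an inbound packet has matched one of these rules, the remaining packets of that flow, in either direction, are matched against the state and are never evaluated against rules on other interfaces such as the LAN tab's BLOCK ALL. The following is an added example, not code from this thread, pfSense or miniupnpd: it parses `pfctl -vvsr` / `pfctl -vvsn` style output into records and reports which rules have matched traffic and which are stateful quick pass rules. Its sample input is constructed from the two anchor rules posted above plus the poster's LAN "BLOCK ALL" rule; the function and field names are the example's own.

```python
"""Parse verbose pfctl rule listings and report which rules carried traffic.

Added example for this thread; not code from pfSense or miniupnpd.
SAMPLE_DUMP is constructed from the anchor rules posted in the thread plus
the poster's LAN "BLOCK ALL" rule.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Optional

SAMPLE_DUMP = """\
@0 pass in quick on xl0 inet proto udp from any to any port = 3074 flags S/SA keep state label "Xbox (192.168.1.50:3074) 3074 UDP" rtable 0
  [ Evaluations: 29751     Packets: 79086     Bytes: 10132928    States: 0     ]
  [ Inserted: uid 0 pid 79384 ]
@1 pass in quick on xl0 inet proto tcp from any to any port = 44164 flags S/SA keep state label "Spotify" rtable 0
  [ Evaluations: 14        Packets: 966       Bytes: 581078      States: 14    ]
  [ Inserted: uid 0 pid 79384 ]
@2 block drop in quick on fxp0 inet all label "USER_RULE: BLOCK ALL"
  [ Evaluations: 18        Packets: 18        Bytes: 1493        States: 0     ]
  [ Inserted: uid 0 pid 49460 ]
"""

RULE_LINE = re.compile(r"^@(?P<idx>\d+)\s+(?P<body>.+)$")
COUNTERS = re.compile(
    r"Evaluations:\s*(?P<ev>\d+)\s+Packets:\s*(?P<pk>\d+)\s+"
    r"Bytes:\s*(?P<by>\d+)\s+States:\s*(?P<st>\d+)"
)
LABEL = re.compile(r'label "(?P<label>[^"]*)"')
DST_PORT = re.compile(r"\bto \S+ port = (?P<port>\S+)")


@dataclass
class PfRule:
    index: int
    action: str               # pass, block, rdr, nat, anchor, scrub ...
    direction: Optional[str]  # "in", "out" or None
    quick: bool
    interface: Optional[str]  # token after "on"; "! xl0" for a negated interface
    proto: Optional[str]
    dst_port: Optional[str]
    keep_state: bool
    label: Optional[str]
    evaluations: int = 0
    packets: int = 0
    byte_count: int = 0
    states: int = 0


def _token_after(tokens: list[str], keyword: str) -> Optional[str]:
    """Return the token following `keyword`, honouring pf's "! iface" negation."""
    if keyword not in tokens:
        return None
    i = tokens.index(keyword) + 1
    if i >= len(tokens):
        return None
    if tokens[i] == "!" and i + 1 < len(tokens):
        return "! " + tokens[i + 1]
    return tokens[i]


def _parse_rule(idx: int, body: str) -> PfRule:
    tokens = body.split()
    direction = tokens[1] if len(tokens) > 1 and tokens[1] in ("in", "out") else None
    # pfctl prints "block drop in ...": the direction follows the "drop" qualifier
    if direction is None and len(tokens) > 2 and tokens[1] == "drop" and tokens[2] in ("in", "out"):
        direction = tokens[2]
    port = DST_PORT.search(body)
    lab = LABEL.search(body)
    return PfRule(
        index=idx, action=tokens[0], direction=direction, quick="quick" in tokens,
        interface=_token_after(tokens, "on"), proto=_token_after(tokens, "proto"),
        dst_port=port.group("port") if port else None,
        keep_state="keep state" in body, label=lab.group("label") if lab else None,
    )


def parse_pfctl_rules(text: str) -> list[PfRule]:
    """Parse `pfctl -vvsr` / `pfctl -vvsn` output (main ruleset or an anchor)."""
    rules: list[PfRule] = []
    for raw in text.splitlines():
        line = raw.strip()
        m = RULE_LINE.match(line)
        if m:
            rules.append(_parse_rule(int(m.group("idx")), m.group("body")))
            continue
        c = COUNTERS.search(line)  # the "[ Evaluations: ... ]" line belongs to the last rule
        if c and rules:
            r = rules[-1]
            r.evaluations, r.packets, r.byte_count, r.states = (
                int(c.group(g)) for g in ("ev", "pk", "by", "st")
            )
    return rules


def stateful_quick_pass_rules(rules: list[PfRule]) -> list[PfRule]:
    """pass + quick + keep state: a match creates a state that later packets of the
    flow hit before any rule is consulted, so blocks on other interfaces never see it."""
    return [r for r in rules if r.action == "pass" and r.quick and r.keep_state]


def rules_with_traffic(rules: list[PfRule]) -> list[PfRule]:
    """Rules whose counters show they matched at least one packet or hold a state."""
    return [r for r in rules if r.packets > 0 or r.states > 0]


def summarise(rules: list[PfRule]) -> list[str]:
    out = []
    for r in rules:
        flags = "+".join(f for f, on in (("quick", r.quick), ("state", r.keep_state)) if on) or "-"
        out.append(f"@{r.index} {r.action} {r.direction or '-'} on {r.interface or '-'} "
                   f"{r.proto or 'any'} dport={r.dst_port or '-'} [{flags}] "
                   f"packets={r.packets} states={r.states} label={r.label!r}")
    return out


if __name__ == "__main__":
    parsed = parse_pfctl_rules(SAMPLE_DUMP)
    print("rules that matched traffic:")
    for line in summarise(rules_with_traffic(parsed)):
        print("  " + line)
    print("stateful quick pass rules (flows bypass later rules once a state exists):")
    for line in summarise(stateful_quick_pass_rules(parsed)):
        print("  " + line)
```

To use it against a live box, pipe `pfctl -a miniupnpd -vvsr` (and `pfctl -vvsr` for the main ruleset) into `parse_pfctl_rules`; a non-zero `states` count on an anchor rule is the quickest evidence that the anchor, not the user rules, is admitting the flow.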



  • Can you do a pfctl -vvsr and pfctl -vvsn? It seems not possible for this to happen with the current postings of rules!

    Normally it shouldn't be possible for upnp to get to its port.
    Can you check if upnp is going through IPv6?



  • Yes, strange behavior…

    
    $ pfctl -vvsr
    @0 scrub on xl0 all fragment reassemble
      [ Evaluations: 347       Packets: 132       Bytes: 12903       States: 0     ]
      [ Inserted: uid 0 pid 49460 ]
    @1 scrub on fxp0 all fragment reassemble
      [ Evaluations: 215       Packets: 215       Bytes: 40489       States: 0     ]
      [ Inserted: uid 0 pid 49460 ]
    @2 scrub on fxp0_vlan2 all fragment reassemble
      [ Evaluations: 0         Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: uid 0 pid 49460 ]
    @0 anchor "relayd/*" all
      [ Evaluations: 21        Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: uid 0 pid 49460 ]
    @1 anchor "openvpn/*" all
      [ Evaluations: 21        Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: uid 0 pid 49460 ]
    @2 anchor "ipsec/*" all
      [ Evaluations: 21        Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: uid 0 pid 49460 ]
    @3 block drop in log inet all label "Default deny rule IPv4"
      [ Evaluations: 21        Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: uid 0 pid 49460 ]
    @4 block drop out log inet all label "Default deny rule IPv4"
      [ Evaluations: 21        Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: uid 0 pid 49460 ]
    @5 block drop in log inet6 all label "Default deny rule IPv6"
      [ Evaluations: 21        Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: uid 0 pid 49460 ]
    @6 block drop out log inet6 all label "Default deny rule IPv6"
      [ Evaluations: 0         Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: uid 0 pid 49460 ]
    @7 pass out quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type echorep keep state
      [ Evaluations: 0         Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: uid 0 pid 49460 ]
    @8 pass out quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type routersol keep state
      [ Evaluations: 0         Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: uid 0 pid 49460 ]
    @9 pass out quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type routeradv keep state
      [ Evaluations: 0         Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: uid 0 pid 49460 ]
    @10 pass out quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type echorep keep state
      [ Evaluations: 0         Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: uid 0 pid 49460 ]
    @11 pass out quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type routersol keep state
      [ Evaluations: 0         Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: uid 0 pid 49460 ]
    @12 pass out quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type routeradv keep state
      [ Evaluations: 0         Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: uid 0 pid 49460 ]
    @13 pass in quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type echoreq keep state
      [ Evaluations: 0         Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: uid 0 pid 49460 ]
    @14 pass in quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type routersol keep state
      [ Evaluations: 0         Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: uid 0 pid 49460 ]
    @15 pass in quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type routeradv keep state
      [ Evaluations: 0         Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: uid 0 pid 49460 ]
    @16 pass in quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type echoreq keep state
      [ Evaluations: 0         Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: uid 0 pid 49460 ]
    @17 pass in quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type routersol keep state
      [ Evaluations: 0         Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: uid 0 pid 49460 ]
    @18 pass in quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type routeradv keep state
      [ Evaluations: 0         Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: uid 0 pid 49460 ]
    @19 pass in quick inet6 proto ipv6-icmp from ff02::/16 to fe80::/10 icmp6-type echoreq keep state
      [ Evaluations: 0         Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: uid 0 pid 49460 ]
    @20 pass in quick inet6 proto ipv6-icmp from ff02::/16 to fe80::/10 icmp6-type routersol keep state
      [ Evaluations: 0         Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: uid 0 pid 49460 ]
    @21 pass in quick inet6 proto ipv6-icmp from ff02::/16 to fe80::/10 icmp6-type routeradv keep state
      [ Evaluations: 0         Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: uid 0 pid 49460 ]
    @22 pass quick inet6 proto ipv6-icmp all icmp6-type unreach keep state
      [ Evaluations: 0         Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: uid 0 pid 49460 ]
    @23 pass quick inet6 proto ipv6-icmp all icmp6-type toobig keep state
      [ Evaluations: 0         Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: uid 0 pid 49460 ]
    @24 pass quick inet6 proto ipv6-icmp all icmp6-type neighbrsol keep state
      [ Evaluations: 0         Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: uid 0 pid 49460 ]
    @25 pass quick inet6 proto ipv6-icmp all icmp6-type neighbradv keep state
      [ Evaluations: 0         Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: uid 0 pid 49460 ]
    @26 block drop quick inet proto tcp from any port = 0 to any
      [ Evaluations: 21        Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: uid 0 pid 49460 ]
    @27 block drop quick inet proto tcp from any to any port = 0
      [ Evaluations: 12        Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: uid 0 pid 49460 ]
    @28 block drop quick inet proto udp from any port = 0 to any
      [ Evaluations: 21        Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: uid 0 pid 49460 ]
    @29 block drop quick inet proto udp from any to any port = 0
      [ Evaluations: 9         Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: uid 0 pid 49460 ]
    @30 block drop quick inet6 proto tcp from any port = 0 to any
      [ Evaluations: 21        Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: uid 0 pid 49460 ]
    @31 block drop quick inet6 proto tcp from any to any port = 0
      [ Evaluations: 0         Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: uid 0 pid 49460 ]
    @32 block drop quick inet6 proto udp from any port = 0 to any
      [ Evaluations: 0         Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: uid 0 pid 49460 ]
    @33 block drop quick inet6 proto udp from any to any port = 0
      [ Evaluations: 0         Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: uid 0 pid 49460 ]
    @34 block drop in inet6 all label "Default Deny ipv6 rule"
      [ Evaluations: 0         Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: uid 0 pid 49460 ]
    @35 block drop out inet6 all label "Default Deny ipv6 rule"
      [ Evaluations: 0         Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: uid 0 pid 49460 ]
    @36 block drop quick from <snort2c:0> to any label "Block snort2c hosts"
      [ Evaluations: 21        Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: uid 0 pid 49460 ]
    @37 block drop quick from any to <snort2c:0> label "Block snort2c hosts"
      [ Evaluations: 21        Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: uid 0 pid 49460 ]
    @38 block drop in log quick proto tcp from <sshlockout:0> to any port = ssh label "sshlockout"
      [ Evaluations: 21        Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: uid 0 pid 49460 ]
    @39 block drop in log quick proto tcp from <webconfiguratorlockout:0> to any port = https label "webConfiguratorlockout"
      [ Evaluations: 12        Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: uid 0 pid 49460 ]
    @40 block drop in quick from <virusprot:0> to any label "virusprot overload table"
      [ Evaluations: 21        Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: uid 0 pid 49460 ]
    @41 block drop in log quick on xl0 from <bogons:11> to any label "block bogon IPv4 networks from WAN"
      [ Evaluations: 21        Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: uid 0 pid 49460 ]
    @42 block drop in log quick on xl0 from <bogonsv6:0> to any label "block bogon IPv6 networks from WAN"
      [ Evaluations: 2         Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: uid 0 pid 49460 ]
    @43 block drop in on ! xl0 inet from 69.114.168.0/21 to any
      [ Evaluations: 21        Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: uid 0 pid 49460 ]
    @44 block drop in inet from 69.114.172.72 to any
      [ Evaluations: 21        Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: uid 0 pid 49460 ]
    @45 block drop in on xl0 inet6 from fe80::201:3ff:fec4:f3d1 to any
      [ Evaluations: 21        Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: uid 0 pid 49460 ]
    @46 block drop in log quick on xl0 inet from 10.0.0.0/8 to any label "Block private networks from WAN block 10/8"
      [ Evaluations: 2         Packets: 2         Bytes: 656         States: 0     ]
      [ Inserted: uid 0 pid 49460 ]
    @47 block drop in log quick on xl0 inet from 127.0.0.0/8 to any label "Block private networks from WAN block 127/8"
      [ Evaluations: 0         Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: uid 0 pid 49460 ]
    @48 block drop in log quick on xl0 inet from 100.64.0.0/10 to any label "Block private networks from WAN block 100.64/10"
      [ Evaluations: 0         Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: uid 0 pid 49460 ]
    @49 block drop in log quick on xl0 inet from 172.16.0.0/12 to any label "Block private networks from WAN block 172.16/12"
      [ Evaluations: 0         Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: uid 0 pid 49460 ]
    @50 block drop in log quick on xl0 inet from 192.168.0.0/16 to any label "Block private networks from WAN block 192.168/16"
      [ Evaluations: 0         Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: uid 0 pid 49460 ]
    @51 block drop in log quick on xl0 inet6 from fc00::/7 to any label "Block ULA networks from WAN block fc00::/7"
      [ Evaluations: 0         Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: uid 0 pid 49460 ]
    @52 pass in on xl0 proto udp from any port = bootps to any port = bootpc keep state label "allow dhcp client out WAN"
      [ Evaluations: 0         Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: uid 0 pid 49460 ]
    @53 pass out on xl0 proto udp from any port = bootpc to any port = bootps keep state label "allow dhcp client out WAN"
      [ Evaluations: 0         Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: uid 0 pid 49460 ]
    @54 block drop in on ! fxp0 inet from 192.168.1.0/24 to any
      [ Evaluations: 19        Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: uid 0 pid 49460 ]
    @55 block drop in inet from 192.168.1.1 to any
      [ Evaluations: 19        Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: uid 0 pid 49460 ]
    @56 block drop in on fxp0 inet6 from fe80::207:e9ff:fee2:eedc to any
      [ Evaluations: 19        Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: uid 0 pid 49460 ]
    @57 pass in quick on fxp0 inet proto udp from any port = bootpc to 255.255.255.255 port = bootps keep state label "allow access to DHCP server"
      [ Evaluations: 19        Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: uid 0 pid 49460 ]
    @58 pass in quick on fxp0 inet proto udp from any port = bootpc to 192.168.1.1 port = bootps keep state label "allow access to DHCP server"
      [ Evaluations: 0         Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: uid 0 pid 49460 ]
    @59 pass out quick on fxp0 inet proto udp from 192.168.1.1 port = bootps to any port = bootpc keep state label "allow access to DHCP server"
      [ Evaluations: 7         Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: uid 0 pid 49460 ]
    @60 block drop in on ! fxp0_vlan2 inet from 192.168.2.0/24 to any
      [ Evaluations: 19        Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: uid 0 pid 49460 ]
    @61 block drop in inet from 192.168.2.1 to any
      [ Evaluations: 19        Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: uid 0 pid 49460 ]
    @62 block drop in on fxp0_vlan2 inet6 from fe80::201:3ff:fec4:f3d1 to any
      [ Evaluations: 19        Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: uid 0 pid 49460 ]
    @63 pass in quick on fxp0_vlan2 inet proto udp from any port = bootpc to 255.255.255.255 port = bootps keep state label "allow access to DHCP server"
      [ Evaluations: 0         Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: uid 0 pid 49460 ]
    @64 pass in quick on fxp0_vlan2 inet proto udp from any port = bootpc to 192.168.2.1 port = bootps keep state label "allow access to DHCP server"
      [ Evaluations: 0         Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: uid 0 pid 49460 ]
    @65 pass out quick on fxp0_vlan2 inet proto udp from 192.168.2.1 port = bootps to any port = bootpc keep state label "allow access to DHCP server"
      [ Evaluations: 0         Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: uid 0 pid 49460 ]
    @66 pass in on lo0 inet all flags S/SA keep state label "pass IPv4 loopback"
      [ Evaluations: 19        Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: uid 0 pid 49460 ]
    @67 pass out on lo0 inet all flags S/SA keep state label "pass IPv4 loopback"
      [ Evaluations: 0         Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: uid 0 pid 49460 ]
    @68 pass in on lo0 inet6 all flags S/SA keep state label "pass IPv6 loopback"
      [ Evaluations: 0         Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: uid 0 pid 49460 ]
    @69 pass out on lo0 inet6 all flags S/SA keep state label "pass IPv6 loopback"
      [ Evaluations: 0         Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: uid 0 pid 49460 ]
    @70 pass out inet all flags S/SA keep state allow-opts label "let out anything IPv4 from firewall host itself"
      [ Evaluations: 19        Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: uid 0 pid 49460 ]
    @71 pass out inet6 all flags S/SA keep state allow-opts label "let out anything IPv6 from firewall host itself"
      [ Evaluations: 0         Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: uid 0 pid 49460 ]
    @72 pass out route-to (xl0 69.114.168.1) inet from 69.114.172.72 to ! 69.114.168.0/21 flags S/SA keep state allow-opts label "let out anything from firewall host itself"
      [ Evaluations: 0         Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: uid 0 pid 49460 ]
    @73 pass in quick on fxp0 proto tcp from any to (fxp0:2) port = https flags S/SA keep state label "anti-lockout rule"
      [ Evaluations: 19        Packets: 13        Bytes: 1139        States: 1     ]
      [ Inserted: uid 0 pid 49460 ]
    @74 pass in quick on fxp0 proto tcp from any to (fxp0:2) port = http flags S/SA keep state label "anti-lockout rule"
      [ Evaluations: 0         Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: uid 0 pid 49460 ]
    @75 pass in on xl0 inet proto tcp from any to 69.114.172.72 port = pptp flags S/SA modulate state label "allow pptpd 69.114.172.72"
      [ Evaluations: 11        Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: uid 0 pid 49460 ]
    @76 pass in on xl0 proto gre all keep state label "allow gre pptpd"
      [ Evaluations: 7         Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: uid 0 pid 49460 ]
    @77 anchor "userrules/*" all
      [ Evaluations: 18        Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: uid 0 pid 49460 ]
    @78 block drop in quick on fxp0 inet all label "USER_RULE: BLOCK ALL"
      [ Evaluations: 18        Packets: 18        Bytes: 1493        States: 0     ]
      [ Inserted: uid 0 pid 49460 ]
    @79 block drop in quick on fxp0_vlan2 inet from 192.168.2.0/24 to 192.168.1.0/24 label "USER_RULE: Block VLAN2-LAN"
      [ Evaluations: 0         Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: uid 0 pid 49460 ]
    @80 block drop in quick on fxp0_vlan2 inet from 192.168.2.0/24 to 192.168.1.140/30 label "USER_RULE: Block VLAN2-PPTP"
      [ Evaluations: 0         Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: uid 0 pid 49460 ]
    @81 block drop in quick on fxp0_vlan2 inet from 192.168.2.0/24 to 192.168.1.144/30 label "USER_RULE: Block VLAN2-PPTP"
      [ Evaluations: 0         Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: uid 0 pid 49460 ]
    @82 block drop in quick on fxp0_vlan2 inet from 192.168.2.0/24 to 192.168.1.148/31 label "USER_RULE: Block VLAN2-PPTP"
      [ Evaluations: 0         Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: uid 0 pid 49460 ]
    @83 anchor "tftp-proxy/*" all
      [ Evaluations: 0         Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: uid 0 pid 49460 ]
    @84 anchor "miniupnpd" all
      [ Evaluations: 0         Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: uid 0 pid 49460 ]
    
    $ pfctl -vvsn
    @0 no nat proto carp all
      [ Evaluations: 0         Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: uid 0 pid 49460 ]
    @1 nat-anchor "natearly/*" all
      [ Evaluations: 0         Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: uid 0 pid 49460 ]
    @2 nat-anchor "natrules/*" all
      [ Evaluations: 0         Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: uid 0 pid 49460 ]
    @3 nat on xl0 inet from <tonatsubnets:7> port = isakmp to any port = isakmp -> 69.114.172.72 port 500
      [ Evaluations: 0         Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: uid 0 pid 49460 ]
    @4 nat on xl0 inet from <tonatsubnets:7> to any -> 69.114.172.72 port 1024:65535
      [ Evaluations: 0         Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: uid 0 pid 49460 ]
    @0 no rdr proto carp all
      [ Evaluations: 52        Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: uid 0 pid 49460 ]
    @1 rdr-anchor "relayd/*" all
      [ Evaluations: 52        Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: uid 0 pid 49460 ]
    @2 rdr-anchor "tftp-proxy/*" all
      [ Evaluations: 52        Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: uid 0 pid 49460 ]
    @3 rdr-anchor "miniupnpd" all
      [ Evaluations: 52        Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: uid 0 pid 49460 ]
    

    I'm not sure where to look for IPv6 (since I do not use IPv6) other than:
    Under Status -> uPnP & NAT-PMP Status it shows IPv4 addresses:

    
    Port             Protocol  Internal IP   Description
    3074 keep state  udp       192.168.1.50  Xbox (192.168.1.50:3074) 3074 UDP
    44164 keep state tcp       192.168.1.40  Spotify
    
    

    edit:
    I went into settings and manually disabled IPv6, tested with my "BLOCK ALL" rule active, all other rules off, and yet uPnP traffic still punches through.



  • Any thoughts?


Locked