Netgate Discussion Forum

    2.1 uPnP + rules not working

    2.1 Snapshot Feedback and Problems - RETIRED
    22 Posts 5 Posters 8.7k Views
      rock.theory

      Yes, strange behavior…

      
      $ pfctl -vvsr
      @0 scrub on xl0 all fragment reassemble
        [ Evaluations: 347       Packets: 132       Bytes: 12903       States: 0     ]
        [ Inserted: uid 0 pid 49460 ]
      @1 scrub on fxp0 all fragment reassemble
        [ Evaluations: 215       Packets: 215       Bytes: 40489       States: 0     ]
        [ Inserted: uid 0 pid 49460 ]
      @2 scrub on fxp0_vlan2 all fragment reassemble
        [ Evaluations: 0         Packets: 0         Bytes: 0           States: 0     ]
        [ Inserted: uid 0 pid 49460 ]
      @0 anchor "relayd/*" all
        [ Evaluations: 21        Packets: 0         Bytes: 0           States: 0     ]
        [ Inserted: uid 0 pid 49460 ]
      @1 anchor "openvpn/*" all
        [ Evaluations: 21        Packets: 0         Bytes: 0           States: 0     ]
        [ Inserted: uid 0 pid 49460 ]
      @2 anchor "ipsec/*" all
        [ Evaluations: 21        Packets: 0         Bytes: 0           States: 0     ]
        [ Inserted: uid 0 pid 49460 ]
      @3 block drop in log inet all label "Default deny rule IPv4"
        [ Evaluations: 21        Packets: 0         Bytes: 0           States: 0     ]
        [ Inserted: uid 0 pid 49460 ]
      @4 block drop out log inet all label "Default deny rule IPv4"
        [ Evaluations: 21        Packets: 0         Bytes: 0           States: 0     ]
        [ Inserted: uid 0 pid 49460 ]
      @5 block drop in log inet6 all label "Default deny rule IPv6"
        [ Evaluations: 21        Packets: 0         Bytes: 0           States: 0     ]
        [ Inserted: uid 0 pid 49460 ]
      @6 block drop out log inet6 all label "Default deny rule IPv6"
        [ Evaluations: 0         Packets: 0         Bytes: 0           States: 0     ]
        [ Inserted: uid 0 pid 49460 ]
      @7 pass out quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type echorep keep state
        [ Evaluations: 0         Packets: 0         Bytes: 0           States: 0     ]
        [ Inserted: uid 0 pid 49460 ]
      @8 pass out quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type routersol keep state
        [ Evaluations: 0         Packets: 0         Bytes: 0           States: 0     ]
        [ Inserted: uid 0 pid 49460 ]
      @9 pass out quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type routeradv keep state
        [ Evaluations: 0         Packets: 0         Bytes: 0           States: 0     ]
        [ Inserted: uid 0 pid 49460 ]
      @10 pass out quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type echorep keep state
        [ Evaluations: 0         Packets: 0         Bytes: 0           States: 0     ]
        [ Inserted: uid 0 pid 49460 ]
      @11 pass out quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type routersol keep state
        [ Evaluations: 0         Packets: 0         Bytes: 0           States: 0     ]
        [ Inserted: uid 0 pid 49460 ]
      @12 pass out quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type routeradv keep state
        [ Evaluations: 0         Packets: 0         Bytes: 0           States: 0     ]
        [ Inserted: uid 0 pid 49460 ]
      @13 pass in quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type echoreq keep state
        [ Evaluations: 0         Packets: 0         Bytes: 0           States: 0     ]
        [ Inserted: uid 0 pid 49460 ]
      @14 pass in quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type routersol keep state
        [ Evaluations: 0         Packets: 0         Bytes: 0           States: 0     ]
        [ Inserted: uid 0 pid 49460 ]
      @15 pass in quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type routeradv keep state
        [ Evaluations: 0         Packets: 0         Bytes: 0           States: 0     ]
        [ Inserted: uid 0 pid 49460 ]
      @16 pass in quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type echoreq keep state
        [ Evaluations: 0         Packets: 0         Bytes: 0           States: 0     ]
        [ Inserted: uid 0 pid 49460 ]
      @17 pass in quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type routersol keep state
        [ Evaluations: 0         Packets: 0         Bytes: 0           States: 0     ]
        [ Inserted: uid 0 pid 49460 ]
      @18 pass in quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type routeradv keep state
        [ Evaluations: 0         Packets: 0         Bytes: 0           States: 0     ]
        [ Inserted: uid 0 pid 49460 ]
      @19 pass in quick inet6 proto ipv6-icmp from ff02::/16 to fe80::/10 icmp6-type echoreq keep state
        [ Evaluations: 0         Packets: 0         Bytes: 0           States: 0     ]
        [ Inserted: uid 0 pid 49460 ]
      @20 pass in quick inet6 proto ipv6-icmp from ff02::/16 to fe80::/10 icmp6-type routersol keep state
        [ Evaluations: 0         Packets: 0         Bytes: 0           States: 0     ]
        [ Inserted: uid 0 pid 49460 ]
      @21 pass in quick inet6 proto ipv6-icmp from ff02::/16 to fe80::/10 icmp6-type routeradv keep state
        [ Evaluations: 0         Packets: 0         Bytes: 0           States: 0     ]
        [ Inserted: uid 0 pid 49460 ]
      @22 pass quick inet6 proto ipv6-icmp all icmp6-type unreach keep state
        [ Evaluations: 0         Packets: 0         Bytes: 0           States: 0     ]
        [ Inserted: uid 0 pid 49460 ]
      @23 pass quick inet6 proto ipv6-icmp all icmp6-type toobig keep state
        [ Evaluations: 0         Packets: 0         Bytes: 0           States: 0     ]
        [ Inserted: uid 0 pid 49460 ]
      @24 pass quick inet6 proto ipv6-icmp all icmp6-type neighbrsol keep state
        [ Evaluations: 0         Packets: 0         Bytes: 0           States: 0     ]
        [ Inserted: uid 0 pid 49460 ]
      @25 pass quick inet6 proto ipv6-icmp all icmp6-type neighbradv keep state
        [ Evaluations: 0         Packets: 0         Bytes: 0           States: 0     ]
        [ Inserted: uid 0 pid 49460 ]
      @26 block drop quick inet proto tcp from any port = 0 to any
        [ Evaluations: 21        Packets: 0         Bytes: 0           States: 0     ]
        [ Inserted: uid 0 pid 49460 ]
      @27 block drop quick inet proto tcp from any to any port = 0
        [ Evaluations: 12        Packets: 0         Bytes: 0           States: 0     ]
        [ Inserted: uid 0 pid 49460 ]
      @28 block drop quick inet proto udp from any port = 0 to any
        [ Evaluations: 21        Packets: 0         Bytes: 0           States: 0     ]
        [ Inserted: uid 0 pid 49460 ]
      @29 block drop quick inet proto udp from any to any port = 0
        [ Evaluations: 9         Packets: 0         Bytes: 0           States: 0     ]
        [ Inserted: uid 0 pid 49460 ]
      @30 block drop quick inet6 proto tcp from any port = 0 to any
        [ Evaluations: 21        Packets: 0         Bytes: 0           States: 0     ]
        [ Inserted: uid 0 pid 49460 ]
      @31 block drop quick inet6 proto tcp from any to any port = 0
        [ Evaluations: 0         Packets: 0         Bytes: 0           States: 0     ]
        [ Inserted: uid 0 pid 49460 ]
      @32 block drop quick inet6 proto udp from any port = 0 to any
        [ Evaluations: 0         Packets: 0         Bytes: 0           States: 0     ]
        [ Inserted: uid 0 pid 49460 ]
      @33 block drop quick inet6 proto udp from any to any port = 0
        [ Evaluations: 0         Packets: 0         Bytes: 0           States: 0     ]
        [ Inserted: uid 0 pid 49460 ]
      @34 block drop in inet6 all label "Default Deny ipv6 rule"
        [ Evaluations: 0         Packets: 0         Bytes: 0           States: 0     ]
        [ Inserted: uid 0 pid 49460 ]
      @35 block drop out inet6 all label "Default Deny ipv6 rule"
        [ Evaluations: 0         Packets: 0         Bytes: 0           States: 0     ]
        [ Inserted: uid 0 pid 49460 ]
      @36 block drop quick from <snort2c:0> to any label "Block snort2c hosts"
        [ Evaluations: 21        Packets: 0         Bytes: 0           States: 0     ]
        [ Inserted: uid 0 pid 49460 ]
      @37 block drop quick from any to <snort2c:0> label "Block snort2c hosts"
        [ Evaluations: 21        Packets: 0         Bytes: 0           States: 0     ]
        [ Inserted: uid 0 pid 49460 ]
      @38 block drop in log quick proto tcp from <sshlockout:0> to any port = ssh label "sshlockout"
        [ Evaluations: 21        Packets: 0         Bytes: 0           States: 0     ]
        [ Inserted: uid 0 pid 49460 ]
      @39 block drop in log quick proto tcp from <webconfiguratorlockout:0> to any port = https label "webConfiguratorlockout"
        [ Evaluations: 12        Packets: 0         Bytes: 0           States: 0     ]
        [ Inserted: uid 0 pid 49460 ]
      @40 block drop in quick from <virusprot:0> to any label "virusprot overload table"
        [ Evaluations: 21        Packets: 0         Bytes: 0           States: 0     ]
        [ Inserted: uid 0 pid 49460 ]
      @41 block drop in log quick on xl0 from <bogons:11> to any label "block bogon IPv4 networks from WAN"
        [ Evaluations: 21        Packets: 0         Bytes: 0           States: 0     ]
        [ Inserted: uid 0 pid 49460 ]
      @42 block drop in log quick on xl0 from <bogonsv6:0> to any label "block bogon IPv6 networks from WAN"
        [ Evaluations: 2         Packets: 0         Bytes: 0           States: 0     ]
        [ Inserted: uid 0 pid 49460 ]
      @43 block drop in on ! xl0 inet from 69.114.168.0/21 to any
        [ Evaluations: 21        Packets: 0         Bytes: 0           States: 0     ]
        [ Inserted: uid 0 pid 49460 ]
      @44 block drop in inet from 69.114.172.72 to any
        [ Evaluations: 21        Packets: 0         Bytes: 0           States: 0     ]
        [ Inserted: uid 0 pid 49460 ]
      @45 block drop in on xl0 inet6 from fe80::201:3ff:fec4:f3d1 to any
        [ Evaluations: 21        Packets: 0         Bytes: 0           States: 0     ]
        [ Inserted: uid 0 pid 49460 ]
      @46 block drop in log quick on xl0 inet from 10.0.0.0/8 to any label "Block private networks from WAN block 10/8"
        [ Evaluations: 2         Packets: 2         Bytes: 656         States: 0     ]
        [ Inserted: uid 0 pid 49460 ]
      @47 block drop in log quick on xl0 inet from 127.0.0.0/8 to any label "Block private networks from WAN block 127/8"
        [ Evaluations: 0         Packets: 0         Bytes: 0           States: 0     ]
        [ Inserted: uid 0 pid 49460 ]
      @48 block drop in log quick on xl0 inet from 100.64.0.0/10 to any label "Block private networks from WAN block 100.64/10"
        [ Evaluations: 0         Packets: 0         Bytes: 0           States: 0     ]
        [ Inserted: uid 0 pid 49460 ]
      @49 block drop in log quick on xl0 inet from 172.16.0.0/12 to any label "Block private networks from WAN block 172.16/12"
        [ Evaluations: 0         Packets: 0         Bytes: 0           States: 0     ]
        [ Inserted: uid 0 pid 49460 ]
      @50 block drop in log quick on xl0 inet from 192.168.0.0/16 to any label "Block private networks from WAN block 192.168/16"
        [ Evaluations: 0         Packets: 0         Bytes: 0           States: 0     ]
        [ Inserted: uid 0 pid 49460 ]
      @51 block drop in log quick on xl0 inet6 from fc00::/7 to any label "Block ULA networks from WAN block fc00::/7"
        [ Evaluations: 0         Packets: 0         Bytes: 0           States: 0     ]
        [ Inserted: uid 0 pid 49460 ]
      @52 pass in on xl0 proto udp from any port = bootps to any port = bootpc keep state label "allow dhcp client out WAN"
        [ Evaluations: 0         Packets: 0         Bytes: 0           States: 0     ]
        [ Inserted: uid 0 pid 49460 ]
      @53 pass out on xl0 proto udp from any port = bootpc to any port = bootps keep state label "allow dhcp client out WAN"
        [ Evaluations: 0         Packets: 0         Bytes: 0           States: 0     ]
        [ Inserted: uid 0 pid 49460 ]
      @54 block drop in on ! fxp0 inet from 192.168.1.0/24 to any
        [ Evaluations: 19        Packets: 0         Bytes: 0           States: 0     ]
        [ Inserted: uid 0 pid 49460 ]
      @55 block drop in inet from 192.168.1.1 to any
        [ Evaluations: 19        Packets: 0         Bytes: 0           States: 0     ]
        [ Inserted: uid 0 pid 49460 ]
      @56 block drop in on fxp0 inet6 from fe80::207:e9ff:fee2:eedc to any
        [ Evaluations: 19        Packets: 0         Bytes: 0           States: 0     ]
        [ Inserted: uid 0 pid 49460 ]
      @57 pass in quick on fxp0 inet proto udp from any port = bootpc to 255.255.255.255 port = bootps keep state label "allow access to DHCP server"
        [ Evaluations: 19        Packets: 0         Bytes: 0           States: 0     ]
        [ Inserted: uid 0 pid 49460 ]
      @58 pass in quick on fxp0 inet proto udp from any port = bootpc to 192.168.1.1 port = bootps keep state label "allow access to DHCP server"
        [ Evaluations: 0         Packets: 0         Bytes: 0           States: 0     ]
        [ Inserted: uid 0 pid 49460 ]
      @59 pass out quick on fxp0 inet proto udp from 192.168.1.1 port = bootps to any port = bootpc keep state label "allow access to DHCP server"
        [ Evaluations: 7         Packets: 0         Bytes: 0           States: 0     ]
        [ Inserted: uid 0 pid 49460 ]
      @60 block drop in on ! fxp0_vlan2 inet from 192.168.2.0/24 to any
        [ Evaluations: 19        Packets: 0         Bytes: 0           States: 0     ]
        [ Inserted: uid 0 pid 49460 ]
      @61 block drop in inet from 192.168.2.1 to any
        [ Evaluations: 19        Packets: 0         Bytes: 0           States: 0     ]
        [ Inserted: uid 0 pid 49460 ]
      @62 block drop in on fxp0_vlan2 inet6 from fe80::201:3ff:fec4:f3d1 to any
        [ Evaluations: 19        Packets: 0         Bytes: 0           States: 0     ]
        [ Inserted: uid 0 pid 49460 ]
      @63 pass in quick on fxp0_vlan2 inet proto udp from any port = bootpc to 255.255.255.255 port = bootps keep state label "allow access to DHCP server"
        [ Evaluations: 0         Packets: 0         Bytes: 0           States: 0     ]
        [ Inserted: uid 0 pid 49460 ]
      @64 pass in quick on fxp0_vlan2 inet proto udp from any port = bootpc to 192.168.2.1 port = bootps keep state label "allow access to DHCP server"
        [ Evaluations: 0         Packets: 0         Bytes: 0           States: 0     ]
        [ Inserted: uid 0 pid 49460 ]
      @65 pass out quick on fxp0_vlan2 inet proto udp from 192.168.2.1 port = bootps to any port = bootpc keep state label "allow access to DHCP server"
        [ Evaluations: 0         Packets: 0         Bytes: 0           States: 0     ]
        [ Inserted: uid 0 pid 49460 ]
      @66 pass in on lo0 inet all flags S/SA keep state label "pass IPv4 loopback"
        [ Evaluations: 19        Packets: 0         Bytes: 0           States: 0     ]
        [ Inserted: uid 0 pid 49460 ]
      @67 pass out on lo0 inet all flags S/SA keep state label "pass IPv4 loopback"
        [ Evaluations: 0         Packets: 0         Bytes: 0           States: 0     ]
        [ Inserted: uid 0 pid 49460 ]
      @68 pass in on lo0 inet6 all flags S/SA keep state label "pass IPv6 loopback"
        [ Evaluations: 0         Packets: 0         Bytes: 0           States: 0     ]
        [ Inserted: uid 0 pid 49460 ]
      @69 pass out on lo0 inet6 all flags S/SA keep state label "pass IPv6 loopback"
        [ Evaluations: 0         Packets: 0         Bytes: 0           States: 0     ]
        [ Inserted: uid 0 pid 49460 ]
      @70 pass out inet all flags S/SA keep state allow-opts label "let out anything IPv4 from firewall host itself"
        [ Evaluations: 19        Packets: 0         Bytes: 0           States: 0     ]
        [ Inserted: uid 0 pid 49460 ]
      @71 pass out inet6 all flags S/SA keep state allow-opts label "let out anything IPv6 from firewall host itself"
        [ Evaluations: 0         Packets: 0         Bytes: 0           States: 0     ]
        [ Inserted: uid 0 pid 49460 ]
      @72 pass out route-to (xl0 69.114.168.1) inet from 69.114.172.72 to ! 69.114.168.0/21 flags S/SA keep state allow-opts label "let out anything from firewall host itself"
        [ Evaluations: 0         Packets: 0         Bytes: 0           States: 0     ]
        [ Inserted: uid 0 pid 49460 ]
      @73 pass in quick on fxp0 proto tcp from any to (fxp0:2) port = https flags S/SA keep state label "anti-lockout rule"
        [ Evaluations: 19        Packets: 13        Bytes: 1139        States: 1     ]
        [ Inserted: uid 0 pid 49460 ]
      @74 pass in quick on fxp0 proto tcp from any to (fxp0:2) port = http flags S/SA keep state label "anti-lockout rule"
        [ Evaluations: 0         Packets: 0         Bytes: 0           States: 0     ]
        [ Inserted: uid 0 pid 49460 ]
      @75 pass in on xl0 inet proto tcp from any to 69.114.172.72 port = pptp flags S/SA modulate state label "allow pptpd 69.114.172.72"
        [ Evaluations: 11        Packets: 0         Bytes: 0           States: 0     ]
        [ Inserted: uid 0 pid 49460 ]
      @76 pass in on xl0 proto gre all keep state label "allow gre pptpd"
        [ Evaluations: 7         Packets: 0         Bytes: 0           States: 0     ]
        [ Inserted: uid 0 pid 49460 ]
      @77 anchor "userrules/*" all
        [ Evaluations: 18        Packets: 0         Bytes: 0           States: 0     ]
        [ Inserted: uid 0 pid 49460 ]
      @78 block drop in quick on fxp0 inet all label "USER_RULE: BLOCK ALL"
        [ Evaluations: 18        Packets: 18        Bytes: 1493        States: 0     ]
        [ Inserted: uid 0 pid 49460 ]
      @79 block drop in quick on fxp0_vlan2 inet from 192.168.2.0/24 to 192.168.1.0/24 label "USER_RULE: Block VLAN2-LAN"
        [ Evaluations: 0         Packets: 0         Bytes: 0           States: 0     ]
        [ Inserted: uid 0 pid 49460 ]
      @80 block drop in quick on fxp0_vlan2 inet from 192.168.2.0/24 to 192.168.1.140/30 label "USER_RULE: Block VLAN2-PPTP"
        [ Evaluations: 0         Packets: 0         Bytes: 0           States: 0     ]
        [ Inserted: uid 0 pid 49460 ]
      @81 block drop in quick on fxp0_vlan2 inet from 192.168.2.0/24 to 192.168.1.144/30 label "USER_RULE: Block VLAN2-PPTP"
        [ Evaluations: 0         Packets: 0         Bytes: 0           States: 0     ]
        [ Inserted: uid 0 pid 49460 ]
      @82 block drop in quick on fxp0_vlan2 inet from 192.168.2.0/24 to 192.168.1.148/31 label "USER_RULE: Block VLAN2-PPTP"
        [ Evaluations: 0         Packets: 0         Bytes: 0           States: 0     ]
        [ Inserted: uid 0 pid 49460 ]
      @83 anchor "tftp-proxy/*" all
        [ Evaluations: 0         Packets: 0         Bytes: 0           States: 0     ]
        [ Inserted: uid 0 pid 49460 ]
      @84 anchor "miniupnpd" all
        [ Evaluations: 0         Packets: 0         Bytes: 0           States: 0     ]
        [ Inserted: uid 0 pid 49460 ]
      
      $ pfctl -vvsn
      @0 no nat proto carp all
        [ Evaluations: 0         Packets: 0         Bytes: 0           States: 0     ]
        [ Inserted: uid 0 pid 49460 ]
      @1 nat-anchor "natearly/*" all
        [ Evaluations: 0         Packets: 0         Bytes: 0           States: 0     ]
        [ Inserted: uid 0 pid 49460 ]
      @2 nat-anchor "natrules/*" all
        [ Evaluations: 0         Packets: 0         Bytes: 0           States: 0     ]
        [ Inserted: uid 0 pid 49460 ]
      @3 nat on xl0 inet from <tonatsubnets:7> port = isakmp to any port = isakmp -> 69.114.172.72 port 500
        [ Evaluations: 0         Packets: 0         Bytes: 0           States: 0     ]
        [ Inserted: uid 0 pid 49460 ]
      @4 nat on xl0 inet from <tonatsubnets:7> to any -> 69.114.172.72 port 1024:65535
        [ Evaluations: 0         Packets: 0         Bytes: 0           States: 0     ]
        [ Inserted: uid 0 pid 49460 ]
      @0 no rdr proto carp all
        [ Evaluations: 52        Packets: 0         Bytes: 0           States: 0     ]
        [ Inserted: uid 0 pid 49460 ]
      @1 rdr-anchor "relayd/*" all
        [ Evaluations: 52        Packets: 0         Bytes: 0           States: 0     ]
        [ Inserted: uid 0 pid 49460 ]
      @2 rdr-anchor "tftp-proxy/*" all
        [ Evaluations: 52        Packets: 0         Bytes: 0           States: 0     ]
        [ Inserted: uid 0 pid 49460 ]
      @3 rdr-anchor "miniupnpd" all
        [ Evaluations: 52        Packets: 0         Bytes: 0           States: 0     ]
        [ Inserted: uid 0 pid 49460 ]
      

      I'm not sure where to look for IPv6 (since I do not use IPv6) other than:
      Under Status -> uPnP & NAT-PMP Status it shows IPv4 addresses:

      
      3074 keep state    udp    192.168.1.50    Xbox (192.168.1.50:3074) 3074 UDP
      44164 keep state   tcp    192.168.1.40    Spotify
      

      edit:
      I went into settings and manually disabled IPv6, tested with my "BLOCK ALL" rule active, all other rules off, and yet uPnP traffic still punches through.

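      The listing above can be read mechanically. pf evaluates filter rules in order, a `quick` rule ends evaluation at the first match, and an anchor line such as `@84 anchor "miniupnpd" all` is evaluated at the position where it sits; `pfctl -vvsr` prints only that one line for the anchor, so the rules miniupnpd actually loaded have to be listed with `pfctl -a miniupnpd -vsr` (and the redirects with `pfctl -a miniupnpd -sn`). A rule is also bound to an interface and a direction before any address is compared: `@78 block drop in quick on fxp0 inet all` is consulted only for packets entering fxp0, and a connection forwarded by a UPnP mapping enters on xl0. The Python below is an added example, not code from the original post or from pfSense/Netgate: it parses a `pfctl -vvsr` section and reports which rules apply to a given interface and direction, which `quick` block rules precede a named anchor, and which rules have counted packets. SAMPLE is a constructed subset of the post's own filter rules; the function and field names are the example's own.

```python
# Added example, not code from the post or from pfSense: parse `pfctl -vvsr` output and answer
# rule-ordering questions about it. Rule numbers restart per ruleset type (scrub, filter, nat,
# rdr), so feed the parser one section of the listing at a time.
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: a subset of the post's filter rules, in their original order.
SAMPLE = """\
@41 block drop in log quick on xl0 from <bogons:11> to any label "block bogon IPv4 networks from WAN"
  [ Evaluations: 21        Packets: 0         Bytes: 0           States: 0     ]
  [ Inserted: uid 0 pid 49460 ]
@73 pass in quick on fxp0 proto tcp from any to (fxp0:2) port = https flags S/SA keep state label "anti-lockout rule"
  [ Evaluations: 19        Packets: 13        Bytes: 1139        States: 1     ]
  [ Inserted: uid 0 pid 49460 ]
@78 block drop in quick on fxp0 inet all label "USER_RULE: BLOCK ALL"
  [ Evaluations: 18        Packets: 18        Bytes: 1493        States: 0     ]
  [ Inserted: uid 0 pid 49460 ]
@84 anchor "miniupnpd" all
  [ Evaluations: 0         Packets: 0         Bytes: 0           States: 0     ]
  [ Inserted: uid 0 pid 49460 ]
"""

RULE_RE = re.compile(r"^@(\d+)\s+(.*)$")
STATS_RE = re.compile(r"\[\s*Evaluations:\s*\d+\s+Packets:\s*(\d+)\s+")
LABEL_RE = re.compile(r'\s*label\s+"[^"]*"')
ANCHOR_RE = re.compile(r'anchor\s+"([^"]*)"')
# First keyword of a rule body; everything before it is the action, direction, log or quick.
BODY_START = {"on", "inet", "inet6", "proto", "from", "to", "all", "route-to", "reply-to"}

@dataclass
class Rule:
    number: int
    action: str               # pass, block, anchor, nat-anchor, ...
    direction: Optional[str]  # "in", "out", or None for both
    quick: bool
    iface: Optional[str]      # None when the rule has no "on" clause
    iface_negated: bool       # True for "on ! fxp0"
    anchor: Optional[str]     # anchor name for anchor rules
    packets: int = 0

    def applies_to(self, iface: str, direction: str) -> bool:
        """Interface/direction pre-filter pf applies first; addresses and ports are not modelled."""
        if self.direction is not None and self.direction != direction:
            return False
        if self.iface is None:
            return True
        return self.iface != iface if self.iface_negated else self.iface == iface

def parse_rule(number: int, text: str) -> Rule:
    tokens = LABEL_RE.sub("", text).split()  # drop the label before tokenising
    direction, quick, i = None, False, 1
    while i < len(tokens) and tokens[i] not in BODY_START:
        if tokens[i] in ("in", "out"):
            direction = tokens[i]
        elif tokens[i] == "quick":
            quick = True
        i += 1
    iface, negated = None, False
    if "on" in tokens:                       # "on [!] <iface>"
        j = tokens.index("on") + 1
        if tokens[j] == "!":
            negated, j = True, j + 1
        iface = tokens[j]
    anchor_m = ANCHOR_RE.search(text) if tokens[0].endswith("anchor") else None
    return Rule(number, tokens[0], direction, quick, iface, negated, anchor_m.group(1) if anchor_m else None)

def parse_rules(output: str) -> List[Rule]:
    rules: List[Rule] = []
    for line in output.splitlines():
        rule_m = RULE_RE.match(line.strip())
        if rule_m:
            rules.append(parse_rule(int(rule_m.group(1)), rule_m.group(2)))
            continue
        stats_m = STATS_RE.search(line)
        if stats_m and rules:                # the counter line belongs to the preceding rule
            rules[-1].packets = int(stats_m.group(1))
    return rules

def applicable_rules(rules: List[Rule], iface: str, direction: str) -> List[int]:
    """Rule numbers pf consults, in order, for traffic <direction> on <iface>."""
    return [r.number for r in rules if r.applies_to(iface, direction)]

def quick_blocks_before_anchor(rules: List[Rule], anchor: str, iface: str, direction: str) -> List[int]:
    """Quick block rules evaluated before the anchor; a match there ends evaluation early."""
    found: List[int] = []
    for r in rules:
        if r.anchor == anchor:
            break
        if r.action == "block" and r.quick and r.applies_to(iface, direction):
            found.append(r.number)
    return found

def rules_with_traffic(rules: List[Rule]) -> List[int]:
    return [r.number for r in rules if r.packets > 0]  # non-zero since the last ruleset reload

if __name__ == "__main__":
    parsed = parse_rules(SAMPLE)
    for ifname in ("xl0", "fxp0"):
        print(ifname, applicable_rules(parsed, ifname, "in"), quick_blocks_before_anchor(parsed, "miniupnpd", ifname, "in"))
```

      Run against the sample, the script reports that for traffic entering xl0 the only quick block ahead of the miniupnpd anchor is the bogon rule @41, while @78 is consulted only for traffic entering fxp0. Two further checks belong with it: `pfctl -ss` lists the existing states, which survive a filter reload, so a mapping in use before the BLOCK ALL rule was added keeps passing traffic on its old state; and the rdr side (the `rdr-anchor "miniupnpd"` at @3 in the `pfctl -vvsn` output above) is applied before filtering, so the filter rules see the translated internal destination, not the public address.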
        rock.theory

        Any thoughts?

        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.