IPv6 rules still present after disabling



  • I just got a default installation going (2.1 snapshot, 64 bit). I thought for the moment at least to simplify by eliminating all ipv6 traffic, so I went to System>Advanced, Networking tab, and unchecked "Allow IPv6".

    Then I went to Firewall>Rules and found there was still a rule on LAN allowing IPv6, so the above had no effect on that apparently.

    I then disabled that rule, and went to the command prompt and ran "pfctl -sa". I was not too surprised to see the default deny rules for IPv6, but there were still a lot of "pass out quick inet6" in the list of rules. So I am getting the impression IPv6 cannot be disabled after all - or am I making some mistake here?



  • The pass out rules for v6 will still be there for the link-local (which is impossible to disable) but they're overridden by the deny all IPv6 option so that effectively gets rid of all v6.



  • Are you talking about the 'block drop in inet6 all label "Default Deny ipv6 rule" ', farther down in the rules? As I understand it, that cannot have any effect on the "quick" rules above, which are executed immediately. Perhaps I'm missing something, though.



  • No, that's the default deny. The block rule from System>Advanced is higher in the ruleset, and higher yet after a commit I just made.
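
The rule-ordering question in this thread, as an added example that is not part of any poster's reply and is not pfSense code: a small Python model of how pf picks the deciding rule (last match wins, a matching `quick` rule stops evaluation). The rulesets are constructed and simplified; the real link-local pass rules are narrower than "all inet6", and the label of the block-all rule is hypothetical.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Rule:
    action: str               # "pass" or "block"
    direction: Optional[str]  # "in", "out", or None for both directions
    af: Optional[str]         # "inet", "inet6", or None for any family
    quick: bool = False
    label: str = ""

def evaluate(rules, direction, af):
    """Return the rule that decides the packet, using pf semantics:
    the last matching rule wins, unless a matching rule is 'quick',
    in which case evaluation stops at that rule."""
    decision = None
    for rule in rules:
        if rule.direction not in (None, direction):
            continue
        if rule.af not in (None, af):
            continue
        decision = rule
        if rule.quick:
            break
    return decision

def verdict(rules, direction, af="inet6"):
    rule = evaluate(rules, direction, af)
    # pf passes a packet that matches no rule at all.
    return "pass" if rule is None else rule.action

# Constructed, simplified rules (not copied from a real pfSense ruleset).
QUICK_PASS_OUT = Rule("pass", "out", "inet6", quick=True, label="pass out quick inet6")
DEFAULT_DENY = Rule("block", "in", "inet6", label="Default Deny ipv6 rule")
BLOCK_ALL_V6 = Rule("block", None, "inet6", quick=True,
                    label="hypothetical block-all-IPv6 rule")

# Case 1: only the non-quick default deny, listed below the quick pass rule.
default_deny_only = [QUICK_PASS_OUT, DEFAULT_DENY]
# Case 2: a quick block rule placed higher in the ruleset than the pass rule.
block_first = [BLOCK_ALL_V6, QUICK_PASS_OUT, DEFAULT_DENY]

if __name__ == "__main__":
    for name, rs in (("default deny only", default_deny_only),
                     ("quick block first", block_first)):
        print(name, {d: verdict(rs, d) for d in ("in", "out")})
```

On a live system, the position of the block rule relative to the `pass out quick inet6` lines in the `pfctl -sr` output is what decides which case applies.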

