System: Advanced: Networking - Allow IPv6



  • Could someone please detail the "System: Advanced: Networking - Allow IPv6" setting?

    For instance.  How is the blocking of IPv6 implemented when this setting is un-selected?  A firewall rule(s)?  Via FreeBSD network / driver config?  Etc.?

    If this setting is un-selected, how inclusive is “All IPv6 traffic will be blocked by the firewall”?  LAN to LAN?  WAN to LAN?  LAN client to router LAN?  Etc.?

    Thanks



  • By "quick" firewall rules. On a system with 1 LAN, 2 WAN and Allow IPv6 off:

    /root(3): pfctl -srules | grep inet6
    block drop in log quick inet6 all label "Block all IPv6"
    block drop out log quick inet6 all label "Block all IPv6"
    block drop in log inet6 all label "Default deny rule IPv6"
    block drop out log inet6 all label "Default deny rule IPv6"
    pass out quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type echorep keep state
    pass out quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type routersol keep state
    pass out quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type routeradv keep state
    pass out quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type echorep keep state
    pass out quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type routersol keep state
    pass out quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type routeradv keep state
    pass in quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type echoreq keep state
    pass in quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type routersol keep state
    pass in quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type routeradv keep state
    pass in quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type echoreq keep state
    pass in quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type routersol keep state
    pass in quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type routeradv keep state
    pass in quick inet6 proto ipv6-icmp from ff02::/16 to fe80::/10 icmp6-type echoreq keep state
    pass in quick inet6 proto ipv6-icmp from ff02::/16 to fe80::/10 icmp6-type routersol keep state
    pass in quick inet6 proto ipv6-icmp from ff02::/16 to fe80::/10 icmp6-type routeradv keep state
    pass quick inet6 proto ipv6-icmp all icmp6-type unreach keep state
    pass quick inet6 proto ipv6-icmp all icmp6-type toobig keep state
    pass quick inet6 proto ipv6-icmp all icmp6-type neighbrsol keep state
    pass quick inet6 proto ipv6-icmp all icmp6-type neighbradv keep state
    block drop quick inet6 proto tcp from any port = 0 to any
    block drop quick inet6 proto tcp from any to any port = 0
    block drop quick inet6 proto udp from any port = 0 to any
    block drop quick inet6 proto udp from any to any port = 0
    block drop in on vr1 inet6 from fe80::20d:b9ff:fe22:1fe9 to any
    block drop in on vr0 inet6 from fe80::20d:b9ff:fe22:1fe8 to any
    block drop in on vr2 inet6 from fe80::20d:b9ff:fe22:1fea to any
    pass in on lo0 inet6 all flags S/SA keep state label "pass IPv6 loopback"
    pass out on lo0 inet6 all flags S/SA keep state label "pass IPv6 loopback"
    pass out inet6 all flags S/SA keep state allow-opts label "let out anything IPv6 from firewall host itself"
    

    The top 2 lines make sure that no IPv6 packets will be processed by the bunch of rules below (which are the normal default IPv6 rules) - blocks any IPv6 in and out on any interface.
    Also, as of Mon Mar 25 15:43:22 EDT 2013 snapshot, the bogonsv6 table is not created when Allow IPv6 is off - there is no point having 72006 bogons-V6 table entries loaded when the whole of IPv6 is already blocked anyway.
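    A shell check of the ordering described above, added here as an example and not part of the thread: it reads `pfctl -srules` output and confirms that both "quick" IPv6 block rules are present and precede every inet6 pass rule, so no IPv6 packet can reach the default rules below them. The two rulesets in the block are constructed, abridged from the pfctl output above; on a router you would pass the live output as the argument instead.

```shell
#!/bin/sh
# Added example (not from the forum post). Verify that the two
# "Block all IPv6" quick rules are in place and that no inet6 pass rule
# appears before both of them. With pf, the first matching "quick" rule
# ends evaluation, so a pass rule above the blocks would be reachable.
# Usage on the router: ipv6_blocked_first "$(pfctl -srules)"
# Exit status: 0 = all IPv6 blocked, 1 = a gap exists.
ipv6_blocked_first() {
    printf '%s\n' "$1" | awk '
        # Only inet6 rules matter; IPv4 (inet) rules are skipped.
        / inet6 / {
            if ($0 ~ /^block drop in .*quick inet6 all/)       bin  = 1
            else if ($0 ~ /^block drop out .*quick inet6 all/) bout = 1
            # A pass rule seen before both quick blocks is reachable.
            else if ($0 ~ /^pass/ && !(bin && bout))           early = 1
        }
        END { if (bin && bout && !early) exit 0; exit 1 }
    '
}

# Constructed sample: Allow IPv6 off (abridged from the thread's output).
SAMPLE_OFF='block drop in log quick inet6 all label "Block all IPv6"
block drop out log quick inet6 all label "Block all IPv6"
block drop in log inet6 all label "Default deny rule IPv6"
block drop out log inet6 all label "Default deny rule IPv6"
pass quick inet6 proto ipv6-icmp all icmp6-type neighbrsol keep state
pass in on lo0 inet6 all flags S/SA keep state label "pass IPv6 loopback"
pass out inet6 all flags S/SA keep state allow-opts label "let out anything IPv6 from firewall host itself"
block drop in log inet all label "Default deny rule IPv4"'

# Constructed sample: Allow IPv6 on (same rules, the two quick blocks absent).
SAMPLE_ON='block drop in log inet6 all label "Default deny rule IPv6"
block drop out log inet6 all label "Default deny rule IPv6"
pass quick inet6 proto ipv6-icmp all icmp6-type neighbrsol keep state
pass out inet6 all flags S/SA keep state allow-opts label "let out anything IPv6 from firewall host itself"'

# Constructed sample: only the inbound quick block, outbound missing.
SAMPLE_HALF='block drop in log quick inet6 all label "Block all IPv6"
block drop out log inet6 all label "Default deny rule IPv6"
pass out inet6 all flags S/SA keep state allow-opts label "let out anything IPv6 from firewall host itself"'

# Stand-alone run over the constructed samples.
ipv6_blocked_first "$SAMPLE_OFF"  && echo "OFF sample:  all IPv6 blocked"
ipv6_blocked_first "$SAMPLE_ON"   || echo "ON sample:   IPv6 passes"
ipv6_blocked_first "$SAMPLE_HALF" || echo "HALF sample: outbound IPv6 not blocked"
```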

