Block all IPv6 without logging and without bogonsv6 table



  • In System, Advanced, Networking there is a checkbox for "Allow IPv6". If this is checked, then just the ordinary default deny rule for IPv6 happens at the end of all other rule processing, so (as it says) you can put in allow rules wherever you like for IPv6. With this checked you also get the bogonsv6 table, which is huge and on low memory systems it makes a significant difference in memory use.
    So, on (low-memory) systems that have no IPv6 yet, I uncheck "Allow IPv6". Good - no bogonsv6 table added to pf, no memory wasted.
    But this also puts a "quick" rule to block IPv6 at the front of rule processing, and the "quick" rule has the "log" option.
    I tried putting a normal "block IPv6 all nolog" rule on LAN, but the "quick" rule gets processed first. So the firewall log gets lots of rubbish from random client systems on the LAN that have IPv6 on/enabled by default and are trying to find a DHCPv6 server, broadcasting themselves…
    I want to achieve:

    • no bogonsv6 table; and
    • block all IPv6 without logging
      but I can't see how that can be done with the current GUI combinations.

    There are 3 ways this could be made flexible:
    a) Add a "Do not log" checkbox along with the "Allow IPv6" checkbox, when the user unchecks "Allow IPv6", they can choose "Do not log" if they wish, or;
    b) Make the use of bogonsv6 a separate checkbox "Do not use IPv6 bogons", so users can choose not to use bogonsv6, while still enabling "Allow IPv6". Then I could "Allow IPv6", "Do not use IPv6 bogons" and manually put silent drop rules on my interfaces to throw away IPv6 rubbish without logging it. or;
    c) On each interface, have 2 bogon networks checkboxes - "Block IPv4 Bogon Networks" and "Block IPv6 Bogon Networks". Make the code respect these. Only include the bogonsv6 table in pf if at least 1 "Block IPv6 Bogon Networks" is checked. Then the user can control which interfaces have which IPv4/IPv6 bogon tables applied. Then I could "Allow IPv6", do not "Block IPv6 Bogon Networks" on any interface (and thus not have a bogonsv6 table using memory in pf), and put my own silent IPv6 drop rules wherever I like.

    Do any of the above seem a reasonable thing to do? If so, which?

    I can code it, but is there still a chance that an enhancement like one of the above could be included in 2.1?
    (It will change the UI somewhere!)


  • Banned

    I got kinda lost in your post… What I did with recent snaps:

    1/

    2/ Install pfBlocker.

    3/ Add custom lists (alias only) for IPv4 and IPv6 bogons.

    4/ Use those as you wish per interface…

    So, for me - integrating a stripped down pfBlocker version (without the no longer free and thus pretty much useless Top Spammers thing, and without the GeoIP clutter) would make most sense with minimal coding required.



  • Some time ago, I submitted code so that, when "Allow IPv6" is off, the system does not bother loading the bogonsv6 table. This saves me some memory on my Alix systems. So I want to turn off "Allow IPv6". But that also puts in the "IPv6 quick drop log" rules, which I don't want the "log". Having both switches together in the one checkbox is not quite perfect for my use case.
    Even with the pfBlocker solution, I want to uncheck "Allow IPv6" also, and that will cause the "quick log" rules which will see the packets before pfBlocker, drop and log them.



  • It is possible with the current code!
    Turn off "Allow IPv6"
    Turn off System Logs, Settings, "Log packets blocked by the default rule"
    Now, both the default deny rules (for IPv4 and Ipv6) and the "quick block IPv6" rules do not log.
    Add user rules for any IPv4 that you want to block and log (because the default IPv4 block rule now does not log).

    Now I get:
    a) No bogonsv6 table using up memory
    b) All IPv6 blocked without logging anything
    c) Manual logging of whatever IPv4 blocks I choose

    Meets my requirements.


  • Banned

    Yeah, the bogonsv6 thing is insane for embedded systems. As for logging of IPv6 by default rules, some recent change (a couple of days ago) caused some more nonsensical logflood by logging link-local traffic on LAN. Why, goes beyond me. All LAN IPv6 traffic is permitted.