8000::/1 from bogonsv6 blocks ipv6
-
Last month when I got IPv6 working there was a system bogon update, and I noticed that all IPv6 packets coming in from the WAN suddenly were being blocked and I eventually couldn't renew my IPv6 address. The firewall reported that the pf rule, drop from <bogonsv6> to any, was blocking everything from my Comcast IPv6 gateway, which is a link local address (fe80::/10).
A quick search through the bogonsv6 list (fullbogons-ipv6.txt) didn't show any link local addresses, but it turns out the last entry, 8000::/1, is the culprit. This network's range is 8000:0000:0000:0000:0000:0000:0000:0000 to ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff, which blocks any link local addresses. Removing this line from /etc/bogonsv6 and reloading pf allows IPv6 again. Excluding this network in rc.update_bogons.sh should fix this.
-
This seems to work for me:
diff --git a/etc/rc.update_bogons.sh b/etc/rc.update_bogons.sh index ae85b0b..77daa00 100755 --- a/etc/rc.update_bogons.sh +++ b/etc/rc.update_bogons.sh @@ -119,7 +119,7 @@ if [ "$BOGON_V4_CKSUM" = "$ON_DISK_V4_CKSUM" ] || [ "$BOGON_V6_CKSUM" = "$ON_DIS if [ $BOGONS_V6_TABLE_COUNT -gt 0 ]; then ENTRIES_V6=`pfctl -vvsTables | awk '/-\tbogonsv6$/ {getline; print $2}'` if [ $ENTRIES_MAX -gt $((2*ENTRIES_TOT-${ENTRIES_V6:-0}+LINES_V6)) ]; then - egrep -iv "^fc00::/7" /tmp/bogonsv6 > /etc/bogonsv6 + egrep -iv "^fc00::/7|^8000::/1" /tmp/bogonsv6 > /etc/bogonsv6 RESULT=`/sbin/pfctl -t bogonsv6 -T replace -f /etc/bogonsv6 2>&1` echo "$RESULT" | awk '{ print "Bogons V6 file downloaded: " $0 }' | logger else @@ -127,7 +127,7 @@ if [ "$BOGON_V4_CKSUM" = "$ON_DISK_V4_CKSUM" ] || [ "$BOGON_V6_CKSUM" = "$ON_DIS fi else if [ $ENTRIES_MAX -gt $((2*ENTRIES_TOT+LINES_V6)) ]; then - egrep -iv "^fc00::/7" /tmp/bogonsv6 > /etc/bogonsv6 + egrep -iv "^fc00::/7|^8000::/1" /tmp/bogonsv6 > /etc/bogonsv6 echo "Bogons V6 file downloaded but not updating IPv6 bogons table because IPv6 Allow is off" | logger else echo "Not saving IPv6 bogons table (IPv6 Allow is off and table-entries limit is potentially too low)" | logger
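Review bot: the first hunk drops all of `8000::/1` from the table to let `fe80::/10` through, which removes bogon coverage for the entire upper half of the IPv6 address space (reserved ranges included) rather than the one link-local prefix the DHCPv6 client needs; the narrower fix belongs in the rule generator, so that the `pass in quick ... port = 546/547` DHCPv6 rules are emitted before `block in log quick on $WAN from <bogonsv6> to any` and the table itself stays intact. Separately, the `egrep -iv "^fc00::/7|^8000::/1"` pattern has no end anchor, so `^8000::/1` would also strip any `8000::/10`, `8000::/12`, etc. entry that appeared in a future list; use `grep -Evx 'fc00::/7|8000::/1'` or add `$` to each alternative.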
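Review bot: the second hunk repeats the exact same exclusion pattern in the "IPv6 Allow is off" branch as the first hunk does in the "on" branch, so the two copies can drift apart on the next edit; lift the pattern into one variable above the `if` (for example `BOGONS_V6_EXCLUDE='^fc00::/7|^8000::/1'`, name assumed) and reference it from both `egrep` calls.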
-
Actually that is a bad idea because that entire range contains reserved space and splitting it up to take out fe80::/10 would be sloppy.
From rules.debug:
block in log quick on $WAN from <bogons> to any label "block bogon IPv4 networks from WAN"
block in log quick on $WAN from <bogonsv6> to any label "block bogon IPv6 networks from WAN"
...
pass in quick on $WAN proto udp from fe80::/10 port = 546 to fe80::/10 port = 546 label "allow dhcpv6 client in WAN"
pass in quick on $WAN proto udp from any port = 547 to any port = 546 label "allow dhcpv6 client in WAN"
pass out quick on $WAN proto udp from any port = 546 to any port = 547 label "allow dhcpv6 client out WAN"
In filter.inc the drop bogon rules are generated above the rule to allow DHCPv6 in. Since fe80::/10 is within 8000::/1, the bogon rule is matched first, so DHCPv6 traffic from fe80::/10 can never pass and IPv6 can't renew or bind once a user has updated the bogon table.
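The two points made in this thread (that a text search of the bogon list for "fe80" finds nothing even though 8000::/1 covers all of fe80::/10, and that pf's first-match "quick" semantics let the bogon block win over the later DHCPv6 pass rules) can both be checked offline. The following is an added example, not code from pfSense or from anyone in the thread: it uses the standard ipaddress module, a constructed four-entry stand-in for fullbogons-ipv6.txt, a constructed gateway address fe80::1, and a deliberately simplified pf evaluator (source prefix plus UDP ports only; no interface, direction or state handling).

```python
import ipaddress

# Constructed stand-in for fullbogons-ipv6.txt; the real list is much longer,
# but these entries are enough to reproduce the diagnosis from the report.
SAMPLE_BOGONS_V6 = """\
::/8
2001:db8::/32
fc00::/7
8000::/1
"""


def parse_table(text):
    """Parse a pf table file (one prefix per line, '#' comments) into networks."""
    nets = []
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            nets.append(ipaddress.ip_network(line))
    return nets


def covering_entries(table, addr):
    """Return the table entries that contain addr, as strings.

    A grep for 'fe80' finds nothing because the covering entry is 8000::/1,
    not a link-local prefix; containment, not substring search, is the test.
    """
    a = ipaddress.ip_address(addr)
    return [str(n) for n in table if a in n]


def link_local_is_covered(table):
    """True if some entry swallows the whole fe80::/10 prefix."""
    ll = ipaddress.ip_network("fe80::/10")
    return any(ll.subnet_of(n) for n in table)


# A rule is (action, label, source networks, source port, dest port);
# a port of None means "any", matching the rules.debug excerpt above.
def generated_ruleset(bogons):
    """Order as filter.inc emits it: bogon block before the DHCPv6 passes."""
    any6 = [ipaddress.ip_network("::/0")]
    ll = [ipaddress.ip_network("fe80::/10")]
    return [
        ("block", "block bogon IPv6 networks from WAN", bogons, None, None),
        ("pass", "allow dhcpv6 client in WAN (link-local)", ll, 546, 546),
        ("pass", "allow dhcpv6 client in WAN (server reply)", any6, 547, 546),
    ]


def reordered_ruleset(bogons):
    """Same rules with the DHCPv6 passes moved ahead of the bogon block."""
    rules = generated_ruleset(bogons)
    return rules[1:] + rules[:1]


def pf_first_match(rules, src, sport, dport):
    """Simplified pf 'quick' evaluation: the first matching rule decides."""
    a = ipaddress.ip_address(src)
    for action, label, src_nets, s_port, d_port in rules:
        if not any(a in n for n in src_nets):
            continue
        if s_port is not None and s_port != sport:
            continue
        if d_port is not None and d_port != dport:
            continue
        return action, label
    return "pass", "no quick rule matched (default assumed for this simulation)"


if __name__ == "__main__":
    table = parse_table(SAMPLE_BOGONS_V6)
    print("fe80::1 is covered by:", covering_entries(table, "fe80::1"))
    print("fe80::/10 fully covered:", link_local_is_covered(table))
    # DHCPv6 Advertise/Reply from the constructed gateway: server port 547 -> client port 546
    print("generated order:", pf_first_match(generated_ruleset(table), "fe80::1", 547, 546))
    print("reordered     :", pf_first_match(reordered_ruleset(table), "fe80::1", 547, 546))
```

Running it shows that the only entry covering fe80::1 is 8000::/1, that the generated order blocks the DHCPv6 reply while the reordered set passes it, and that non-DHCPv6 traffic from the link-local gateway is still caught by the bogon rule in both orders, which is the behaviour a reordering fix preserves and a table edit does not.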
-
This whole bogonsv6 idea seems to do more harm than good, starting from insane memory usage and ending with blocking legitimate traffic. How about dumping it altogether, huh?