IPv6 - Open Firewall… despite some rules, it cannot be closed...?!
-
Hi,
After setting up IPv6 via 6to4 on German Telekom, which works for my subnets, I noticed that every IPv6 address is directly reachable from the internet…
So I tried to set up some rules (for the VDSL trunk and for my three (sub)networks) like this:
So everything should be blocked. Later I'd punch some holes in the firewall to reach some IPv6 clients only on port 22 and so on…
But it does not work! Even those "dumb" reject-all rules for everything IPv6 from everywhere don't filter anything... First I thought it was the lockout rules (22 + 80), which are there to pass at least port 22 - but no, on another host nmap -6 found port 53 open (and working) as well...
[Edit]
The above happened even though IPv6 support was still disabled in the advanced config:
Allow IPv6: All IPv6 traffic will be blocked by the firewall unless this box is checked. NOTE: This does not disable any IPv6 features on the firewall, it only blocks traffic.
I thought enabling it might make it possible to create some "reject" firewall rules… but no. The IPv6 part is totally open and absolutely unfiltered!
So for now I can only disable the IPv6 part in my PPPoE settings, since the firewall renders itself totally useless...
What's happening here?
Cheers,
4920441
-
Hmm, I remember a discussion about this over in the 2.1 forums. It ended with jimp pushing a fix for this IIRC.
Can you try to override that problem with a floating rule that has the Quick option set?
Could you post your rule set? It's in /tmp/rules.debug
-
It would be interesting to confirm what is in /tmp/rules.debug - does it have lines about "block in drop quick inet6"? Those should be in there when Allow IPv6 is unchecked. I fully expect they will be (they always have been when I looked recently).
It sounds like IPv6 packets arriving on VDSLTRUNK are not passing through pf at all. The special thing about this configuration is that the PPPoE WAN is not given a public IPv6 address by the ISP. The packets with global IPv6 source and destination addresses must be passed across the hop from the ISP router to the pfSense WAN interface in packets that use the link-local addresses assigned on either end of the PPPoE interface.
Maybe it will turn out to be some issue with these link-local packets not being handed to pf for processing?
-
You said you're using a 6to4 tunnel; if that's the case, are you sure you're using the correct interface for the rule? From your WAN interface's point of view, the IPv6 traffic is encapsulated in IPv4, so a rule like that wouldn't match (assuming VDSLTRUNK is in fact your WAN).
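To make the encapsulation point concrete, here is an added example (not code from this thread, pfSense or FreeBSD) of the 6to4 address arithmetic from RFC 3056: a site's /48 is 2002: followed by the hex of its WAN IPv4 address, the tunnel itself is IPv4 protocol 41 on the wire, and the IPv6 header only exists after the stf interface has decapsulated it. The block also shows the source-consistency check a 6to4 router should apply before the inner packet reaches the packet filter (the security considerations of RFC 3056 and RFC 3964): when the inner IPv6 source is a 2002:: address, the IPv4 embedded in it must equal the outer IPv4 source, otherwise the packet is spoofed. The WAN address 90.90.90.90 is the (anonymised) one from the ruleset posted later in the thread; every other address is constructed for the example.

```python
"""6to4 address arithmetic and the decapsulation sanity check.

Added example for this thread, not pfSense or FreeBSD code. It models what a
6to4 site router does conceptually before the firewall sees an 'inet6' packet.
All addresses are constructed except 90.90.90.90, the anonymised WAN address
from the posted rules.debug.
"""
import ipaddress
from typing import Optional, Tuple

SIXTO4 = ipaddress.IPv6Network("2002::/16")   # RFC 3056 well-known prefix
IPPROTO_IPV6 = 41                            # outer IPv4 protocol of 6to4 / 6in4 tunnels


def prefix_for(wan_v4: str) -> ipaddress.IPv6Network:
    """Derive the site /48: 2002:VVVV:VVVV::/48 where V is the WAN IPv4 address."""
    v4 = int(ipaddress.IPv4Address(wan_v4))
    return ipaddress.IPv6Network(((0x2002 << 112) | (v4 << 80), 48))


def embedded_v4(addr_v6: str) -> Optional[ipaddress.IPv4Address]:
    """IPv4 tunnel endpoint embedded in a 2002::/16 address; None for native IPv6."""
    v6 = ipaddress.IPv6Address(addr_v6)
    if v6 not in SIXTO4:
        return None
    return ipaddress.IPv4Address((int(v6) >> 80) & 0xFFFFFFFF)


def accept_decapsulated(outer_src_v4: str, inner_src_v6: str, inner_dst_v6: str,
                        wan_v4: str) -> Tuple[bool, str]:
    """Decide whether a decapsulated 6to4 packet may be handed to the firewall.

    Two checks a 6to4 site router applies before pf ever sees an inet6 packet:
      1. a 2002:: inner source must embed the outer IPv4 source (anti-spoofing);
         a native source arriving via a relay cannot be checked this way and
         goes on to the next check;
      2. the inner destination must lie inside our own /48, since a site router
         (unlike a relay) should not forward other sites' 6to4 traffic.
    """
    src_v4 = embedded_v4(inner_src_v6)
    if src_v4 is not None and src_v4 != ipaddress.IPv4Address(outer_src_v4):
        return False, "inner 6to4 source %s does not embed outer IPv4 source %s" % (
            inner_src_v6, outer_src_v4)
    own = prefix_for(wan_v4)
    if ipaddress.IPv6Address(inner_dst_v6) not in own:
        return False, "destination %s is outside our prefix %s" % (inner_dst_v6, own)
    return True, "ok: pf now sees an inet6 packet on the stf interface"


if __name__ == "__main__":
    print(prefix_for("90.90.90.90"))            # 2002:5a5a:5a5a::/48
    print(embedded_v4("2002:5a5a:5a5a:64::1"))  # 90.90.90.90
    # constructed peers: a genuine 6to4 site 192.0.2.1, a spoofer 198.51.100.9,
    # a native host reached through the 6to4 relay anycast 192.88.99.1
    for outer, inner_src, inner_dst in [
        ("192.0.2.1", "2002:c000:201::1", "2002:5a5a:5a5a:64::10"),
        ("198.51.100.9", "2002:c000:201::1", "2002:5a5a:5a5a:64::10"),
        ("192.88.99.1", "2001:db8::1", "2002:5a5a:5a5a:64::10"),
        ("192.0.2.1", "2002:c000:201::1", "2002:808:808::1"),
    ]:
        print(outer, inner_src, "->", inner_dst,
              accept_decapsulated(outer, inner_src, inner_dst, "90.90.90.90"))
```

The practical consequence for rule writing: on the PPPoE interface a rule must match `proto 41` to see this traffic at all, and only a rule on the stf interface (wan_stf in the posted alias) can match `inet6` addresses.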
-
As far as I know, German T-Com's IPv6 capable lines are dual-stack, not 6to4. I think the OP means IA-PD. Here's a link to the other topic regarding his setup:
http://forum.pfsense.org/index.php/topic,65123.0.html
-
> As far as I know, German T-Com's IPv6 capable lines are dual-stack, not 6to4. I think the OP means IA-PD. Here's a link to the other topic regarding his setup:
> http://forum.pfsense.org/index.php/topic,65123.0.html

I have two German Telekom lines; the newer one really is a dual-stack capable access with a "real" IPv6 address beginning with 2003x:…
The other (older) one, which is the one discussed here, really is a 6to4 tunnel that embeds the IPv4 address in the IPv6 address, configured like this...
So it makes perfect sense that the IPv6 rule on my VDSLTRUNK interface does not match, because on this interface the IPv6 packets are encapsulated in IPv4…
What does not make sense is that nothing is blocked even though "Allow IPv6 traffic" wasn't checked in the advanced config tab.
What does not make sense either is that even if I deny all IPv6 traffic from the internal LAN to anywhere, it still gets through...
Although it is encapsulated on the VDSLTRUNK interface, it is not encapsulated on the LAN interface, is it? Here is my /tmp/rules.debug.
The interface I'd like to use is the VDSLTRUNK interface. The box has another interface named "FRITZ" which is connected to another Telekom line with "real" IPv6 dual stack, so ignore that; I ignore it as well... :-)

[2.1-RC1][root@rotorouter-3.intra]/root(1): cat /tmp/rules.debug
set limit tables 3000
set optimization normal
set timeout { adaptive.start 0, adaptive.end 0 }
set limit states 198000
set limit src-nodes 198000

#System aliases
loopback = "{ lo0 }"
VDSLTRUNK = "{ pppoe0 wan_stf }"
FAMILYLAN = "{ bce0 }"
SOFTCELLINTRA = "{ bce1_vlan10 }"
SOFTCELLMAIL = "{ bce1_vlan20 }"
SOFTCELLWEB = "{ bce1_vlan30 }"
VLAN7_VDSLTRNK = "{ em0_vlan7 }"
FRITZ = "{ vr0 }"
OpenVPN = "{ openvpn }"

#SSH Lockout Table
table <sshlockout> persist
table <webconfiguratorlockout> persist

#Snort tables
table <snort2c>
table <virusprot>
table <bogons> persist file "/etc/bogons"
table <bogonsv6> persist file "/etc/bogonsv6"
table <vpn_networks> { 10.6.75.0/24 10.4.5.0/24 }
table <negate_networks> { 10.6.75.0/24 10.4.5.0/24 }

# User Aliases

# Gateways
GWVDSLTRUNK_PPPOE = " route-to ( pppoe0 80.80.80.80 ) "
GWFRITZ_DHCP = " route-to ( vr0 192.168.49.1 ) "
GWVDSLTRUNK_6TO4 = " route-to ( wan_stf 2002:ccd8:d3d1:: ) "
GWFRITZ_DHCP6 = " route-to ( vr0 fe80::c225:6ff:feaf:b255 ) "

set loginterface bce0
set skip on pfsync0

scrub on $VDSLTRUNK all fragment reassemble
scrub on $FAMILYLAN all fragment reassemble
scrub on $SOFTCELLINTRA all fragment reassemble
scrub on $SOFTCELLMAIL all fragment reassemble
scrub on $SOFTCELLWEB all fragment reassemble
scrub on $VLAN7_VDSLTRNK all fragment reassemble
scrub on $FRITZ all fragment reassemble

altq on bce1_vlan10 hfsc queue { qInternet }
queue qInternet on bce1_vlan10 bandwidth 500000Kb hfsc ( ecn , linkshare 500000Kb , upperlimit 500000Kb ) { qACK, qP2P, qVoIP, qOthersHigh, qOthersLow }
queue qACK on bce1_vlan10 bandwidth 17.994% hfsc ( ecn , linkshare 17.994% )
queue qP2P on bce1_vlan10 bandwidth 10% qlimit 500 hfsc ( ecn , default , linkshare 10% , upperlimit 10% )
queue qVoIP on bce1_vlan10 bandwidth 32Kb hfsc ( ecn , realtime 128Kb )
queue qOthersHigh on bce1_vlan10 bandwidth 8.997% hfsc ( ecn , linkshare 8.997% )
queue qOthersLow on bce1_vlan10 bandwidth 4.4985% hfsc ( ecn , linkshare 4.4985% )

altq on bce1_vlan20 hfsc queue { qInternet }
queue qInternet on bce1_vlan20 bandwidth 500000Kb hfsc ( ecn , linkshare 500000Kb , upperlimit 500000Kb ) { qACK, qP2P, qVoIP, qOthersHigh, qOthersLow }
queue qACK on bce1_vlan20 bandwidth 17.994% hfsc ( ecn , linkshare 17.994% )
queue qP2P on bce1_vlan20 bandwidth 10% qlimit 500 hfsc ( ecn , default , linkshare 10% , upperlimit 10% )
queue qVoIP on bce1_vlan20 bandwidth 32Kb hfsc ( ecn , realtime 128Kb )
queue qOthersHigh on bce1_vlan20 bandwidth 8.997% hfsc ( ecn , linkshare 8.997% )
queue qOthersLow on bce1_vlan20 bandwidth 4.4985% hfsc ( ecn , linkshare 4.4985% )

altq on bce1_vlan30 hfsc queue { qInternet }
queue qInternet on bce1_vlan30 bandwidth 500000Kb hfsc ( ecn , linkshare 500000Kb , upperlimit 500000Kb ) { qACK, qP2P, qVoIP, qOthersHigh, qOthersLow }
queue qACK on bce1_vlan30 bandwidth 17.994% hfsc ( ecn , linkshare 17.994% )
queue qP2P on bce1_vlan30 bandwidth 10% qlimit 500 hfsc ( ecn , default , linkshare 10% , upperlimit 10% )
queue qVoIP on bce1_vlan30 bandwidth 32Kb hfsc ( ecn , realtime 128Kb )
queue qOthersHigh on bce1_vlan30 bandwidth 8.997% hfsc ( ecn , linkshare 8.997% )
queue qOthersLow on bce1_vlan30 bandwidth 4.4985% hfsc ( ecn , linkshare 4.4985% )

altq on vr0 hfsc queue { qInternet }
queue qInternet on vr0 bandwidth 500000Kb hfsc ( ecn , linkshare 500000Kb , upperlimit 500000Kb ) { qACK, qP2P, qVoIP, qOthersHigh, qOthersLow }
queue qACK on vr0 bandwidth 17.994% hfsc ( ecn , linkshare 17.994% )
queue qP2P on vr0 bandwidth 10% qlimit 500 hfsc ( ecn , default , linkshare 10% , upperlimit 10% )
queue qVoIP on vr0 bandwidth 32Kb hfsc ( ecn , realtime 128Kb )
queue qOthersHigh on vr0 bandwidth 8.997% hfsc ( ecn , linkshare 8.997% )
queue qOthersLow on vr0 bandwidth 4.4985% hfsc ( ecn , linkshare 4.4985% )

altq on pppoe0 hfsc bandwidth 10000Kb queue { qACK, qOthersDefault, qP2P, qVoIP, qOthersHigh, qOthersLow }
queue qACK on pppoe0 bandwidth 17.938% hfsc ( ecn , linkshare 17.938% )
queue qOthersDefault on pppoe0 bandwidth 8.969% hfsc ( ecn )
queue qP2P on pppoe0 bandwidth 10% hfsc ( ecn , default , linkshare 10% , upperlimit 10% )
queue qVoIP on pppoe0 bandwidth 32Kb hfsc ( ecn , realtime 128Kb )
queue qOthersHigh on pppoe0 bandwidth 8.969% hfsc ( ecn , linkshare 8.969% )
queue qOthersLow on pppoe0 bandwidth 4.4845% hfsc ( ecn , linkshare 4.4845% )

no nat proto carp
no rdr proto carp
nat-anchor "natearly/*"
nat-anchor "natrules/*"

# Outbound NAT rules
nat on $VDSLTRUNK from 192.168.128.0/24 to any port 500 -> 90.90.90.90/32 static-port
nat on $VDSLTRUNK from 192.168.128.0/24 to any -> 90.90.90.90/32 port 1024:65535
nat on $VDSLTRUNK from 127.0.0.0/8 to any -> 90.90.90.90/32 port 1024:65535
nat on $VDSLTRUNK from 10.6.75.0/24 to any -> 90.90.90.90/32 port 1024:65535
nat on $VDSLTRUNK from 10.4.5.0/24 to any -> 90.90.90.90/32 port 1024:65535
nat on $VDSLTRUNK from 192.168.64.0/24 to any port 500 -> 90.90.90.90/32 static-port
nat on $VDSLTRUNK from 192.168.64.0/24 to any -> 90.90.90.90/32 port 1024:65535
nat on $VDSLTRUNK from 127.0.0.0/8 to any -> 90.90.90.90/32 port 1024:65535
nat on $VDSLTRUNK from 10.6.75.0/24 to any -> 90.90.90.90/32 port 1024:65535
nat on $VDSLTRUNK from 10.4.5.0/24 to any -> 90.90.90.90/32 port 1024:65535
nat on $VDSLTRUNK from 192.168.65.0/24 to any port 500 -> 90.90.90.90/32 static-port
nat on $VDSLTRUNK from 192.168.65.0/24 to any -> 90.90.90.90/32 port 1024:65535
nat on $VDSLTRUNK from 127.0.0.0/8 to any -> 90.90.90.90/32 port 1024:65535
nat on $VDSLTRUNK from 10.6.75.0/24 to any -> 90.90.90.90/32 port 1024:65535
nat on $VDSLTRUNK from 10.4.5.0/24 to any -> 90.90.90.90/32 port 1024:65535
nat on $VDSLTRUNK from 192.168.66.0/24 to any port 500 -> 90.90.90.90/32 static-port
nat on $VDSLTRUNK from 192.168.66.0/24 to any -> 90.90.90.90/32 port 1024:65535
nat on $VDSLTRUNK from 127.0.0.0/8 to any -> 90.90.90.90/32 port 1024:65535
nat on $VDSLTRUNK from 10.6.75.0/24 to any -> 90.90.90.90/32 port 1024:65535
nat on $VDSLTRUNK from 10.4.5.0/24 to any -> 90.90.90.90/32 port 1024:65535
nat on $FRITZ from any to any -> 192.168.49.29/32 port 1024:65535

# Load balancing anchor
rdr-anchor "relayd/*"
# TFTP proxy
rdr-anchor "tftp-proxy/*"
# NAT Inbound Redirects
# UPnPd rdr anchor
rdr-anchor "miniupnpd"

anchor "relayd/*"
anchor "openvpn/*"
anchor "ipsec/*"
#---------------------------------------------------------------------------
# default deny rules
#---------------------------------------------------------------------------
block in log inet all label "Default deny rule IPv4"
block out log inet all label "Default deny rule IPv4"
block in log inet6 all label "Default deny rule IPv6"
block out log inet6 all label "Default deny rule IPv6"

# IPv6 ICMP is not auxilary, it is required for operation
# See man icmp6(4)
# 1    unreach         Destination unreachable
# 2    toobig          Packet too big
# 128  echoreq         Echo service request
# 129  echorep         Echo service reply
# 133  routersol       Router solicitation
# 134  routeradv       Router advertisement
# 135  neighbrsol      Neighbor solicitation
# 136  neighbradv      Neighbor advertisement
pass quick inet6 proto ipv6-icmp from any to any icmp6-type {1,2,135,136} keep state

# Allow only bare essential icmpv6 packets (NS, NA, and RA, echoreq, echorep)
pass out quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type {129,133,134,135,136} keep state
pass out quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type {129,133,134,135,136} keep state
pass in quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type {128,133,134,135,136} keep state
pass in quick inet6 proto ipv6-icmp from ff02::/16 to fe80::/10 icmp6-type {128,133,134,135,136} keep state
pass in quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type {128,133,134,135,136} keep state

# We use the mighty pf, we cannot be fooled.
block quick inet proto { tcp, udp } from any port = 0 to any
block quick inet proto { tcp, udp } from any to any port = 0
block quick inet6 proto { tcp, udp } from any port = 0 to any
block quick inet6 proto { tcp, udp } from any to any port = 0

# Snort package
block quick from <snort2c> to any label "Block snort2c hosts"
block quick from any to <snort2c> label "Block snort2c hosts"

# SSH lockout
block in log quick proto tcp from <sshlockout> to any port 22 label "sshlockout"

# webConfigurator lockout
block in log quick proto tcp from <webconfiguratorlockout> to any port 80 label "webConfiguratorlockout"
block in quick from <virusprot> to any label "virusprot overload table"

# block bogon networks
# http://www.cymru.com/Documents/bogon-bn-nonagg.txt
# http://www.team-cymru.org/Services/Bogons/fullbogons-ipv6.txt
block in log quick on $VDSLTRUNK from <bogons> to any label "block bogon IPv4 networks from VDSLTRUNK"
block in log quick on $VDSLTRUNK from <bogonsv6> to any label "block bogon IPv6 networks from VDSLTRUNK"
antispoof for pppoe0
# block anything from private networks on interfaces with the option set
antispoof for $VDSLTRUNK
block in log quick on $VDSLTRUNK from 10.0.0.0/8 to any label "Block private networks from VDSLTRUNK block 10/8"
block in log quick on $VDSLTRUNK from 127.0.0.0/8 to any label "Block private networks from VDSLTRUNK block 127/8"
block in log quick on $VDSLTRUNK from 100.64.0.0/10 to any label "Block private networks from VDSLTRUNK block 100.64/10"
block in log quick on $VDSLTRUNK from 172.16.0.0/12 to any label "Block private networks from VDSLTRUNK block 172.16/12"
block in log quick on $VDSLTRUNK from 192.168.0.0/16 to any label "Block private networks from VDSLTRUNK block 192.168/16"
block in log quick on $VDSLTRUNK from fc00::/7 to any label "Block ULA networks from VDSLTRUNK block fc00::/7"
# allow our proto 41 traffic from the 6to4 border relay in
pass in on $VDSLTRUNK proto 41 from any to 90.90.90.90 label "Allow 6in4 traffic in for 6to4 on VDSLTRUNK"
pass out on $VDSLTRUNK proto 41 from 90.90.90.90 to any label "Allow 6in4 traffic out for 6to4 on VDSLTRUNK"
pass in on $VDSLTRUNK inet6 from any to 2002:5555:ffff::/16 label "Allow 6in4 traffic in for 6to4 on VDSLTRUNK"
pass out on $VDSLTRUNK inet6 from 2002:5555:ffff::/16 to any label "Allow 6in4 traffic out for 6to4 on VDSLTRUNK"
antispoof for bce0
# allow access to DHCP server on FAMILYLAN
pass in quick on $FAMILYLAN proto udp from any port = 68 to 255.255.255.255 port = 67 label "allow access to DHCP server"
pass in quick on $FAMILYLAN proto udp from any port = 68 to 192.168.128.254 port = 67 label "allow access to DHCP server"
pass out quick on $FAMILYLAN proto udp from 192.168.128.254 port = 67 to any port = 68 label "allow access to DHCP server"
# allow access to DHCPv6 server on FAMILYLAN
# We need inet6 icmp for stateless autoconfig and dhcpv6
pass quick on $FAMILYLAN inet6 proto udp from fe80::/10 to fe80::/10 port = 546 label "allow access to DHCPv6 server"
pass quick on $FAMILYLAN inet6 proto udp from fe80::/10 to ff02::/16 port = 546 label "allow access to DHCPv6 server"
pass quick on $FAMILYLAN inet6 proto udp from fe80::/10 to ff02::/16 port = 547 label "allow access to DHCPv6 server"
pass quick on $FAMILYLAN inet6 proto udp from ff02::/16 to fe80::/10 port = 547 label "allow access to DHCPv6 server"
pass in quick on $FAMILYLAN inet6 proto udp from fe80::/10 to 2002:ff11:2ff1:234::1 port = 546 label "allow access to DHCPv6 server"
pass out quick on $FAMILYLAN inet6 proto udp from 2002:5555:ffff:128::1 port = 547 to fe80::/10 label "allow access to DHCPv6 server"
antispoof for bce1_vlan10
# allow access to DHCP server on SOFTCELLINTRA
pass in quick on $SOFTCELLINTRA proto udp from any port = 68 to 255.255.255.255 port = 67 label "allow access to DHCP server"
pass in quick on $SOFTCELLINTRA proto udp from any port = 68 to 192.168.64.254 port = 67 label "allow access to DHCP server"
pass out quick on $SOFTCELLINTRA proto udp from 192.168.64.254 port = 67 to any port = 68 label "allow access to DHCP server"
# allow access to DHCPv6 server on SOFTCELLINTRA
# We need inet6 icmp for stateless autoconfig and dhcpv6
pass quick on $SOFTCELLINTRA inet6 proto udp from fe80::/10 to fe80::/10 port = 546 label "allow access to DHCPv6 server"
pass quick on $SOFTCELLINTRA inet6 proto udp from fe80::/10 to ff02::/16 port = 546 label "allow access to DHCPv6 server"
pass quick on $SOFTCELLINTRA inet6 proto udp from fe80::/10 to ff02::/16 port = 547 label "allow access to DHCPv6 server"
pass quick on $SOFTCELLINTRA inet6 proto udp from ff02::/16 to fe80::/10 port = 547 label "allow access to DHCPv6 server"
pass in quick on $SOFTCELLINTRA inet6 proto udp from fe80::/10 to 2002:0000:0000:64::1 port = 546 label "allow access to DHCPv6 server"
pass out quick on $SOFTCELLINTRA inet6 proto udp from 2002:5555:ffff:64::1 port = 547 to fe80::/10 label "allow access to DHCPv6 server"
antispoof for bce1_vlan20
# allow access to DHCPv6 server on SOFTCELLMAIL
# We need inet6 icmp for stateless autoconfig and dhcpv6
pass quick on $SOFTCELLMAIL inet6 proto udp from fe80::/10 to fe80::/10 port = 546 label "allow access to DHCPv6 server"
pass quick on $SOFTCELLMAIL inet6 proto udp from fe80::/10 to ff02::/16 port = 546 label "allow access to DHCPv6 server"
pass quick on $SOFTCELLMAIL inet6 proto udp from fe80::/10 to ff02::/16 port = 547 label "allow access to DHCPv6 server"
pass quick on $SOFTCELLMAIL inet6 proto udp from ff02::/16 to fe80::/10 port = 547 label "allow access to DHCPv6 server"
pass in quick on $SOFTCELLMAIL inet6 proto udp from fe80::/10 to 2002:000:000::1 port = 546 label "allow access to DHCPv6 server"
pass out quick on $SOFTCELLMAIL inet6 proto udp from 2002:5555:ffff::1 port = 547 to fe80::/10 label "allow access to DHCPv6 server"
antispoof for bce1_vlan30
antispoof for vr0
# allow our DHCP client out to the FRITZ
pass in on $FRITZ proto udp from any port = 67 to any port = 68 label "allow dhcp client out FRITZ"
pass out on $FRITZ proto udp from any port = 68 to any port = 67 label "allow dhcp client out FRITZ"
# Not installing DHCP server firewall rules for FRITZ which is configured for DHCP.
# allow our DHCPv6 client out to the FRITZ
pass in quick on $FRITZ proto udp from fe80::/10 port = 546 to fe80::/10 port = 546 label "allow dhcpv6 client in FRITZ"
pass in quick on $FRITZ proto udp from any port = 547 to any port = 546 label "allow dhcpv6 client in FRITZ"
pass out quick on $FRITZ proto udp from any port = 546 to any port = 547 label "allow dhcpv6 client out FRITZ"
# loopback
pass in on $loopback inet all label "pass IPv4 loopback"
pass out on $loopback inet all label "pass IPv4 loopback"
pass in on $loopback inet6 all label "pass IPv6 loopback"
pass out on $loopback inet6 all label "pass IPv6 loopback"
# let out anything from the firewall host itself and decrypted IPsec traffic
pass out inet all keep state allow-opts label "let out anything IPv4 from firewall host itself"
pass out inet6 all keep state allow-opts label "let out anything IPv6 from firewall host itself"
pass out route-to ( pppoe0 80.80.80.80 ) from 90.90.90.90 to !90.90.90.90/32 keep state allow-opts label "let out anything from firewall host itself"
pass out route-to ( wan_stf 2002:0000:0000:: ) inet6 from 2002:0000:0000:: to !2002:0000:000::/48 keep state allow-opts label "let out anything from firewall host itself"
pass out route-to ( vr0 192.168.49.1 ) from 192.168.49.29 to !192.168.49.0/24 keep state allow-opts label "let out anything from firewall host itself"
pass out route-to ( vr0 fe80::c225:6cf:ceaf:cccc ) inet6 from 2003:57:ccc7:6ff0:ff0:ffff:ff54:3454 to !2003:57:ccc7:6ff0:ff0:ffff:ff54:3454/64 keep state allow-opts label "let out anything from firewall host itself"
# make sure the user cannot lock himself out of the webConfigurator or SSH
pass in quick on bce0 proto tcp from any to (bce0) port { 80 22 } keep state label "anti-lockout rule"

# User-defined rules follow
anchor "userrules/*"
match on { pppoe0 } proto udp from any to any queue (qVoIP) label "USER_RULE: DiffServ/Lowdelay/Upload"
match on { pppoe0 } proto tcp from any to any port 3389 flags S/SA queue (qOthersHigh,qACK) label "USER_RULE: m_Other MSRDP outbound"
match on { pppoe0 } proto tcp from any to any port 5899 >< 5931 flags S/SA queue (qOthersHigh,qACK) label "USER_RULE: m_Other VNC outbound"
match on { pppoe0 } proto tcp from any to any port 3283 flags S/SA queue (qOthersHigh,qACK) label "USER_RULE: m_Other AppleRemoteDesktop1 outbound"
match on { pppoe0 } proto tcp from any to any port 5900 flags S/SA queue (qOthersHigh,qACK) label "USER_RULE: m_Other AppleRemoteDesktop2 outbound"
match on { pppoe0 } proto udp from any to any port 3283 queue (qOthersHigh) label "USER_RULE: m_Other AppleRemoteDesktop3 outbound"
match on { pppoe0 } proto udp from any to any port 5900 queue (qOthersHigh) label "USER_RULE: m_Other AppleRemoteDesktop4 outbound"
match on { pppoe0 } proto tcp from any to any port 5631 flags S/SA queue (qOthersDefault,qACK) label "USER_RULE: m_Other pcany1 outbound"
match on { pppoe0 } proto udp from any to any port 5632 queue (qOthersDefault) label "USER_RULE: m_Other pcany2 outbound"
match on { pppoe0 } proto tcp from any to any port 6666 >< 6671 flags S/SA queue (qOthersDefault,qACK) label "USER_RULE: m_Other IRC outbound"
match on { pppoe0 } proto tcp from any to any port 5222 flags S/SA queue (qOthersDefault,qACK) label "USER_RULE: m_Other IRC outbound"
match on { pppoe0 } proto tcp from any to any port 5223 flags S/SA queue (qOthersDefault,qACK) label "USER_RULE: m_Other IRC outbound"
match on { pppoe0 } proto tcp from any to any port 5269 flags S/SA queue (qOthersDefault,qACK) label "USER_RULE: m_Other IRC outbound"
match on { pppoe0 } proto tcp from any to any port 5190 flags S/SA queue (qOthersDefault,qACK) label "USER_RULE: m_Other ICQ1 outbound"
match on { pppoe0 } proto udp from any to any port 5190 queue (qOthersDefault) label "USER_RULE: m_Other ICQ2 outbound"
match on { pppoe0 } proto tcp from any to any port 5190 flags S/SA queue (qOthersDefault,qACK) label "USER_RULE: m_Other AIM outbound"
match on { pppoe0 } proto tcp from any to any port 1863 flags S/SA queue (qOthersDefault,qACK) label "USER_RULE: m_Other MSN1 outbound"
match on { pppoe0 } proto tcp from any to any port 6890 >< 6901 flags S/SA queue (qOthersDefault,qACK) label "USER_RULE: m_Other MSN2 outbound"
match on { pppoe0 } proto tcp from any to any port 6901 flags S/SA queue (qOthersDefault,qACK) label "USER_RULE: m_Other MSN3 outbound"
match on { pppoe0 } proto udp from any to any port 6901 queue (qOthersDefault) label "USER_RULE: m_Other MSN4 outbound"
match on { pppoe0 } proto tcp from any to any port 14534 flags S/SA queue (qOthersHigh,qACK) label "USER_RULE: m_Other teamspeak1 outbound"
match on { pppoe0 } proto tcp from any to any port 51234 flags S/SA queue (qOthersHigh,qACK) label "USER_RULE: m_Other teamspeak2 outbound"
match on { pppoe0 } proto udp from any to any port 8766 >< 8769 queue (qOthersHigh) label "USER_RULE: m_Other teamspeak3 outbound"
match on { pppoe0 } proto tcp from any to any port 1723 flags S/SA queue (qOthersDefault,qACK) label "USER_RULE: m_Other PPTP outbound"
match on { pppoe0 } proto gre from any to any queue (qOthersDefault) label "USER_RULE: m_Other PPTPGRE outbound"
match on { pppoe0 } proto udp from any to any port 500 queue (qOthersDefault) label "USER_RULE: m_Other IPSEC outbound"
match on { pppoe0 } proto ah from any to any queue (qOthersDefault) label "USER_RULE: m_Other IPSEC outbound"
match on { pppoe0 } proto esp from any to any queue (qOthersDefault) label "USER_RULE: m_Other IPSEC outbound"
match on { pppoe0 } proto tcp from any to any port 7999 >< 8101 flags S/SA queue (qOthersHigh,qACK) label "USER_RULE: m_Other STREAMINGMP3 outbound"
match on { pppoe0 } proto tcp from any to any port 554 flags S/SA queue (qOthersHigh,qACK) label "USER_RULE: m_Other RTSP1 outbound"
match on { pppoe0 } proto tcp from any to any port 80 flags S/SA queue (qOthersDefault,qACK) label "USER_RULE: m_Other HTTP outbound"
match on { pppoe0 } proto tcp from any to any port 443 flags S/SA queue (qOthersDefault,qACK) label "USER_RULE: m_Other HTTPS outbound"
match on { pppoe0 } proto tcp from any to any port 25 flags S/SA queue (qOthersDefault,qACK) label "USER_RULE: m_Other SMTP outbound"
match on { pppoe0 } proto tcp from any to any port 110 flags S/SA queue (qOthersDefault,qACK) label "USER_RULE: m_Other POP3 outbound"
match on { pppoe0 } proto tcp from any to any port 143 flags S/SA queue (qOthersHigh,qACK) label "USER_RULE: m_Other IMAP outbound"
match on { pppoe0 } proto tcp from any to any port 1352 flags S/SA queue (qOthersDefault,qACK) label "USER_RULE: m_Other LotusNotes1 outbound"
match on { pppoe0 } proto udp from any to any port 1352 queue (qOthersDefault) label "USER_RULE: m_Other LotusNotes2 outbound"
match on { pppoe0 } proto tcp from any to any port 53 flags S/SA queue (qOthersHigh,qACK) label "USER_RULE: m_Other DNS1 outbound"
match on { pppoe0 } proto udp from any to any port 53 queue (qOthersHigh) label "USER_RULE: m_Other DNS2 outbound"
match on { pppoe0 } proto icmp from any to any queue (qOthersHigh) label "USER_RULE: m_Other ICMP outbound"
match on { pppoe0 } proto tcp from any to any port 445 flags S/SA queue (qOthersDefault,qACK) label "USER_RULE: m_Other SMB1 outbound"
match on { pppoe0 } proto tcp from any to any port 136 >< 140 flags S/SA queue (qOthersDefault,qACK) label "USER_RULE: m_Other SMB2 outbound"
match on { pppoe0 } proto tcp from any to any port 161 flags S/SA queue (qOthersDefault,qACK) label "USER_RULE: m_Other SNMP outbound"
match on { pppoe0 } proto udp from any to any port 161 queue (qOthersDefault) label "USER_RULE: m_Other SNMP2 outbound"
match on { pppoe0 } proto tcp from any to any port 3306 flags S/SA queue (qOthersDefault,qACK) label "USER_RULE: m_Other MySQL1 outbound"
match on { pppoe0 } proto tcp from any to any port 119 flags S/SA queue (qOthersHigh,qACK) label "USER_RULE: m_Other NNTP1 outbound"
match on { pppoe0 } proto udp from any to any port 119 queue (qOthersHigh) label "USER_RULE: m_Other NNTP2 outbound"
match on { pppoe0 } proto tcp from any to any port 5999 flags S/SA queue (qOthersDefault,qACK) label "USER_RULE: m_Other cvsup outbound"
match on { pppoe0 } proto tcp from any to any port 5001 flags S/SA queue (qOthersDefault,qACK) label "USER_RULE: m_Other Slingbox1 outbound"
match on { pppoe0 } proto udp from any to any port 5001 queue (qOthersDefault) label "USER_RULE: m_Other Slingbox2 outbound"
match on { pppoe0 } proto tcp from any to any port 3000 flags S/SA queue (qOthersHigh,qACK) label "USER_RULE: m_Other HBCI outbound"
pass in quick on $OpenVPN from any to any label "USER_RULE: OpenVPN wizard"
pass in quick on $VDSLTRUNK reply-to ( pppoe0 80.80.80.80 ) proto tcp from any to 192.168.64.117 port 993 flags S/SA keep state label "USER_RULE: NAT IMAP to softcell.shacknet.nu -.intra"
pass in quick on $VDSLTRUNK reply-to ( pppoe0 80.80.80.80 ) proto udp from any to 90.90.90.90 port 1195 keep state label "USER_RULE: OpenVPN wizard"
pass in quick on $VDSLTRUNK reply-to ( pppoe0 80.80.80.80 ) proto udp from any to 90.90.90.90 port 1194 keep state label "USER_RULE: OpenVPN wizard"
pass in quick on $VDSLTRUNK reply-to ( pppoe0 80.80.80.80 ) proto tcp from any to 192.168.64.117 port 25 flags S/SA keep state label "USER_RULE: NAT smtp to mailserver softcell.shacknet.nu"
block return in quick on $VDSLTRUNK reply-to ( wan_stf 2002:0000:0000:: ) inet6 from any to 2002:xxxx:xxxe:64:ea40:x2xf:fx0x:ef24 label "USER_RULE: Block incoming IPv6"
block return in quick on $FAMILYLAN inet6 from any to any label "USER_RULE: Block all IPv6 Incoming"
pass in quick on $FAMILYLAN from 192.168.128.131 to 192.168.164.35 label "USER_RULE"
block in quick on $FAMILYLAN from any to 192.168.164.35 label "USER_RULE"
pass in quick on $FAMILYLAN from 192.168.128.0/24 to any label "USER_RULE: Default allow LAN to any rule"
pass in quick on $SOFTCELLINTRA from 192.168.64.254/24 to any label "USER_RULE"

# VPN Rules

anchor "tftp-proxy/*"
BTW: After I dumped the rules.debug I tried to make a "floating rule" (I don't get what the difference to any other rule is?)
But despite everything, it has no effect at all - all internal hosts which have an IPv6 address from the 6to4 VDSLTRUNK interface are still directly reachable.
Cheers,
4920441
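On the question of what makes a floating rule different: pf walks the ruleset top to bottom and the last matching rule decides, unless a matching rule carries `quick`, which ends evaluation on the spot. In the dump above, pfSense's own `pass in on $VDSLTRUNK inet6 from any to 2002:…/16` has no `quick`, interface-tab rules are emitted with `quick` after it, and a floating rule is placed ahead of the interface rules but is only `quick` if that box is ticked. The toy evaluator below is an added example, not pf or pfSense code: it understands only the subset of pf syntax used in its constructed rules (action, direction, `quick`, `on`, address family, `from`/`to` with `any` or a CIDR) and ignores protocol, ports and state. The 2002:5a5a:5a5a::/48 prefix is derived from the WAN address 90.90.90.90 in the dump; the other addresses are made up.

```python
"""Toy model of pf's rule evaluation order: last match wins unless 'quick'.

Added example for this thread, not pf or pfSense code. It parses only a small
subset of pf.conf syntax; tokens it does not know (log, return, proto, ports,
reply-to, keep state, ...) are skipped, and the label ends the rule.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Rule:
    action: str            # "pass", "block" or "match"
    direction: str         # "in", "out" or "" for both
    quick: bool
    iface: str             # "" means any interface
    af: str                # "inet", "inet6" or "" for both
    src: Optional[object]  # ipaddress network, None means 'any'
    dst: Optional[object]
    text: str


def _net(tok: str):
    return None if tok == "any" else ipaddress.ip_network(tok, strict=False)


def parse_rule(line: str) -> Rule:
    toks = line.split()
    r = Rule(toks[0], "", False, "", "", None, None, line)
    i = 1
    while i < len(toks):
        t = toks[i]
        if t in ("in", "out"):
            r.direction = t
        elif t == "quick":
            r.quick = True
        elif t == "on":
            i += 1
            r.iface = toks[i]
        elif t in ("inet", "inet6"):
            r.af = t
        elif t in ("from", "to"):
            i += 1
            setattr(r, "src" if t == "from" else "dst", _net(toks[i]))
        elif t == "label":
            break  # everything after the label is for humans
        i += 1
    return r


def matches(r: Rule, iface: str, direction: str, src: str, dst: str) -> bool:
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    af = "inet6" if s.version == 6 else "inet"
    return ((not r.direction or r.direction == direction)
            and (not r.iface or r.iface == iface)
            and (not r.af or r.af == af)
            and (r.src is None or s in r.src)
            and (r.dst is None or d in r.dst))


def evaluate(rules: List[Rule], iface: str, direction: str, src: str, dst: str) -> Tuple[str, str]:
    """Walk the ruleset like pf: remember the last matching pass/block rule, but
    stop at the first matching rule that has 'quick'. No match at all means pass."""
    winner = None
    for r in rules:
        if r.action == "match" or not matches(r, iface, direction, src, dst):
            continue  # 'match' rules only tag/queue, they never decide pass/block
        winner = r
        if r.quick:
            break
    if winner is None:
        return "pass", "(no rule matched; pf's implicit default is pass)"
    return winner.action, winner.text


# Constructed rules in the shape of the posted rules.debug: pfSense's default
# deny, its non-quick 6to4 pass-in rule, and a user rule blocking one /64.
SYSTEM = [
    'block in log inet6 all label "Default deny rule IPv6"',
    'pass in on wan_stf inet6 from any to 2002:5a5a:5a5a::/48 label "Allow 6in4 traffic in for 6to4"',
]
USER_BLOCK = 'block return in on wan_stf inet6 from any to 2002:5a5a:5a5a:64::/64 label "Block incoming IPv6"'


def decide(order: List[str], iface: str = "wan_stf", src: str = "2001:db8::1",
           dst: str = "2002:5a5a:5a5a:64::10") -> str:
    return evaluate([parse_rule(l) for l in order], iface, "in", src, dst)[0]


if __name__ == "__main__":
    # floating-style: user block before the system pass rule, no quick -> the
    # later pass rule also matches and last match wins
    print(decide([SYSTEM[0], USER_BLOCK, SYSTEM[1]]))                                     # pass
    # the same rule with quick -> evaluation stops at the block
    print(decide([SYSTEM[0], USER_BLOCK.replace("in on", "in quick on"), SYSTEM[1]]))     # block
    # interface-tab style: the user rule comes after the system pass rule -> block
    print(decide([SYSTEM[0], SYSTEM[1], USER_BLOCK]))                                     # block
    # a host outside the blocked /64 only hits the system pass rule -> pass
    print(decide([SYSTEM[0], SYSTEM[1], USER_BLOCK], dst="2002:5a5a:5a5a:128::1"))       # pass
```

The useful check on a real box is the same walk done by pf itself: `pfctl -vvsr` prints the loaded rules in evaluation order with their `quick` flags and per-rule hit counters, so a rule that never increments its counter is not seeing the packets at all, whatever its position.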
-
> As far as I know, German T-Com's IPv6 capable lines are dual-stack, not 6to4. I think the OP means IA-PD. Here's a link to the other topic regarding his setup:
> http://forum.pfsense.org/index.php/topic,65123.0.html

Right, but that is another access I use. German Telekom does not equip every access with dual stack; the older ones only get IPv6 via 6to4.
Cheers,
4920441