[2.1] ICMPv6 firewall logs



  • Hi,
    since pfsense 2.1 I have strange log entries under System Logs -> Firewall.
    Every 1-5 seconds I have the following log entry:

    act     time               if    source       dest        Proto
    block   Sep 20 00:49:45    WAN   [fe80::1]    [ff02::1]   ICMPv6


    I tried to disable these log entries but it does not work. I do not have IPv6 and have completely disabled it. Under System -> Advanced -> Networking, IPv6 is not enabled. I have also tried a filtering rule under each interface blocking any IPv6 proto without any logging. But I always get these log entries.
    Does anybody have this issue and have a hint for me?

    Greetings schirrmie



  • My firewall logs are also in IPv6 since the upgrade to 2.1. They were in IPv4 until the upgrade and I haven't been able to find the option to make the logs display IPv4.



  • Other log entries are in IPv4. Only these are in IPv6. IMHO this is correct because of ICMPv6. But why are these logged, and how do I disable them?



  • You have a machine in your network with IPv6 activated. The host is searching for routers at IP ff02::1. If you don't want to see them, add a reject rule with no log.



  • Hmm, the interface is always WAN and the source is [fe80::1]. IMO this is local loopback, so the source is pfsense, right? As I wrote before, I have a rule at the top of every interface blocking all IPv6 without logging, but it does not work.

    Greetings
    schirrmie



  • Are there any news on this?
    I ran into the same issue and couldn't find any solution until now.
    Please help :)



  • If you are not using IPv6, add a floating rule with block, no logging, select all interfaces, source any, destination any



  • @jflsakfja:

    If you are not using IPv6, add a floating rule with block, no logging, select all interfaces, source any, destination any

    The logging behavior did change.  The 'Log packets blocked by the default rule' setting did not use to apply to the implicit ipv6 rule that was enabled when ipv6 was disabled.  It was changed so that now it does.

    Adding the floating rule with block and no logging for ipv6 will not work if you have 'Log packets blocked by the default rule' enabled in Status -> System logs -> Settings.  The default implicit (hidden by the gui) block rule logs ipv6 traffic when ipv6 traffic is disabled in System -> Advanced -> Networking.

    Ideally there would be a 'Log packets blocked by the default rule' setting for ipv4 and ipv6 separately or just not log ipv6 when ipv6 is disabled.

    You can disable the 'Log packets blocked by the default rule' and then add your own rule at the top of the floating rules to block all ipv4 and log (do not enable 'QUICK' option) so that the default action for ipv4 will be to log blocked packets that don't match user rules.  Then all ipv6 should be dropped without logging.

    EDIT:  If any other implicit rules block ipv4 packets without specifically logging them then they will not be logged because they are before a floating rule you create with log specified.

    You can edit the /etc/inc/filter.inc file and remove the '$log' from the ipv6 implicit block rules.  Then only ipv4 will get logged by default when 'Log packets blocked by the default rule' is set.  This is how I handle it but it requires you to edit it again when you upgrade pfsense.



  • I've had logging enabled for the default rule and the floating rule for ipv6 and no ipv6 is getting logged.



  • @jflsakfja:

    I've had logging enabled for the default rule and the floating rule for ipv6 and no ipv6 is getting logged.

    Then I assume you have ipv6 enabled on your firewall in System -> Advanced -> Networking.  With ipv6 enabled the default ipv6 block and log will not be put into the rules… or you don't have any ipv6 traffic on your network?



  • IPv6 disabled, logging default rule enabled, IPv6 traffic on network, floating rule created as I said.

    No ipv6 logs show up. No, that's not correct.

    ipv6 logs were shown in the past, before adding the floating rule. Since the exact microsecond the floating rule was saved, loaded into the running configuration and was operational, NO further logs about ipv6 were logged. Nothing, absolutely not a single trace of logs. Did I mention that was after adding the floating rule? Did I mention that it did log in the past and after the floating rule it stopped? You do know that floating rules have a priority over other rules and are the first to be evaluated, right? Since the rule says don't allow this traffic, and also don't log this traffic, then NO logging will happen if you put a floating rule. That's not entirely correct and I will get flamed for it, so I'll clarify it further: THE RULE NEEDS TO HAVE THE QUICK MATCH ENABLED. That means that on a packet matching this rule, don't process that packet further, take the action dictated by the rule.

    So, in summary:
    If you are not using ipv6, add a floating rule with no logging enabled, quick match enabled.

    My mistake for not mentioning the quick match option in my first post.



  • With the latest releases of pfsense (2.1.1 and 2.1.2)… When 'Allow ipv6' is unchecked there is an implicit QUICK rule that goes before any floating rules that blocks ipv6.  If 'Log packets blocked by the default rule' is also checked then those block rules will also log the ipv6 packets.  No floating rule with ipv6 will change that behavior because floating rules come after the implicit.  I don't know why you are not seeing the same behavior if 'Allow ipv6' is unchecked.

    if (!isset($config['syslog']['nologdefaultblock']))
        $log = "log";        // 'Log packets blocked by the default rule' is checked
    else
        $log = "";

    if (!isset($config['system']['ipv6allow'])) {    // 'Allow IPv6' is unchecked
        $ipfrules .= "# Block all IPv6\n";
        $ipfrules .= "block in {$log} quick inet6 all label \"Block all IPv6\"\n";
        $ipfrules .= "block out {$log} quick inet6 all label \"Block all IPv6\"\n";
    }


    If default logging of blocked packets is enabled and 'Allow IPv6' is unchecked the following rules will be inserted before any user configurable rules…

    # Block all IPv6
    block in log quick inet6 all label "Block all IPv6"
    block out log quick inet6 all label "Block all IPv6"


    This comes before any user rules (floating or otherwise) so no user rules should be able to change the logging when both of those conditions are met ('Log packets blocked by the default rule' checked and 'Allow IPv6' unchecked).  If 'Log packets blocked by the default rule' is not checked then all ipv6 packets would be blocked without logging.  You could not add any floating rule that would change the implicit QUICK behavior rules.
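The disagreement in the thread comes down to pf's matching order: rules are evaluated top to bottom, the last matching rule decides the verdict, and a matching rule marked "quick" ends evaluation on the spot. The toy model below is an added illustration, not code from this thread or from pfSense. It encodes the two hidden "Block all IPv6" rules quoted above, a user floating rule that blocks IPv6 without logging, the ICMPv6 packet from the original poster's log (constructed from the log line), and a constructed "later logging block" stand-in for any logging block rule that happens to sit after the floating rule; the placement of that stand-in is an assumption of the model, not a statement about pfSense's real ruleset.

```python
# Toy model of pf rule evaluation: rules are checked in order, the LAST
# matching rule decides the verdict, unless a matching rule carries "quick",
# which stops evaluation immediately. Constructed for illustration only; it
# is not pfSense code and models just what the ordering question needs.
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    action: str      # "block" or "pass"
    direction: str   # "in", "out" or "any"
    family: str      # "inet", "inet6" or "any"
    quick: bool      # stop evaluation on match
    log: bool        # log when this rule is the deciding match
    label: str


@dataclass(frozen=True)
class Packet:
    direction: str
    family: str
    src: str
    dst: str
    proto: str


def matches(rule: Rule, pkt: Packet) -> bool:
    return (rule.direction in ("any", pkt.direction)
            and rule.family in ("any", pkt.family))


def evaluate(rules: List[Rule], pkt: Packet) -> Tuple[str, bool, Optional[str]]:
    """Return (action, logged, label) of the deciding rule.

    A packet matching no rule at all is passed silently (pf's default)."""
    winner: Optional[Rule] = None
    for rule in rules:
        if not matches(rule, pkt):
            continue
        winner = rule
        if rule.quick:
            break            # quick: later rules are never consulted
    if winner is None:
        return ("pass", False, None)
    return (winner.action, winner.log, winner.label)


def implicit_ipv6_block(log_default_block: bool) -> List[Rule]:
    """The two hidden rules quoted in the thread, emitted when 'Allow IPv6'
    is unchecked; 'log' is present only when default-block logging is on."""
    return [
        Rule("block", "in", "inet6", True, log_default_block, "Block all IPv6"),
        Rule("block", "out", "inet6", True, log_default_block, "Block all IPv6"),
    ]


def floating_ipv6_block(quick: bool) -> Rule:
    """A user floating rule: block IPv6, no logging. Label is constructed."""
    return Rule("block", "any", "inet6", quick, False, "Floating: block IPv6, no log")


# Constructed stand-in for any logging block rule evaluated AFTER the floating rule.
LATER_LOGGING_BLOCK = Rule("block", "any", "any", False, True, "Later logging block")

# The packet from the original poster's log: link-local source to the
# all-nodes multicast group, ICMPv6, arriving on WAN.
ICMPV6_ALL_NODES = Packet("in", "inet6", "fe80::1", "ff02::1", "ICMPv6")


def verdict_with_implicit_rules(log_default_block: bool, floating_quick: bool):
    """'Allow IPv6' unchecked: hidden quick rules sit before the floating rule."""
    rules = implicit_ipv6_block(log_default_block) + [floating_ipv6_block(floating_quick)]
    return evaluate(rules, ICMPV6_ALL_NODES)


def verdict_without_implicit_rules(floating_quick: bool):
    """No hidden rules: only the floating rule and a later logging block remain."""
    rules = [floating_ipv6_block(floating_quick), LATER_LOGGING_BLOCK]
    return evaluate(rules, ICMPV6_ALL_NODES)


if __name__ == "__main__":
    print("hidden rules, default logging on, floating quick:", verdict_with_implicit_rules(True, True))
    print("hidden rules, default logging off, floating quick:", verdict_with_implicit_rules(False, True))
    print("no hidden rules, floating NOT quick:", verdict_without_implicit_rules(False))
    print("no hidden rules, floating quick:", verdict_without_implicit_rules(True))
```

Running it shows both positions in the thread at once: while the hidden quick rules are present and default-block logging is on, the packet is logged by "Block all IPv6" no matter how the floating rule is configured, because evaluation never reaches it; once the hidden rules are out of the way, a floating rule without quick is overridden by any later matching rule that logs, and only a quick floating rule ends evaluation before that can happen.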