Netgate Discussion Forum

    Firewall has huge holes in it.

      Ofloo

      Because the IPv6 part of pfSense is just a mess, using WAN address in the web interface rather than the exact IP, the IPv6 isn't being filtered.

      To me, when you say block both IPv6 and IPv4 TCP 443 and you use target WAN address, they should both block the IPv4 and IPv6; however, it isn't doing that at all, probably because the PHP part doesn't properly catch the IPv6 assigned to the WAN.

      pfctl -sr | grep -i https
      block drop in log quick proto tcp from <webconfiguratorlockout> to any port = https label "webConfiguratorlockout"
      block drop in log quick on pppoe0 reply-to (pppoe0 213.219.132.x) inet proto tcp from ! 212.71.19.x/28 to 212.71.19.x port = https label "USER_RULE"
      block drop in log quick on pppoe0 reply-to (pppoe0 213.219.132.x) inet proto udp from ! 212.71.19.x/28 to 212.71.19.x port = https label "USER_RULE"
      block drop in log quick on pppoe0 reply-to (pppoe0 fe80::207:7dff:fe56:x) inet6 proto tcp from ! 2a02:578:x::/48 to 2a02:578:x::1 port = https label "USER_RULE"
      block drop in log quick on pppoe0 reply-to (pppoe0 fe80::207:7dff:fe56:x) inet6 proto udp from ! 2a02:578:x::/48 to 2a02:578:x::1 port = https label "USER_RULE"
      block drop in log quick on pppoe0 reply-to (pppoe0 213.219.132.x) inet proto tcp from ! 212.71.19.x/28 to 213.219.170.x port = https label "USER_RULE"
      block drop in log quick on pppoe0 reply-to (pppoe0 213.219.132.x) inet proto udp from ! 212.71.19.x/28 to 213.219.170.x port = https label "USER_RULE"

      See, for the LAN it just works.

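The complaint above is really two separate questions an admin can check from the ruleset alone: does every port blocked on the WAN have both an `inet` and an `inet6` rule, and do the destination addresses the GUI expanded "WAN address" into actually exist on the WAN interface? The script below is an added example, not part of the post or of pfSense. It parses the `pfctl -sr` lines quoted in the post (the `x` octets are the poster's redaction, so addresses are compared as strings rather than parsed as IPs) and reports both conditions. The interface address list is constructed for illustration, with the IPv6 global address deliberately set to a different host than the rules target so the mismatch report has something to show; on a real box it would come from `ifconfig pppoe0`.

```python
"""Audit pfctl -sr output for per-family coverage and for destination
addresses that are not on the WAN interface.  Added example, not from
the forum post or the pfSense project."""
import re
from collections import defaultdict

# Rule lines quoted from the post above (poster's "x" redaction kept).
PFCTL_OUTPUT = """\
block drop in log quick proto tcp from <webconfiguratorlockout> to any port = https label "webConfiguratorlockout"
block drop in log quick on pppoe0 reply-to (pppoe0 213.219.132.x) inet proto tcp from ! 212.71.19.x/28 to 212.71.19.x port = https label "USER_RULE"
block drop in log quick on pppoe0 reply-to (pppoe0 213.219.132.x) inet proto udp from ! 212.71.19.x/28 to 212.71.19.x port = https label "USER_RULE"
block drop in log quick on pppoe0 reply-to (pppoe0 fe80::207:7dff:fe56:x) inet6 proto tcp from ! 2a02:578:x::/48 to 2a02:578:x::1 port = https label "USER_RULE"
block drop in log quick on pppoe0 reply-to (pppoe0 fe80::207:7dff:fe56:x) inet6 proto udp from ! 2a02:578:x::/48 to 2a02:578:x::1 port = https label "USER_RULE"
block drop in log quick on pppoe0 reply-to (pppoe0 213.219.132.x) inet proto tcp from ! 212.71.19.x/28 to 213.219.170.x port = https label "USER_RULE"
block drop in log quick on pppoe0 reply-to (pppoe0 213.219.132.x) inet proto udp from ! 212.71.19.x/28 to 213.219.170.x port = https label "USER_RULE"
"""

# Constructed interface address set (hypothetical): IPv4 matches the rules,
# the IPv6 global address does not, to illustrate how a mismatch is reported.
WAN_ADDRS = {"212.71.19.x", "213.219.170.x", "fe80::207:7dff:fe56:x", "2a02:578:x::2"}

# Covers the pf rule grammar seen in the post: action, direction, optional
# log/quick/on/reply-to, optional address family, proto, from/to, port, label.
RULE_RE = re.compile(
    r'^(?P<action>pass|block(?: drop| return)?)\s+(?P<dir>in|out)'
    r'(?:\s+log)?(?:\s+quick)?'
    r'(?:\s+on\s+(?P<iface>\S+))?'
    r'(?:\s+reply-to\s+\([^)]*\))?'
    r'(?:\s+(?P<af>inet6?))?'
    r'(?:\s+proto\s+(?P<proto>\S+))?'
    r'\s+from\s+(?P<src>.+?)\s+to\s+(?P<dst>.+?)'
    r'(?:\s+port\s*=\s*(?P<port>\S+))?'
    r'(?:\s+label\s+"(?P<label>[^"]*)")?\s*$'
)

# Small service-name map so the audit does not depend on /etc/services.
SERVICE_PORTS = {"http": 80, "https": 443, "ssh": 22}


def parse_rule(line):
    """Return a dict of rule fields, or None if the line is not a rule."""
    m = RULE_RE.match(line.strip())
    if not m:
        return None
    r = m.groupdict()
    p = r["port"]
    if p is not None:
        r["port"] = int(p) if p.isdigit() else SERVICE_PORTS.get(p, p)
    return r


def parse_rules(text):
    return [r for l in text.splitlines() if (r := parse_rule(l))]


def wan_block_coverage(rules, wan_iface):
    """(proto, port) -> {address family -> set of destination addresses}."""
    cov = defaultdict(lambda: defaultdict(set))
    for r in rules:
        if r["action"].startswith("block") and r["iface"] == wan_iface and r["port"] is not None:
            cov[(r["proto"], r["port"])][r["af"] or "any"].add(r["dst"])
    return cov


def missing_families(rules, wan_iface):
    """(proto, port) pairs that are blocked for only one address family."""
    out = {}
    for key, fams in wan_block_coverage(rules, wan_iface).items():
        if "any" in fams:
            continue  # a rule with no af keyword matches both families
        absent = {"inet", "inet6"} - set(fams)
        if absent:
            out[key] = absent
    return out


def dst_not_on_interface(rules, wan_iface, iface_addrs):
    """Block rules on wan_iface whose single-host destination is not one of
    the interface's addresses, i.e. "WAN address" expanded to something else."""
    return [r for r in rules
            if r["action"].startswith("block") and r["iface"] == wan_iface
            and r["dst"] != "any" and r["dst"] not in iface_addrs]


if __name__ == "__main__":
    rules = parse_rules(PFCTL_OUTPUT)
    print("ports blocked for one family only:", missing_families(rules, "pppoe0"))
    for r in dst_not_on_interface(rules, "pppoe0", WAN_ADDRS):
        print(f"{r['af']} {r['proto']}/{r['port']}: destination {r['dst']} is not on pppoe0")
```

Run against a live box with `pfctl -sr | python3 audit.py`-style plumbing by replacing `PFCTL_OUTPUT` with stdin and `WAN_ADDRS` with the addresses from `ifconfig`. In the post's ruleset both families do have a 443 block rule, so the first report is empty; the question the second report answers is whether `2a02:578:x::1` is really the address on `pppoe0`, which is what the poster suspects the GUI got wrong.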
      Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.