Firewall has huge holes in it.



  • Because the IPv6 part of pfSense is just a mess, when using WAN address in the web interface rather than the exact IP, the IPv6 isn't being filtered.

    To me, when you say block both IPv6 and IPv4 TCP 443 and you use the target WAN address, it should block both IPv4 and IPv6; however, it isn't doing that at all, probably because the PHP part doesn't properly catch the IPv6 assigned to the WAN.

    pfctl -sr | grep -i https
    block drop in log quick proto tcp from <webconfiguratorlockout> to any port = https label "webConfiguratorlockout"
    block drop in log quick on pppoe0 reply-to (pppoe0 213.219.132.x) inet proto tcp from ! 212.71.19.x/28 to 212.71.19.x port = https label "USER_RULE"
    block drop in log quick on pppoe0 reply-to (pppoe0 213.219.132.x) inet proto udp from ! 212.71.19.x/28 to 212.71.19.x port = https label "USER_RULE"
    block drop in log quick on pppoe0 reply-to (pppoe0 fe80::207:7dff:fe56:x) inet6 proto tcp from ! 2a02:578:x::/48 to 2a02:578:x::1 port = https label "USER_RULE"
    block drop in log quick on pppoe0 reply-to (pppoe0 fe80::207:7dff:fe56:x) inet6 proto udp from ! 2a02:578:x::/48 to 2a02:578:x::1 port = https label "USER_RULE"
    block drop in log quick on pppoe0 reply-to (pppoe0 213.219.132.x) inet proto tcp from ! 212.71.19.x/28 to 213.219.170.x port = https label "USER_RULE"
    block drop in log quick on pppoe0 reply-to (pppoe0 213.219.132.x) inet proto udp from ! 212.71.19.x/28 to 213.219.170.x port = https label "USER_RULE"

    See, for the LAN it just works.
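The poster's hypothesis is that the inet6 rules are compiled against an address that is not the one actually assigned to the WAN, so a "block" to that address never matches. The audit below is an added example, not code from the post or from pfSense: a POSIX sh/awk script that takes `pfctl -sr` and `ifconfig` output, collects the destinations of the inet6 rules on the WAN interface for a given port, and reports any destination that is not a global IPv6 address currently on that interface. The interface name `pppoe0` comes from the post; the rule text and ifconfig output are constructed samples using documentation prefixes (192.0.2.0/24, 198.51.100.0/24, 2001:db8::/32), not the poster's addresses.

```shell
#!/bin/sh
# Added audit (not from the post, not pfSense code): check that every inet6
# "to" address used by WAN rules for a port is really configured on the WAN.
# A block rule whose destination is not on the interface can never match,
# so the port stays reachable over IPv6 even though the rule looks correct.

WAN_IF="pppoe0"   # interface name taken from the post

# Constructed sample of `pfctl -sr` output. The inet6 rules were compiled
# with 2001:db8:1::1 as the WAN address (constructed mismatch).
SAMPLE_RULES='block drop in log quick on pppoe0 reply-to (pppoe0 192.0.2.1) inet proto tcp from ! 198.51.100.0/28 to 198.51.100.10 port = https label "USER_RULE"
block drop in log quick on pppoe0 reply-to (pppoe0 fe80::1) inet6 proto tcp from ! 2001:db8:1::/48 to 2001:db8:1::1 port = https label "USER_RULE"
block drop in log quick on pppoe0 reply-to (pppoe0 fe80::1) inet6 proto udp from ! 2001:db8:1::/48 to 2001:db8:1::1 port = https label "USER_RULE"'

# Constructed sample of `ifconfig pppoe0` output: the interface actually
# holds 2001:db8:1::2, plus a link-local address that must be ignored.
SAMPLE_IFCONFIG='pppoe0: flags=88d1<UP,POINTOPOINT,RUNNING,NOARP,SIMPLEX,MULTICAST> metric 0 mtu 1492
    inet 192.0.2.1 --> 192.0.2.254 netmask 0xffffffff
    inet6 fe80::1%pppoe0 prefixlen 64 scopeid 0x5
    inet6 2001:db8:1::2 prefixlen 64'

# Print the global (non link-local) IPv6 addresses found in ifconfig output.
iface_global_v6() {
    printf '%s\n' "$1" | awk '$1 == "inet6" && $2 !~ /^fe80:/ { print $2 }'
}

# Print the unique "to" addresses of inet6 rules on interface $2 for port $3.
rule_dst_v6() {
    printf '%s\n' "$1" | awk -v ifc="$2" -v port="$3" '
        $0 ~ ("on " ifc " ") && / inet6 / {
            for (i = 1; i <= NF; i++) {
                if ($i == "to") dst = $(i + 1)
                if ($i == "port" && $(i + 2) == port) print dst
            }
        }' | sort -u
}

# Report each rule destination as ok/MISSING; exit status = number missing.
audit_v6_rules() {
    rules="$1"; ifc_out="$2"; ifc="$3"; port="$4"
    have=$(iface_global_v6 "$ifc_out")
    missing=0
    for dst in $(rule_dst_v6 "$rules" "$ifc" "$port"); do
        if printf '%s\n' "$have" | grep -qx "$dst"; then
            echo "ok      $dst"
        else
            echo "MISSING $dst is not configured on $ifc"
            missing=$((missing + 1))
        fi
    done
    return $missing
}

# On a live box you would feed in "$(pfctl -sr)" and "$(ifconfig $WAN_IF)".
audit_v6_rules "$SAMPLE_RULES" "$SAMPLE_IFCONFIG" "$WAN_IF" https \
    || echo "one or more inet6 rules point at an address that is not on $WAN_IF"
```

With the constructed samples the script prints `MISSING 2001:db8:1::1 is not configured on pppoe0`, which is exactly the condition the poster suspects; if the rules were compiled with the address really on the interface, every line reads `ok`. Run it after each WAN address change, since a dynamic prefix can silently reintroduce the mismatch.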