General IP Protocols - IP Protocol 41 - IPV6, but other questions



  • http://en.wikipedia.org/wiki/List_of_IP_protocol_numbers

    and

    http://www.networkworld.com/article/2232349/cisco-subnet/can-we-block-all-ipv6-tunnels-in-our-enterprise-network-.html

So, I know there is a list of protocols in a dropdown that I can select when creating firewall rules, but what about all the other ones in the list?

    I am thinking this may be a pretty noob question depending on who answers it, but what if I wanted to block any of that stuff?  It is just not going to route by default because… well, because why?

    I was looking to block IP protocol 41 but could not find a way to do it.  Do I need to do this via command line?

    I see that there is an "Enable IPv4 NAT encapsulation of IPv6 packets" under System: Advanced: Networking.

    Thanks.



  • Inbound connections would be blocked anyway. If you want to block outbound connections, you can add a manual outbound NAT rule to block it (check off "do not NAT").



  • How do I match Protocol 41?



  • Put this rule in Snort or Suricata; you'll see if it's on your network.

    alert ip any any -> any any (msg:"IPv6 PROTOCOL Encapsulation"; ip_proto:41; classtype:non-standard-protocol; sid:770041; rev:1;)

    This one can help you identify "non standard" protocols.

    alert ip any any -> any any (msg:"PROTOCOL UDP/TCP/ICMP/IGMP Only"; ip_proto:!6; ip_proto:!17; ip_proto:!2; ip_proto:!1; classtype:policy-violation; sid:9999999; rev:1;)

    F.
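    As an added illustration (not part of the thread), the following Python reproduces what those two rules match by parsing raw IPv4 headers: it flags protocol 41, peeks at the encapsulated IPv6 header to report the inner tunnel endpoints, and reports anything outside TCP/UDP/ICMP/IGMP. The sample packets are constructed inside the script using documentation address ranges; no capture file or live interface is needed.

```python
import struct
from ipaddress import IPv4Address, IPv6Address

# Protocol numbers the second rule above treats as ordinary traffic.
EXPECTED_PROTOS = {1: "icmp", 2: "igmp", 6: "tcp", 17: "udp"}
IPV6_ENCAP = 41  # IPv6-in-IPv4 (6in4) encapsulation, what "proto 41" matches

def parse_ipv4(pkt: bytes) -> dict:
    """Return protocol, outer addresses and payload of a raw IPv4 packet."""
    if len(pkt) < 20:
        raise ValueError("truncated IPv4 header")
    ver_ihl, _, total_len, _, _, _, proto, _, src, dst = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    if ver_ihl >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (ver_ihl & 0x0F) * 4  # header length in bytes
    return {"proto": proto, "src": str(IPv4Address(src)), "dst": str(IPv4Address(dst)),
            "payload": pkt[ihl:total_len]}

def classify(pkt: bytes) -> list:
    """Return the alert messages the two Snort rules above would raise for this packet."""
    hdr = parse_ipv4(pkt)
    alerts = []
    if hdr["proto"] == IPV6_ENCAP:
        msg = "IPv6 PROTOCOL Encapsulation"
        inner = hdr["payload"]
        # A genuine 6in4 tunnel carries an IPv6 header: version nibble 6, 40-byte fixed header.
        if len(inner) >= 40 and inner[0] >> 4 == 6:
            msg += f" inner {IPv6Address(inner[8:24])} -> {IPv6Address(inner[24:40])}"
        alerts.append(msg)
    if hdr["proto"] not in EXPECTED_PROTOS:
        alerts.append("PROTOCOL UDP/TCP/ICMP/IGMP Only")
    return alerts

def build_ipv4(proto: int, src: str, dst: str, payload: bytes) -> bytes:
    """Constructed test packet; header checksum left zero since nothing here verifies it."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0x4000, 64, proto, 0,
                      IPv4Address(src).packed, IPv4Address(dst).packed)
    return hdr + payload

def build_ipv6(src: str, dst: str, payload: bytes) -> bytes:
    """Constructed inner IPv6 packet with next header 59 (no next header)."""
    return struct.pack("!IHBB16s16s", 0x60000000, len(payload), 59, 64,
                       IPv6Address(src).packed, IPv6Address(dst).packed) + payload

SAMPLES = {  # constructed samples; RFC 5737 / RFC 3849 documentation addresses
    "6in4": build_ipv4(41, "192.0.2.10", "198.51.100.1",
                       build_ipv6("2001:db8::1", "2001:db8::2", b"\x00" * 8)),
    "tcp": build_ipv4(6, "192.0.2.10", "198.51.100.1", b"\x00" * 20),
    "gre": build_ipv4(47, "192.0.2.10", "198.51.100.1", b"\x00" * 4),
}
```

    Running `classify()` over each entry of `SAMPLES` gives both alerts for the 6in4 packet, none for TCP, and only the policy-violation alert for GRE.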



  • Okay, I get all that.

    What I do not get is why I cannot specify the protocol in a normal webconfigurator firewall rule?

    proto <protocol>
        This rule applies only to packets of this protocol. Common protocols
        are icmp(4), icmp6(4), tcp(4), and udp(4). For a list of all the
        protocol name to number mappings used by pfctl(8), see the file
        /etc/protocols.

    I mean, pf takes proto as an option and /etc/protocols has a rather large standard list.  Why can I not specify sps/130 in the protocol option?

    Has this just not been implemented or is it expected to do this via command line/manually?

    Why can I not input the number or alias manually with another feature in the web configurator?



  • Did you ever find an answer for this? I am currently blocking protocol 41 on the Cisco router that does our VLAN trunking, but I would like to know if I can do this at the edge on our pfSense appliance.

    Most of what I read prior to CVE-2016-3213 seemed to indicate that Teredo tunneling was safe (counter to what I would have initially thought). Guess I should have trusted my instincts.



  • For those still interested …

    I've just found that you can use other inet protocols by editing the config.xml directly.

    How I've done it:

    • create a rule with protocol PFSYNC (or anyone else) using web interface

    • save rules

    • connect to firewall via ssh

    • edit config.xml with viconfig, find the rule and replace the pfsync protocol with the one you want (from /etc/protocols)

    After reload I've verified that the rule is correctly loaded in the rules table using

    pfctl -sr

    The config change has also been correctly synced by XMLRPC to the second firewall node.

    P.S.
    Don't try to edit that rule in the web interface afterwards or it will reset the protocol to TCP.

