OPNsense Forum

Archive => 16.7 Legacy Series => Topic started by: packet loss on August 10, 2016, 01:28:23 am

Title: IPv6 rules question
Post by: packet loss on August 10, 2016, 01:28:23 am
I haven't spent time examining the entire rules list until today. I expected that there wouldn't be IPv6 rules if I didn't have IPv6 enabled. I see that there are ICMP IPv6 rules that apparently are required for IPv6 but not for IPv4. Is there an easy way to completely remove IPv6 rules?

Edit: Okay so I was looking at my /tmp/rules.debug file and the following rules were listed:

Code:
# block bogon networks (IPv4)
# http://www.cymru.com/Documents/bogon-bn-nonagg.txt
block in log quick on $WAN from <bogons> to any  label "block bogon IPv4 networks from WAN"
# block bogon networks (IPv6)
# http://www.team-cymru.org/Services/Bogons/fullbogons-ipv6.txt
block in log quick on $WAN from <bogonsv6> to any label "block bogon IPv6 networks from WAN"
antispoof log for $WAN
# block anything from private networks on interfaces with the option set
block in log quick on $WAN from 10.0.0.0/8 to any label "Block private networks from WAN block 10/8"
block in log quick on $WAN from 127.0.0.0/8 to any label "Block private networks from WAN block 127/8"
block in log quick on $WAN from 100.64.0.0/10 to any label "Block private networks from WAN block 100.64/10"
block in log quick on $WAN from 172.16.0.0/12 to any label "Block private networks from WAN block 172.16/12"
block in log quick on $WAN from 192.168.0.0/16 to any label "Block private networks from WAN block 192.168/16"
block in log quick on $WAN from fc00::/7 to any label "Block ULA networks from WAN block fc00::/7"

Aren't the 6 rules below the bogons and bogonsv6 table rules redundant? Those 6 rules seem to do exactly what the bogons rules do.

Title: Re: IPv6 rules question
Post by: franco on August 11, 2016, 10:17:46 am
Hi Shane,

IPv6 cannot be completely disabled, but you can set the firewall to drop all IPv6 (except link-local as e.g. Squid requires this for startup). The setting is under Firewall: Settings: Advanced.

ICMPv6 is vital to IPv6, unlike IPv4.

Confusingly, the bogons used in *sense are not normal bogons, they are split into private and non-private addresses. So the <bogons> and <bogonsv6> tables drop all non-private bogons and the other rules the private ones.
Cheers,
Franco
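To see Franco's point concretely, the following added example (not from the thread or the OPNsense project) parses the `block ... from X to any` lines quoted above, substitutes constructed stand-ins for the `<bogons>` and `<bogonsv6>` tables, and reports which rule a source address hits and whether any two rules overlap. With the real split tables the overlap list is expected to be empty, which is why the explicit private-network rules are not redundant.

```python
# Added example: rule-coverage check for the rules quoted from /tmp/rules.debug.
# The table contents below are constructed samples, not the Team Cymru lists.
import ipaddress
import re

RULES_DEBUG = """\
block in log quick on $WAN from <bogons> to any  label "block bogon IPv4 networks from WAN"
block in log quick on $WAN from <bogonsv6> to any label "block bogon IPv6 networks from WAN"
antispoof log for $WAN
block in log quick on $WAN from 10.0.0.0/8 to any label "Block private networks from WAN block 10/8"
block in log quick on $WAN from 127.0.0.0/8 to any label "Block private networks from WAN block 127/8"
block in log quick on $WAN from 100.64.0.0/10 to any label "Block private networks from WAN block 100.64/10"
block in log quick on $WAN from 172.16.0.0/12 to any label "Block private networks from WAN block 172.16/12"
block in log quick on $WAN from 192.168.0.0/16 to any label "Block private networks from WAN block 192.168/16"
block in log quick on $WAN from fc00::/7 to any label "Block ULA networks from WAN block fc00::/7"
"""

# Constructed stand-in for the non-private bogon tables (no RFC 1918 / ULA space).
TABLES = {
    "bogons": ["0.0.0.0/8", "192.0.2.0/24", "240.0.0.0/4"],
    "bogonsv6": ["::/8", "2001:db8::/32"],
}

RULE_RE = re.compile(r'block in log quick on \$WAN from (\S+) to any\s+label "([^"]+)"')


def parse_rules(text=RULES_DEBUG, tables=TABLES):
    """Return [(networks, label)] in rule order; <table> sources are expanded."""
    rules = []
    for src, label in RULE_RE.findall(text):
        names = tables[src.strip("<>")] if src.startswith("<") else [src]
        rules.append(([ipaddress.ip_network(n) for n in names], label))
    return rules


def first_match(rules, addr):
    """Label of the first 'quick' rule matching the source address, or None."""
    ip = ipaddress.ip_address(addr)
    for nets, label in rules:
        if any(ip.version == n.version and ip in n for n in nets):
            return label
    return None


def overlapping(rules):
    """Pairs of rule labels whose networks overlap, i.e. candidate redundancies."""
    pairs = []
    for i, (nets_a, label_a) in enumerate(rules):
        for nets_b, label_b in rules[i + 1:]:
            if any(a.version == b.version and a.overlaps(b) for a in nets_a for b in nets_b):
                pairs.append((label_a, label_b))
    return pairs
```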