DHCPv6 ports open but no service configured

Started by opnsenuser, March 04, 2019, 10:57:18 AM

Hi everyone,
I'm running the latest release 19.1.2...
In pfInfo, tab "Rules", I have some rules that have the following comment at the end: "allow access to DHCPv6 on LAN", but there is no DHCPv6 server active. Is this a bug?

greetings
opnsenuser

I would imagine that by default it will always allow access to its own dhcp servers on the LAN, even if you do not have it running.
OPNsense 24.7 - Qotom Q355G4 - ISP - Squirrel 1Gbps.

Team Rebellion Member

Hi,

Quote from: marjohn56 on March 04, 2019, 07:26:28 PM
I would imagine that by default it will always allow access to its own dhcp servers on the LAN, even if you do not have it running.

Why is there a need for an open port if no service is running?
Firewall ports should only be open if they are required.

Looking in the GitHub repo for the cause... but so far no findings :(

greetings
opnsenuser

It's on the LAN side so not an issue and nothing is listening there anyway. If you feel strongly about it put a rule in to close it, just don't forget you've put it there if ever you need to run a dhcp server.
OPNsense 24.7 - Qotom Q355G4 - ISP - Squirrel 1Gbps.

Team Rebellion Member
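The reply above rests on two checks an administrator can make by hand: which automatic pass rules exist on the LAN interface, and whether anything is actually listening on the ports they open. The script below is an added illustration of that audit and is not from this thread or from the OPNsense project. It parses constructed, simplified samples of `pfctl -sr` rule lines and `sockstat -l` listener lines (the exact rule syntax, interface name `igb1`, and label text are assumptions) and reports pass rules whose destination port has no matching listener, such as the DHCPv6 ports 546/547 discussed here.

```python
import re

# Constructed sample in the style of `pfctl -sr` output (assumption: OPNsense
# writes its automatic rules with a label; the thread quotes the label text
# "allow access to DHCPv6 on LAN"). Not captured from a real firewall.
SAMPLE_RULES = """\
pass in quick on igb1 inet6 proto udp from fe80::/10 to fe80::/10 port = 546 keep state label "allow access to DHCPv6 on LAN"
pass in quick on igb1 inet6 proto udp from fe80::/10 to ff02::/16 port = 547 keep state label "allow access to DHCPv6 on LAN"
pass in quick on igb1 inet proto udp from any port = 68 to any port = 67 keep state label "allow access to DHCP server"
pass in quick on igb1 inet proto tcp from any to (self) port = 443 keep state label "allow access to web GUI"
"""

# Constructed sample in the style of `sockstat -l` (FreeBSD listener table).
# Only an IPv4 DHCP server and the web GUI are listening; no DHCPv6 daemon.
SAMPLE_SOCKSTAT = """\
USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
root     dhcpd      1234  7  udp4   *:67                  *:*
root     lighttpd   2345  4  tcp4   *:443                 *:*
root     lighttpd   2345  5  tcp6   *:443                 *:*
"""

# address family (inet/inet6), protocol, destination port, rule label
RULE_RE = re.compile(
    r'^pass .* (inet6?) proto (tcp|udp) .* to \S+ port = (\d+) .*label "([^"]*)"'
)
# command, protocol, family digit (4/6), local port
LISTEN_RE = re.compile(
    r'^\S+\s+(\S+)\s+\d+\s+\d+\s+(tcp|udp)([46])\s+\S*:(\d+)\s'
)


def parse_pass_rules(text):
    """Return (proto, family, port, label) for every pass rule with a dest port."""
    rules = []
    for line in text.splitlines():
        m = RULE_RE.match(line)
        if m:
            family, proto, port, label = m.groups()
            rules.append((proto, "6" if family == "inet6" else "4", int(port), label))
    return rules


def parse_listeners(text):
    """Return the set of (proto, family, port) tuples that have a listener."""
    listeners = set()
    for line in text.splitlines():
        m = LISTEN_RE.match(line)
        if m:
            _cmd, proto, family, port = m.groups()
            listeners.add((proto, family, int(port)))
    return listeners


def unlistened_pass_rules(rules_text, sockstat_text):
    """Pass rules whose destination port has no process listening on it."""
    listeners = parse_listeners(sockstat_text)
    return [r for r in parse_pass_rules(rules_text)
            if (r[0], r[1], r[2]) not in listeners]


if __name__ == "__main__":
    for proto, family, port, label in unlistened_pass_rules(SAMPLE_RULES, SAMPLE_SOCKSTAT):
        print(f"open but unlistened: {proto}{family} port {port} ({label})")
```

On a real box the two samples would come from `pfctl -sr` and `sockstat -l` on the firewall itself; a rule that shows up in this report is, as the reply says, harmless as long as nothing listens, but it is also the list to consult before deciding whether to add an explicit block rule.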

Hi,
Then the text below the interfaces is wrong: "... Everything that isn't explicitly passed is blocked by default."
That should be valid on every interface, even the LAN. Only if a service on the firewall's interface is active should the required ports be open.
Or am I wrong?

greetings
opnsenuser

If you feel it's an issue then please raise an issue on GitHub.

https://github.com/opnsense/core/issues
OPNsense 24.7 - Qotom Q355G4 - ISP - Squirrel 1Gbps.

Team Rebellion Member


This IPv6 cluster f**k is a REAL pain. How to stop this completely? Same with the built-in firewall in openSUSE distributions: OOTB there is a port open for IPv6 DHCP, although everything (literally, at 3 different places in the configs) related to IPv6 is DISABLED.

Is this an NSA/GCHQ requirement, to have that in each and every software/device running? I don't want protocols I can't control, with devices assigning themselves half a dozen addresses and spamming the network with broadcasts of all kinds until you kill each and every instance on each and every machine. And 3 updates later the same trash is active OOTB again.

Sorry, but...
kind regards
chemlud
____
"The price of reliability is the pursuit of the utmost simplicity."
C.A.R. Hoare

Felix Eichhorn's premium cat food with the extra portion of energy

A router is not a switch - A router is not a switch - A router is not a switch - A rou....