Firewall Rules - IPV6 Protocols filtered out by etc/inc/filter.inc

Started by mb`, May 10, 2020, 09:49:45 PM

I am trying to create a filter to allow packets with ipv6-frag protocol, but I was surprised to see it isn't possible without tinkering.

Looking around, the file /usr/local/etc/inc/filter.inc has this:

    /* IPv6 extension headers are skipped by the packet filter, we cannot police them */
    $ipv6_ext = array('IPV6-ROUTE', 'IPV6-FRAG', 'IPV6-OPTS', 'IPV6-NONXT', 'MOBILITY-HEADER');

I have commented out that line and the new rule created by it works without issue.

Does anyone know why this has been added?

Fragmented packets are typically handled by first reassembling them with a normalization (scrub) rule and then passing them to the actual filter rules. So the filter rules shouldn't have to deal with fragments.

If fragments get blocked, my guess would be that normalization is disabled or the fragments are somehow malformed. Can you share some details about your use case?

Cheers

Maurice
OPNsense virtual machine images
OPNsense aarch64 firmware repository

Commercial support & engineering available. PM for details (en / de).
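To make the two points in this thread concrete (a filter rule keyed on "protocol = ipv6-frag" only sees the fragment header, while the upper-layer protocol is only reliably visible after reassembly), here is an added Python example. It is not code from OPNsense or from either post: it walks an IPv6 extension-header chain the way a packet filter must before it can reach the transport header, and reassembles a fragment set the way a `scrub ... fragment reassemble` rule does. The packets are constructed inline, and all function names are mine.

```python
"""Walk an IPv6 extension-header chain and reassemble fragments.

Added example for the forum thread above; not OPNsense or pf code.
Every packet below is constructed inline for illustration.
"""
import struct

IPV6_HDR_LEN = 40
FRAG, UDP = 44, 17
# Extension headers a filter has to step over before it reaches the transport
# header.  The names are the /etc/protocols spellings used in filter.inc;
# 59 (IPV6-NONXT) means "nothing follows" and is therefore not listed here.
EXT_HDRS = {0: "HOPOPT", 43: "IPV6-ROUTE", 44: "IPV6-FRAG",
            60: "IPV6-OPTS", 135: "MOBILITY-HEADER"}

# Constructed documentation-prefix addresses (2001:db8::1 -> 2001:db8::2).
SRC = bytes.fromhex("20010db8000000000000000000000001")
DST = bytes.fromhex("20010db8000000000000000000000002")


def build_ipv6(next_header, payload, src=SRC, dst=DST, hop_limit=64):
    """Prepend a 40-byte IPv6 base header (version 6, no traffic class/flow)."""
    base = struct.pack("!IHBB16s16s", 0x60000000, len(payload),
                       next_header, hop_limit, src, dst)
    return base + payload


def walk_headers(pkt):
    """Return (extension chain, upper-layer protocol, offset of that header).

    On a non-first fragment the upper-layer protocol is reported as None:
    the fragment header names it, but the transport header itself is absent,
    so nothing beyond "this is a fragment" can be matched on that packet.
    """
    nh, off, chain = pkt[6], IPV6_HDR_LEN, []
    while nh in EXT_HDRS:
        chain.append(nh)
        if nh == FRAG:
            hdr_len = 8                       # fragment header is fixed size
            frag_field = struct.unpack_from("!H", pkt, off + 2)[0]
            if frag_field >> 3 != 0:          # fragment offset != 0
                return chain, None, off + hdr_len
        else:
            hdr_len = (pkt[off + 1] + 1) * 8  # Hdr Ext Len is in 8-octet units, minus 1
        nh = pkt[off]                         # Next Header byte of this extension header
        off += hdr_len
    return chain, nh, off


def reassemble(fragments):
    """Rebuild one datagram from its fragments and drop the fragment header.

    Rejects mixed identifications, missing pieces, and gaps or overlaps
    (overlapping fragments are refused rather than resolved).
    """
    parts, unfrag, ident, last_seen = {}, None, None, False
    for pkt in fragments:
        nh, off, prev_nh_pos = pkt[6], IPV6_HDR_LEN, 6
        while nh != FRAG:                     # locate the fragment header
            if nh not in EXT_HDRS:
                raise ValueError("packet carries no fragment header")
            prev_nh_pos, nh = off, pkt[off]
            off += (pkt[off + 1] + 1) * 8
        frag_nh, _, frag_field, frag_id = struct.unpack_from("!BBHI", pkt, off)
        if ident is None:
            ident = frag_id
        elif frag_id != ident:
            raise ValueError("fragments belong to different datagrams")
        frag_off, more = (frag_field >> 3) * 8, frag_field & 1
        parts[frag_off] = pkt[off + 8:]
        last_seen = last_seen or not more
        if frag_off == 0:
            # Unfragmentable part: base header plus any headers before the
            # fragment header, with the pointer to 44 rewritten to the real
            # upper-layer protocol.
            unfrag = bytearray(pkt[:off])
            unfrag[prev_nh_pos] = frag_nh
    if unfrag is None or not last_seen:
        raise ValueError("incomplete fragment set")
    payload, expected = b"", 0
    for frag_off in sorted(parts):
        if frag_off != expected:
            raise ValueError("gap or overlap in fragments")
        payload += parts[frag_off]
        expected += len(parts[frag_off])
    struct.pack_into("!H", unfrag, 4, len(unfrag) - IPV6_HDR_LEN + len(payload))
    return bytes(unfrag) + payload


def make_fragments():
    """Constructed sample: one UDP datagram to port 53 split into two fragments."""
    data = b"constructed-dns-payload!"                       # 24 bytes
    udp = struct.pack("!HHHH", 40000, 53, 8 + len(data), 0) + data  # 32 bytes
    frags = []
    for off in range(0, len(udp), 16):                       # offsets must be multiples of 8
        more = 1 if off + 16 < len(udp) else 0
        frag_hdr = struct.pack("!BBHI", UDP, 0, ((off // 8) << 3) | more, 0xDEADBEEF)
        frags.append(build_ipv6(FRAG, frag_hdr + udp[off:off + 16]))
    return frags


def describe(pkt):
    chain, upper, _ = walk_headers(pkt)
    names = "/".join(EXT_HDRS[h] for h in chain) or "none"
    return f"ext={names} upper={'unknown (non-first fragment)' if upper is None else upper}"


if __name__ == "__main__":
    frags = make_fragments()
    for f in frags:
        print(describe(f))
    print(describe(reassemble(frags)))
```

Run stand-alone, it reports `ext=IPV6-FRAG upper=17` for the first fragment, `ext=IPV6-FRAG upper=unknown (non-first fragment)` for the second, and `ext=none upper=17` for the reassembled datagram, which is the packet the filter rules actually get to match once normalization has run.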