Automatically generated ICMP rules for IPv6 not passing traffic

Started by rocketraman, April 19, 2023, 01:04:11 AM

Quote from: IsaacFL on April 20, 2023, 10:37:43 PM
The Bogons list includes 8000::/1  I think that includes the FE80

So yes block bogons will block link local.

Oh, you're right! 8000::/1 includes everything 8000 and above! IPv4 has conditioned me to never consider anything less than a /8 on the CIDR.

At least now I know I'm not crazy -- but this seems like a questionable decision on the bogon list. Does anyone know if this has been raised as an issue anywhere else?

Quote from: IsaacFL on April 21, 2023, 12:04:50 AM
I finally decided that you cannot use the Block Bogons for ipv6 as it breaks the protocol.

What I did was create an alias to download the bogons list directly from http://www.team-cymru.org/Services/Bogons/fullbogons-ipv6.txt

Then I created an alias for exclusions for !fe80::/10, !ff00::/8, !::1, and since I use NAT64 also !64:ff9b::/96.  I also use ULA internally, so I have an exclusion for the ULA prefix I am using too.

Then I created another alias for bogons with the exclusions.

Why are you excluding ::1?

Coming in from any real interface? Why of course. It's not a valid source address on any wire.
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)

Quote from: pmhausen on April 22, 2023, 12:30:34 AM
Coming in from any real interface? Why of course. It's not a valid source address on any wire.

Exactly. In this context, excluding `::1` from the bogon list means allowing it i.e. not considering it a bogon. Hence my question.

Quote from: rocketraman on April 21, 2023, 10:34:38 PM
Quote from: IsaacFL on April 21, 2023, 12:04:50 AM
I finally decided that you cannot use the Block Bogons for ipv6 as it breaks the protocol.

What I did was create an alias to download the bogons list directly from http://www.team-cymru.org/Services/Bogons/fullbogons-ipv6.txt

Then I created an alias for exclusions for !fe80::/10, !ff00::/8, !::1, and since I use NAT64 also !64:ff9b::/96.  I also use ULA internally, so I have an exclusion for the ULA prefix I am using too.

Then I created another alias for bogons with the exclusions.

Why are you excluding ::1?

I don't remember but it must have been showing in firewall logs under my bogon block rule so I excluded it?

Quote from: rocketraman on April 22, 2023, 12:47:26 AM
Quote from: pmhausen on April 22, 2023, 12:30:34 AM
Coming in from any real interface? Why of course. It's not a valid source address on any wire.

Exactly. In this context, excluding `::1` from the bogon list means allowing it i.e. not considering it a bogon. Hence my question.

The default deny rule would catch it, but I am questioning it myself now.

Quote from: rocketraman on April 21, 2023, 09:54:35 PM
Quote from: IsaacFL on April 20, 2023, 10:37:43 PM
The Bogons list includes 8000::/1  I think that includes the FE80

So yes block bogons will block link local.

Oh, you're right! 8000::/1 includes everything 8000 and above! IPv4 has conditioned me to never consider anything less than a /8 on the CIDR.

At least now I know I'm not crazy -- but this seems like a questionable decision on the bogon list. Does anyone know if this has been raised as an issue anywhere else?

I question it myself, since it is in the autogenerated rules and you can't override it.  I especially don't understand the ULA prefix, because they are technically allowed to be routed, at least locally. Site-level multicast prefix maybe also, though OPNsense doesn't support that.

Hi,
I found this thread while having similar problems cleaning up our firewall log files of wrongly blocked packets (preparing migration from pfSense to OPNsense Business "OPNsense 23.4-amd64").

We are using

  • Telekom Speedport router which tries to send only DHCP ICMP messages.
    Since the interface is set up for DHCPv6, these packets should be accepted?
  • Fritz!Box Cable Router which checks for other meshed devices.
    Here I try to set up an accept/drop rule without logging.
The problem for both events is that these log lines:

WAN108_Uplink_VDSL_Telekom 2023-06-02T16:05:05 fe80::1 ff02::1 ip Block bogon IPv6 networks from WAN108_Uplink_VDSL_Telekom
WAN110_Uplink_Cable_KD 2023-06-02T16:04:04 [fe80::ca0e:14ff:fe6c:4bcc]:53805 [ff02::1]:53805 udp Block bogon IPv6 networks from WAN110_Uplink_Cable_KD

can only be deactivated by deactivating "Block bogon networks" in addition to "Block private networks" on their interfaces.

  • For the 1st problem, "Block private networks" should already "override"/"whitelist" the private networks?
    Otherwise it's the same problem as in https://forum.opnsense.org/index.php?topic=23733.0
  • For both problems it should somehow be possible to prepend the autogenerated rules with your own rules, but there seems to be no option implemented for this case yet?
Is there some special place for this request? So far I can see this forum seems to be the best one for my version.
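An added example, not code from the thread or from OPNsense: a small Python script that shows which bogon entries swallow a prefix (the point above that 8000::/1 covers fe80::/10), applies the exclusion alias IsaacFL describes, and classifies the two log lines from the last post by their source address. The bogon excerpt and the ULA prefix fd12:3456:789a::/48 are constructed stand-ins.

```python
import ipaddress

# Constructed excerpt in the style of the Team Cymru fullbogons-ipv6 list the thread
# links to; the real list is long and changes daily, so fetch it for real use.
BOGONS = [ipaddress.ip_network(p) for p in ("::/8", "100::/64", "2001:db8::/32", "8000::/1")]

# The exclusions IsaacFL describes: link-local, multicast, loopback, the NAT64 well-known
# prefix, plus a constructed ULA prefix standing in for a site's own.
EXCLUSIONS = [ipaddress.ip_network(p) for p in
              ("fe80::/10", "ff00::/8", "::1/128", "64:ff9b::/96", "fd12:3456:789a::/48")]


def bogons_covering(prefix):
    """Return the bogon entries that fully contain `prefix` (e.g. 8000::/1 covers fe80::/10)."""
    net = ipaddress.ip_network(prefix)
    return [str(b) for b in BOGONS if net.subnet_of(b)]


def strip_port(field):
    """'[fe80::1]:53805' -> 'fe80::1'; a bare address is returned unchanged."""
    return field[1:field.index("]")] if field.startswith("[") else field


def parse_log_line(line):
    """Split a block-log line in the format quoted in the thread into its fields."""
    iface, stamp, src, dst, proto, *rule = line.split()
    return {"iface": iface, "time": stamp, "src": strip_port(src),
            "dst": strip_port(dst), "proto": proto, "rule": " ".join(rule)}


def classify_source(addr):
    """'bogon': the list matches and nothing rescues it; 'excluded': the list matches but
    an exclusion would let it through; 'pass': not on the list at all."""
    ip = ipaddress.ip_address(addr)
    if not any(ip in b for b in BOGONS):
        return "pass"
    return "excluded" if any(ip in e for e in EXCLUSIONS) else "bogon"


def classify_log_line(line):
    """Classify a block-log line by its source address."""
    return classify_source(parse_log_line(line)["src"])


if __name__ == "__main__":
    # Constructed copies of the two log lines quoted in the last post.
    for line in (
        "WAN108_Uplink_VDSL_Telekom 2023-06-02T16:05:05 fe80::1 ff02::1 ip Block bogon IPv6 networks from WAN108_Uplink_VDSL_Telekom",
        "WAN110_Uplink_Cable_KD 2023-06-02T16:04:04 [fe80::ca0e:14ff:fe6c:4bcc]:53805 [ff02::1]:53805 udp Block bogon IPv6 networks from WAN110_Uplink_Cable_KD",
    ):
        print(classify_log_line(line), bogons_covering(parse_log_line(line)["src"] + "/128"), line)
```

Both quoted log lines come out as "excluded": the autogenerated rule blocked them only because 8000::/1 contains fe80::/10, which the manual exclusion alias would let through.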