Author Topic: IPv6 rules question  (Read 3330 times)

packet loss

IPv6 rules question
« on: August 10, 2016, 01:28:23 am »
I haven't spent time examining the entire rules list until today. I expected that there wouldn't be IPv6 rules if I didn't have IPv6 enabled. I see that there are ICMP IPv6 rules that apparently are required for IPv6 but not for IPv4. Is there an easy way to completely remove IPv6 rules?

Edit: Okay so I was looking at my /tmp/rules.debug file and the following rules were listed:

Code:
# block bogon networks (IPv4)
# http://www.cymru.com/Documents/bogon-bn-nonagg.txt
block in log quick on $WAN from <bogons> to any  label "block bogon IPv4 networks from WAN"
# block bogon networks (IPv6)
# http://www.team-cymru.org/Services/Bogons/fullbogons-ipv6.txt
block in log quick on $WAN from <bogonsv6> to any label "block bogon IPv6 networks from WAN"
antispoof log for $WAN
# block anything from private networks on interfaces with the option set
block in log quick on $WAN from 10.0.0.0/8 to any label "Block private networks from WAN block 10/8"
block in log quick on $WAN from 127.0.0.0/8 to any label "Block private networks from WAN block 127/8"
block in log quick on $WAN from 100.64.0.0/10 to any label "Block private networks from WAN block 100.64/10"
block in log quick on $WAN from 172.16.0.0/12 to any label "Block private networks from WAN block 172.16/12"
block in log quick on $WAN from 192.168.0.0/16 to any label "Block private networks from WAN block 192.168/16"
block in log quick on $WAN from fc00::/7 to any label "Block ULA networks from WAN block fc00::/7"

Aren't the 6 rules below the bogons and bogonsv6 table rules redundant? Those 6 rules seem to do exactly what the bogons rules do.
« Last Edit: August 11, 2016, 09:59:35 am by azdps »

franco

Re: IPv6 rules question
« Reply #1 on: August 11, 2016, 10:17:46 am »
Hi Shane,

IPv6 cannot be completely disabled, but you can set the firewall to drop all IPv6 (except link-local as e.g. Squid requires this for startup). The setting is under Firewall: Settings: Advanced.

ICMPv6 is vital to IPv6, unlike IPv4.

Confusingly, the bogons used in *sense are not normal bogons, they are split into private and non-private addresses. So the <bogons> and <bogonsv6> tables drop all non-private bogons and the other rules the private ones.


Cheers,
Franco
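
One way to check the redundancy question from the first post against the explanation in the reply, as an added example that is not part of the thread or of OPNsense: it parses the quoted rules and reports which literal prefixes no table entry covers. The table contents are a constructed sample (assumption); on a live firewall they could be dumped with `pfctl -t bogons -T show`.

```python
import ipaddress
import re

# The rules quoted in the first post (from /tmp/rules.debug), comments omitted.
RULES = """
block in log quick on $WAN from <bogons> to any  label "block bogon IPv4 networks from WAN"
block in log quick on $WAN from <bogonsv6> to any label "block bogon IPv6 networks from WAN"
antispoof log for $WAN
block in log quick on $WAN from 10.0.0.0/8 to any label "Block private networks from WAN block 10/8"
block in log quick on $WAN from 127.0.0.0/8 to any label "Block private networks from WAN block 127/8"
block in log quick on $WAN from 100.64.0.0/10 to any label "Block private networks from WAN block 100.64/10"
block in log quick on $WAN from 172.16.0.0/12 to any label "Block private networks from WAN block 172.16/12"
block in log quick on $WAN from 192.168.0.0/16 to any label "Block private networks from WAN block 192.168/16"
block in log quick on $WAN from fc00::/7 to any label "Block ULA networks from WAN block fc00::/7"
"""

# CONSTRUCTED sample table contents (assumption): a few reserved,
# non-private ranges, following the reply's description of the tables.
SAMPLE_TABLES = {
    "bogons": ["0.0.0.0/8", "192.0.2.0/24", "240.0.0.0/4"],
    "bogonsv6": ["2001:db8::/32"],
}

SRC = re.compile(r"^block in .*? from (\S+) to any")

def sources(rules):
    """Split rule sources into pf table names and literal prefixes."""
    tables, literals = [], []
    for line in rules.splitlines():
        m = SRC.match(line.strip())
        if not m:
            continue  # antispoof, comments, blank lines
        src = m.group(1)
        if src.startswith("<"):
            tables.append(src.strip("<>"))
        else:
            literals.append(ipaddress.ip_network(src))
    return tables, literals

def not_covered(rules, table_contents):
    """Literal prefixes that no entry of the referenced tables contains."""
    tables, literals = sources(rules)
    entries = [ipaddress.ip_network(e)
               for t in tables for e in table_contents.get(t, [])]
    return [str(n) for n in literals
            if not any(n.version == e.version and n.subnet_of(e)
                       for e in entries)]
```

With the sample tables, `not_covered(RULES, SAMPLE_TABLES)` returns all six literal prefixes, meaning none of the explicit rules duplicates a table entry.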