Topic: 1.3b16: IPv6 Firewall Rules don't work anymore  (Read 6057 times)
« on: May 06, 2009, 09:04:27 »
Fraunhofer-Fokus *
Posts: 4

Hello *,

very likely I found a bug in 1.3b16. We are testing the m0n0wall as IPv6 firewall only, using IPv4 just for management access.

In 1.3b15 the following LAN IPv6 rule worked (only this rule is in effect on the LAN interface):
<rule6>
   <type>pass</type>
   <interface>lan</interface>
   <source>
      <address>2001:xxxx:yyyy::/48</address>
   </source>
   <destination>
      <any/>
   </destination>
   <descr>permit any outgoing</descr>
</rule6>

In 1.3b16 all outgoing LAN traffic is blocked; I had to modify the rule so that the source address range is now "any".
<source>
   <any/>
</source>

Seems that filtering according to IPv6 address ranges is broken... I did not test whether this only happens when using IPv6 address ranges in the source specification, or if this also happens when using destination ranges...

Thanks!
« Reply #1 on: May 07, 2009, 16:41:08 »
Fraunhofer-Fokus *
Posts: 4

Hello *,

some more tests revealed that IPv6 rules with network ranges are effectively ignored in 1.3b16, regardless of whether the network range is used in the source or destination field. This behaviour is independent of the action (block or pass).

Rules using "single host" definitions as source or destination DO work, however... Rules using "LAN-network" seem to work as well.

Thanks!
« Reply #2 on: May 12, 2009, 01:43:35 »
brushedmoss ****
Posts: 446

what did your firewall log show?
« Reply #3 on: May 12, 2009, 15:03:53 »
Fraunhofer-Fokus *
Posts: 4

nothing was seen in the firewall log (as if the rule is completely ignored).
« Reply #4 on: May 12, 2009, 22:50:14 »
brushedmoss ****
Posts: 446

can you post the relevant lines from status.php?

i.e. /status.php#ipfstat -6 -nio

and

/status.php#unparsed IPv6 ipfilter rules

and make your addresses anonymous if possible :-)
« Reply #5 on: May 14, 2009, 08:56:04 »
Fraunhofer-Fokus *
Posts: 4

We have these IPv6-firewall definitions in place:

<rule6>
        <type>pass</type>
        <interface>opt1</interface>
        <source>
                  <address>2001:xxxx:yyyy:f000::/52</address>
        </source>
        <destination>
                  <any/>
        </destination>
        <descr/>
</rule6>
<rule6>
        <type>pass</type>
        <interface>opt1</interface>
        <source>
                  <any/>
        </source>
        <destination>
                  <any/>
        </destination>
        <descr/>
</rule6>


In 1.3b15 this translates to (only relevant part is shown):
pass in quick from 2001:xxxx:yyyy:f000::/52 to any keep state group 10300
pass in quick from any to any keep state group 10300


But in 1.3b16 this results in:
pass in quick from any to any keep state group 10300


The same is displayed in the ipfstat -6 -nio lines:

1.3b15:
# Group 10300
@1 pass in quick from 2001:xxxx:yyyy:f000::/52 to any keep state group 10300
@2 pass in quick from any to any keep state group 10300


1.3b16:
# Group 10300
@1 pass in quick from any to any keep state group 10300


As I have described: it seems that lines containing network ranges are just ignored (parsing problem or problem with the subnet range?).

Thanks!
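An added example, not m0n0wall's own code, showing the regression check a firewall operator would want after a report like this: it translates the two `<rule6>` entries from the post above into ipf lines and flags any rule that is missing from the generated ruleset, so a silently dropped range rule is caught before the config goes live. The opt1-to-group-10300 mapping is taken from the post; the documentation prefix 2001:db8::/32 stands in for the anonymised addresses and the translation itself is a simplified assumption, not m0n0wall's real filter generator.

```python
import ipaddress
import xml.etree.ElementTree as ET

# Constructed sample: the two opt1 rules from the post, with 2001:db8:1:f000::/52
# standing in for the anonymised 2001:xxxx:yyyy:f000::/52.
RULES_XML = """<filter6>
<rule6><type>pass</type><interface>opt1</interface>
  <source><address>2001:db8:1:f000::/52</address></source>
  <destination><any/></destination><descr/></rule6>
<rule6><type>pass</type><interface>opt1</interface>
  <source><any/></source>
  <destination><any/></destination><descr/></rule6>
</filter6>"""

# Assumed interface-to-ipf-group mapping; "group 10300" for opt1 comes from the post.
GROUPS = {"opt1": 10300}


def endpoint(node):
    """Render a <source>/<destination> element as an ipf address spec."""
    if node.find("any") is not None:
        return "any"
    addr = node.findtext("address")
    if addr is None:
        raise ValueError("endpoint has neither <any/> nor <address>")
    # Validate and normalise; a malformed prefix raises instead of being dropped.
    net = ipaddress.IPv6Network(addr, strict=False)
    return str(net) if net.prefixlen < 128 else str(net.network_address)


def translate(xml_text):
    """Translate every <rule6> into one ipf line, in config order, never skipping one."""
    lines = []
    for rule in ET.fromstring(xml_text).findall("rule6"):
        action = rule.findtext("type")
        group = GROUPS[rule.findtext("interface")]
        src = endpoint(rule.find("source"))
        dst = endpoint(rule.find("destination"))
        lines.append(f"{action} in quick from {src} to {dst} keep state group {group}")
    return lines


def missing_rules(xml_text, loaded_lines):
    """Regression check: return config rules absent from what ipfstat actually loaded."""
    return [line for line in translate(xml_text) if line not in loaded_lines]


if __name__ == "__main__":
    # What 1.3b16 loaded according to the post: only the "any" rule survived.
    loaded = ["pass in quick from any to any keep state group 10300"]
    for line in missing_rules(RULES_XML, loaded):
        print("DROPPED:", line)
```

Feeding the output of `ipfstat -6 -nio` (with the `@n` prefixes stripped) into `missing_rules` reproduces the dropped /52 rule described above.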
« Reply #6 on: May 16, 2009, 19:42:13 »
Manuel Kasper
Administrator
*****
Posts: 364

This is indeed a bug introduced with 1.3b16 (relating to alias expansion). I've just committed a fix to the repository, and it will be in 1.3b17. Thanks for reporting this issue!