Would that be true even though the log says, "block out" for vether0? I assumed that meant it was exiting vether0 and going into the bridge.
I am planning on trying this out in a VM over the weekend to see if I can replicate it, because it only seems to happen when IPv6 is not set up on any adapters in the system. My current system is in operation as a router right now. I will make instructions as I do it.

-Brian

On Mon, Dec 17, 2018, 7:45 PM Stuart Henderson <[email protected]> wrote:

> On 2018/12/16 19:54, Brian Dicks wrote:
> > Hello,
> >
> > I noticed while configuring rules for PF that my machine is sending router
> > solicitations down the vether0 interface, even though I did not enable
> > inet6 on it. If I run ifconfig, there are no entries for inet6. My setup is
> > as follows:
> >
> > I have re0 (motherboard ethernet), re1 (ethernet card with single port),
> > and re2-re5 (multiport nic). re0, re2, re3, re4, and re5 are bridged with
> > vether0. re1 is used for egress; all others are for an internal network.
> >
> > pf is set to pass all in and out of re0, re2, re3, re4, and re5. PF is set
> > to default deny. There are no rules that are set that allow IPv6 to pass.
> > IPv6 is enabled for the loopback device.
> >
> > Even though vether0 does not have inet6 enabled on it, the system is still
> > sending router solicitations. I get the following in the pflog:
> >
> > block out on vether0: fe80::xxxx:xxxx:xxxx:xxxx > ff02::2: icmp6: router
> > solicitation
> >
> > I replaced the exact LL address with X values, but that address does not
> > appear in ifconfig.
> >
> > I was concerned that this could potentially be a security vulnerability,
> > but I don't have the equipment to test if the solicitation makes it onto
> > the internal network.
> >
> > Thank you,
> > Brian
>
> Seems more likely that it's from some other device on one of your bridged
> ports. Check the MAC address (either decoded from the fe80:: v6 address
> or run tcpdump -e and check it there) against machines on your network.
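The decoding step Stuart suggests only works when the link-local address carries an EUI-64 interface identifier (the MAC with ff:fe inserted in the middle and the universal/local bit flipped). Many current stacks generate random interface identifiers instead, in which case there is nothing to decode and tcpdump -e on the bridged port is the way to see the Ethernet source. The script below is an added example for this thread, not code from either poster: it parses pflog lines of the shape Brian quoted, decodes the MAC where the address is EUI-64, and also computes the expected link-local address for a candidate host's MAC so it can be compared against the log. The sample log lines and the 00:11:22:33:44:55 MAC are constructed.

```python
"""Decode the source MAC from EUI-64 IPv6 link-local addresses seen in pflog.

Added example for this mailing-list thread; not the posters' own code.
The pflog lines and MAC address below are constructed sample data.
"""
import ipaddress
import re
from typing import Dict, Optional

# Matches the "block out on vether0: <src> > <dst>: icmp6: <info>" shape
# of the pflog line quoted in the thread. Assumption: tcpdump's plain
# (non -e) output with ICMPv6, where addresses carry no port suffix.
PFLOG_RE = re.compile(
    r"^(?P<action>\w+) (?P<dir>in|out) on (?P<ifname>[^:]+): "
    r"(?P<src>\S+) > (?P<dst>\S+): (?P<proto>\w+): (?P<info>.*)$"
)

# Constructed sample log: the first source is EUI-64 derived from an
# invented MAC 00:11:22:33:44:55; the second uses a random-looking IID.
SAMPLE_LOG = [
    "block out on vether0: fe80::211:22ff:fe33:4455 > ff02::2: icmp6: router solicitation",
    "block out on vether0: fe80::d4c1:9f0a:3b7e:1122 > ff02::2: icmp6: router solicitation",
]


def eui64_to_mac(addr: str) -> Optional[str]:
    """Return the MAC embedded in an EUI-64 link-local address, else None."""
    ip = ipaddress.IPv6Address(addr)
    if not ip.is_link_local:
        return None
    iid = ip.packed[8:]  # the 64-bit interface identifier
    if iid[3] != 0xFF or iid[4] != 0xFE:
        return None  # not EUI-64 (random/privacy IID); nothing to decode
    mac = bytearray(iid[0:3] + iid[5:8])
    mac[0] ^= 0x02  # undo the universal/local bit flip
    return ":".join(f"{b:02x}" for b in mac)


def mac_to_link_local(mac: str) -> str:
    """Compute the EUI-64 link-local address a host with this MAC would use."""
    b = bytearray(int(x, 16) for x in mac.split(":"))
    if len(b) != 6:
        raise ValueError("expected a 48-bit MAC like 00:11:22:33:44:55")
    b[0] ^= 0x02
    iid = bytes(b[0:3]) + b"\xff\xfe" + bytes(b[3:6])
    return str(ipaddress.IPv6Address(b"\xfe\x80" + b"\x00" * 6 + iid))


def parse_pflog_line(line: str) -> Optional[Dict[str, str]]:
    """Split one pflog/tcpdump line into its fields, or None if unrecognised."""
    m = PFLOG_RE.match(line)
    return m.groupdict() if m else None


def source_macs(lines) -> Dict[str, Optional[str]]:
    """Map each ICMPv6 source address in the log to its decoded MAC (or None)."""
    result: Dict[str, Optional[str]] = {}
    for line in lines:
        rec = parse_pflog_line(line)
        if rec is None or rec["proto"] != "icmp6":
            continue
        result[rec["src"]] = eui64_to_mac(rec["src"])
    return result


if __name__ == "__main__":
    for src, mac in source_macs(SAMPLE_LOG).items():
        print(f"{src} -> {mac or 'not EUI-64; capture with tcpdump -e instead'}")
```

Where eui64_to_mac returns None, capture on the bridged port itself rather than on pflog0, for example `tcpdump -n -e -i re2 icmp6`, so the Ethernet source address is printed alongside the fe80:: address and can be matched against the hosts on that segment.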
