Teri Radichel


Ubiquiti UDM Pro and pfSense — What is sending disallowed traffic (IPv6?)

If the traffic is blocked a number of times then stop sending it

Update: Rebuilt firewall, sent IPv6 traffic to Null route, and disabled all logging on gateways under System > Routes, and it seemed to stop. However, I have not plugged in the UDM Pro since then and don’t plan to until I get a new device.

I’m looking at my logs and there’s constant IPv6 ICMP traffic coming out of the Ubiquiti UDM Pro even though it’s blocked on the network. You would think that a network device would detect if a protocol is not allowed external to it and stop sending it in that case, no?

Same goes for anything on pfSense, Apple, and Microsoft applications.

In addition there are many other ports, protocols and domains that are blocked that the UDM Pro tries to reach out to incessantly. The pfSense is a bit better as it only reaches out periodically for some things but for others it keeps passing the traffic. There seems to be no way anymore to completely turn off IPv6.

Any network device or OS or browser if programmed by people that understand networking should check to see if a protocol, port, domain or IP is blocked and stop sending to it. Perhaps you have a status panel showing what ports, protocols, IPs, or domains are blocked with a “test again” button that will reinitiate whatever was blocked.
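As an added example (not code from the original post or from any vendor), here is the behaviour proposed above as a per-destination gate: after a set number of consecutive failures it stops sending, exposes the suppressed list for a status panel, and offers a manual re-test. The class name, key strings, threshold of 3 and the simulated firewall policy are assumptions made for illustration.

```python
from dataclasses import dataclass, field

@dataclass
class BlockedTrafficGate:
    """Stop sending to a destination after `threshold` consecutive failures."""
    threshold: int = 3
    failures: dict = field(default_factory=dict)  # key -> consecutive failures
    suppressed: set = field(default_factory=set)  # keys no longer attempted

    def record(self, key, ok):
        self.failures[key] = 0 if ok else self.failures.get(key, 0) + 1
        if ok:  # traffic got through, resume normal sending
            self.suppressed.discard(key)
        elif self.failures[key] >= self.threshold:
            self.suppressed.add(key)

    def send(self, key, probe):
        """Return the probe result, or None when the key is suppressed."""
        if key in self.suppressed:
            return None
        ok = probe(key)
        self.record(key, ok)
        return ok

    def test_again(self, key, probe):
        """The "test again" button: one probe even if the key is suppressed."""
        self.suppressed.discard(key)
        return self.send(key, probe)

    def status(self):  # contents of the status panel
        return sorted(self.suppressed)

def demo():
    v6, ntp = "ipv6-icmp ff02::2", "udp/123 192.0.2.10"  # constructed flows
    blocked, attempts = {v6}, []  # constructed stand-in for the firewall policy
    def probe(key):  # a real probe would count a timeout or ICMP error as failure
        attempts.append(key)
        return key not in blocked
    gate = BlockedTrafficGate(threshold=3)
    for _ in range(100):  # 100 send cycles for a blocked and an allowed flow
        gate.send(v6, probe)
        gate.send(ntp, probe)
    before = (attempts.count(v6), attempts.count(ntp), gate.status())
    blocked.clear()  # the administrator later allows the traffic
    retest = gate.test_again(v6, probe)
    return before, retest, gate.status()

if __name__ == "__main__":
    print(demo())
```

Over 100 cycles the blocked flow is attempted only three times while the allowed flow is never interrupted, and a successful re-test clears the suppression.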

I’m looking closer at this traffic and talked to someone who is an expert at one of these companies on the topic. It is not clear to me why this traffic is being generated. I have a very tight network on a newly factory reset pfSense. My localhost has a host-based firewall that blocks IPv6 from getting to the firewall. There is nothing else connected to the firewall at the moment. I turned off every conceivable option including all IPv6 settings, gateways, pingers, IPv6 network protocol services, and anything I could find on the box. It’s still sending a ton of IPv6 traffic repeatedly.

I tried to run lsof on the pfSense and the command is not available, at least from the command line option in the web GUI. I’ll need to look into it more later but I cannot figure out what is sending that traffic so far.

Follow for updates.

Teri Radichel | © 2nd Sight Lab 2024
