General question about IPV6 protocol.

Alain De Vos


Does someone understand the IPv6 protocol?
When I ask how do I configure an IPv6 protocol firewall, I never get any answer.
So the general notion about the IPv6 protocol is: trust your provider fully.
This leads me to believe there is something inherently wrong with the IPv6 protocol or the way it is implemented and understood.
 

Zirias


It seems to be religious indeed, to say the least. Given many consumers don't get public IPv4 addresses from their ISPs any more (reality for years in mobile networks, more and more common with cable and DSL), what do you think now?

At the OP: What exactly is the question? Cause, in a nutshell, you write rules for IPv6 in the same way as you did for IPv4.
 
Alain De Vos


Question was, is IPV6 protocol understandable for a normal human being like me.
If so, it should be easy to give me a good, performant, working, and safe, ipv6 firewall ruleset.
 

Zirias


> Question was, is IPV6 protocol understandable for a normal human being like me.

Although IPv6 is indeed a bit more than just IPv4 with 128 bits, the basic principles are still (roughly) the same, so I don't see why not.

> If so, it should be easy to give me a good, performant, working, and safe, ipv6 firewall ruleset.

This isn't possible with IPv4 and won't be possible with IPv6 either. What will always be possible is to show some examples for specific use cases. For example with pf, you can often use the very same rules, and rules written against interfaces or their attached subnets will automatically apply to both IPv4 and IPv6 unless explicitly using addresses of the one or the other family.
 

obsigna


This is a somewhat religious topic, so this is going to be my sole contribution:
IMHO, a very good writeup from D. J. Bernstein which hits the nail in the center of its head with a deviation of max. a few nanometers. However, he got it a little bit wrong with this statement:

> “The IPv6 designers made a fundamental conceptual mistake: they designed the IPv6 address space as an alternative to the IPv4 address space, rather than an extension to the IPv4 address space.”

This was not a casual mistake, this was on purpose. Whoever sometimes reads boring texts and has a good memory remembers that one of the main principles of the inventors of IPv6 was the Internet Transparency and End-to-End principle -- https://tools.ietf.org/html/rfc4924. Basically this means that there are no opaque barriers like NAT in the middle of the IP traffic, and this led to absurd discussions on how to prevent/subvert/sabotage any kind of NAT64 -- https://tools.ietf.org/html/rfc5902. Bottom line:

> As such, we strongly encourage the community to consider end-to-end
> transparency as a requirement when proposing any solution, whether it
> be based on tunneling or translation or some other technique.
> Solutions can then be compared based on other aspects such as
> scalability and ease of deployment.

See also: Reasons to Move the Network Address Translator - Protocol Translator (NAT-PT) to Historic Status -- https://tools.ietf.org/html/rfc4966

The NAT-PT would have been a quite easy to implement interoperability solution, but no, the IPv6 work group wanted to force everybody to run either dual stack or IPv6 only on any single device.

This end-to-end-transparency dogma hindered interoperability of IPv4 and IPv6 for a very very long time. For example, only with FreeBSD 12 NAT64 or NAT46 (a quite simple interoperability solution) has landed in ipfw(8), more than 20 years after IPv6 became standard.

Now the question still remains, for what would YOU want End-to-End Transparency? What all the trackers want it for is absolutely clear, though. No need to place these complicated, now less and less tolerated cookies on the user's machine. They got this nice unique IPv6 address, the wet dream of Google, Facebook, Twitter, ..., isn’t it. But then, oh no, NAT64 :-D
 
Alain De Vos


On this forum I have found zero IPv6 firewall rulesets.
Maybe an IPv6 firewall is not needed?
Maybe nobody uses an IPv6 firewall?
 

ralphbsz


No, you still need a firewall. With IPv4, most households or small organizations are NATed, meaning inside hosts are not reachable from the outside. With IPv6, if you get a large enough address range, by default all your inside hosts are suddenly reachable. So you still need a firewall to close that off.
 

chrbr


> Maybe nobody uses an ipv6 firewall ?

At least the FreeBSD firewall templates implement a few IPv6 rules. Below is the output of the firewall_type="workstation" setting activated in /etc/rc.conf.
Code:
# ipfw list|grep ipv6
00600 allow ipv6-icmp from :: to ff02::/16
00700 allow ipv6-icmp from fe80::/10 to fe80::/10
00800 allow ipv6-icmp from fe80::/10 to ff02::/16
00900 allow ipv6-icmp from any to any icmp6types 1
01000 allow ipv6-icmp from any to any icmp6types 2,135,136
01600 allow ipv6-icmp from me to any keep-state :default
02200 allow ipv6-icmp from any to any icmp6types 128,129
02400 allow ipv6-icmp from any to any icmp6types 3
 

Zirias


> No, you still need a firewall. With IPv4, most households or small organizations are NATed, meaning inside hosts are not reachable from the outside. With IPv6, if you get a large enough address range, by default all your inside hosts are suddenly reachable. So you still need a firewall to close that off.

Same thing as in the other thread: this is *mostly* true. Still, the purpose of NAT is slightly different in that you try to route as many packets as possible (so e.g. for UDP, it makes sense to let packets from a *different* remote host through when arriving on the same mapped socket), while a typical "connection tracking" firewall (called "keep state" in some configurations) tries to identify individual connections and only allow "answering" packets to pass from the outside.

As for specific firewall rules: The simple "pf" rules you find in the handbook don't even distinguish between IPv4 and IPv6 and will work for both. Of course, the "nat" rule will only apply to IPv4. https://docs.freebsd.org/en_US.ISO8859-1/books/handbook/firewalls-pf.html

There are differences of course, like ICMPv6 has more types and is used for more things, so if you want to filter ICMPv6, you need different rules than with IPv4. Also, there are some concepts IPv4 didn't have, like "link-local" addresses.

The "perfect ruleset" for anyone doesn't exist, as it didn't for IPv4. Simple examples can be a good starting point.
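
Added example, not part of the thread and not any poster's configuration: a pf.conf for a dual-stack workstation showing the two points above, namely that rules without an address family cover IPv4 and IPv6 alike and that ICMPv6 needs its own rules. The interface name `em0` is an assumption; the inbound ICMPv6 types mirror the numeric types in the `ipfw` workstation listing earlier in the thread, plus router advertisements from link-local sources.

```pf
# Added example for a dual-stack workstation (FreeBSD pf).
# Assumption: em0 is a placeholder for the external interface.
ext_if = "em0"

# Inbound ICMPv6 types, matching the ipfw listing in the thread:
#   1 unreach, 2 toobig, 3 timex          (error messages)
#   128 echoreq, 129 echorep              (ping)
#   135 neighbrsol, 136 neighbradv        (neighbor discovery)
icmp6_in = "{ unreach, toobig, timex, echoreq, echorep, neighbrsol, neighbradv }"

### Options first, then normalization, then filter rules
set skip on lo0
scrub in on $ext_if all fragment reassemble

### Default deny, both address families
block log all

### No address family named: this rule matches IPv4 and IPv6.
### pass rules keep state by default, so replies are let back in.
pass out on $ext_if proto { tcp, udp } all

### ICMP differs per family and is written out explicitly
pass out on $ext_if inet  proto icmp  all
pass out on $ext_if inet6 proto icmp6 all

### Neighbor discovery replaces ARP. The advertisement answering an
### outbound solicitation does not match the state that solicitation
### created (it was sent to a multicast address), so it needs its own
### inbound rule. Packet Too Big must pass for path MTU discovery.
pass in on $ext_if inet6 proto icmp6 all icmp6-type $icmp6_in

### Router advertisements (SLAAC) only from link-local routers
pass in on $ext_if inet6 proto icmp6 from fe80::/10 to any icmp6-type routeradv
```

The file can be syntax-checked without loading it using `pfctl -nf /etc/pf.conf`.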
 

vigole


IPv6 itself is not complicated, but its numerical representation is rather cryptic and scary. Also, it's (rather) new.
Hence fewer people are willing to deep dive into the subject, thus there's less written content on the internet.
 

Trihexagonal


Zirias said:
> The "perfect ruleset" for anyone doesn't exist, as it didn't for IPv4. Simple examples can be a good starting point.

Mine is perfect for me and covers IPv6. I just want to Block and it does that nicely:

/etc/pf.conf
### Macro name for external interface
ext_if = "bge0"
netbios_tcp = "{ 22, 23, 25, 80, 110, 111, 123, 512, 513, 514, 515, 6000, 6010 }"
netbios_udp = "{ 123, 512, 513, 514, 515, 5353, 6000, 6010 }"

### Reassemble fragmented packets
scrub in on $ext_if all fragment reassemble

### Default deny everything
block log all

### Pass loopback
set skip on lo0

### Block spooks
antispoof for lo0
antispoof for $ext_if inet
block in from no-route to any
block in from urpf-failed to any
block in quick on $ext_if from any to 255.255.255.255
block in log quick on $ext_if from { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16, 255.255.255.255/32 } to any

### Block all IPv6
block in quick inet6 all
block out quick inet6 all

### Block to and from port 0
block quick proto { tcp, udp } from any port = 0 to any
block quick proto { tcp, udp } from any to any port = 0

### Block specific ports
block in quick log on $ext_if proto tcp from any to any port $netbios_tcp
block in quick log on $ext_if proto udp from any to any port $netbios_udp

### Keep and modulate state of outbound tcp, udp and icmp traffic
pass out on $ext_if proto { tcp, udp, icmp } from any to any modulate state
 

Mjölnir


> Mine is perfect

It's not. Read on.

> for me and covers IPv6. I just want to Block and it does that nicely:
> [...]
> netbios_tcp = "{ 22, 23, 25, 80, 110, 111, 123, 512, 513, 514, 515, 6000, 6010 }"
> netbios_udp = "{ 123, 512, 513, 514, 515, 5353, 6000, 6010 }"

Usually, I'm taking great efforts to follow your advice, priest. Now please be so generous & let's both go reverse:
  1. (minor flaw): rename that list of ports to s/th like dangerousBeaSDs or similar, whatever you like, but not netbios_xxx. I would accept net_bisons_xxx 'cause it's funny, but not netbios, since it's plain wrong.
  2. more importantly, because X11 uses ports 6000-6063 (reserved), and in rare cases even more:
    adjust that 6000, 6010 to be a list 6000-6063 or beyond, e.g. up to 6100.
Thank you in advance, sincerely yours.
 

Trihexagonal


> It's not. Read on.
>
> Usually, I'm taking great efforts to follow your advice, priest. Now please be so generous & let's both go reverse:
>   1. (minor flaw): rename that list of ports to s/th like dangerousBeaSDs or similar, whatever you like, but not netbios_xxx. I would accept net_bisons_xxx 'cause it's funny, but not netbios, since it's plain wrong.
>   2. more importantly, because X11 uses ports 6000-6063 (reserved), and in rare cases even more:
>     adjust that 6000, 6010 to be a list 6000-6063 or beyond, e.g. up to 6100.
> Thank you in advance, sincerely yours.

1. I wrote this more than 10 years ago and believe I'll leave the macro named just like it is.
2. Already blocked.

### Default deny everything
block log all
 