IPv6 block by default?

[zac999]

Hello,
Server - FreeBSD - work as a gateway. On the network interfaces are only set IPv4 address, NAT - IPv4 adn firewall - filter IPv4 packets.
The question is: Will IPv6 traffic from hosts (on LAN side) be block or pass (on the hosts are set IPv4 and IPv6 address)?
Sorry for my english.
Thanks.

 

[SirDice]

Server - FreeBSD - work as a gateway. On the network interfaces are only set IPv4 address, NAT - IPv4 adn firewall - filter IPv4 packets.
The question is: Will IPv6 traffic from hosts (on LAN side) be block or pass (on the hosts are set IPv4 and IPv6 address)?

Just like with IPv4, routing of IPv6 needs to be turned on. For IPv4 there's gateway_enable, for IPv6 there's ipv6_gateway_enable.

If routing for IPv6 is not turned on explicitly it will not be routed (aka forwarded).

If there's no IPv6 address configured only the IPv6 link-local address would be available. Those addresses are only available on the same network segment and cannot be routed. But unless specifically turned on there will be no IPv6 addresses.

 

[junovitch@]

Regarding IPv4 and IPv6 one should understand that both can coexist without any interference. IPv6 packets pass IPv4-only-configured firewalls just as they were not existent.

What makes you think that? A dedicated IPv4 device won't recognize an IPv6 packet and would drop it. Default configuration is generally as an endpoint device which still would drop forwarding packets. You need to explicitly enable forwarding be it IPv4 or IPv6. They are no different in that regard. Generally where they are different is that IPv6 does generate a link-local address that stuff in the local network can talk to.

 

[kpa]

IP level firewall like PF will block all unknown traffic and that includes IPv6 if it's not configured to pass it. IPv6 is transported using exactly the same kind of data packets as is IPv4 and the only difference is in format of the addresses and some minor details like interfaces scope for addresses that doesn't exist for IPv4. You really need to stop jumping to conclusions without actually thinking for a while about how things might be.

Before you have time to bring it up, I'm fully aware of Teredo and the likes and how they can be used to punch holes to IPv4 firewalls and form IPv6 connections that pass all firewall rules. That is however a result of a tunneling technique and even that can be controlled quite easily.

 

[junovitch@]

Firewall or not, if you're dealing with an old OS that does not have IPv6 or something where it was turned off in the kernel, it won't be recognized and can't be passed. As far as the usual OSI model, layer 3 packets are all a bit different between IPv4, IPv6, IPX, Appletalk, etc. Around that the other layers don't care too much. Layer 2 frames use MAC addresses still. Layer 4 TCP/UDP still works the same on IPv4 as it does on IPv6.

 

[kpa]

My reply was to @getopt if it wasn't clear. I just forgot to use quote.