DaemonForums > FreeBSD > FreeBSD Security
#1, 9th June 2008, berlowin: About Firewall for IPv6

Hi guys,

Do you know how to set up a firewall for IPv6 using IPFW?

Or maybe, if you are using another firewall like PF, do you know how
to set it up?

Thanks guys,

I will wait for your replies.
#2, 9th June 2008, anomie

Both ipfw and pf appear to support IPv6 filtering / ICMPv6 messages.

What does your ruleset look like now? Are you running into issues? If you haven't started yet (but you already know IPv6), then the manpages should get you moving in the right direction.
#3, 9th June 2008, berlowin

This is my ruleset with IPFW, but it didn't work out:

ip6fw -q -f flush

cmd6="ip6fw -q add"

$cmd6 deny ipv6-icmp from any to any in via bfe0

Note:
The default rule in my kernel is: allow any any

Why didn't my rule work?

Thanks...

#4, 9th June 2008, anomie

Try to give more information when you're asking for help. How did it "not work out"? Did you see an error that your rule contains invalid syntax? Did the rule get added, but it's not blocking the traffic you expected?

[ Side note: Be sure to read the BUGS section under the ip6fw(8) manpage. ]
#5, 9th June 2008, berlowin

Quote:
Originally Posted by anomie
Did the rule get added, but it's not blocking the traffic you expected?
Yes, this is my problem. Sorry for my bad English. I've already added the rules, but they're not blocking the traffic that I intend them to.
#6, 9th June 2008, anomie

Can you post your full ruleset (in code tags)? One thing I notice is you're not including a rule number. Maybe it is not inserting the rule where you'd expect.

# ip6fw list <-- should do it
#7, 9th June 2008, berlowin

Sorry, it's not my rules' fault but my own fault: I forgot to put in the rule number.

This is my ip6fw list:
00501 deny ipv6-icmp from any to any in
65535 allow ipv6 from any to any

#8, 9th June 2008, anomie

Just so I am clear -- the problem is fixed now, or you are still having the problem?

If that's your ruleset (just two rules), and you are still having the problem, how do you test it? ping6 or what?
#9, 10th June 2008, berlowin

No, the problem is still happening...

I tested it with ping6 from the other host to my gateway, and it didn't respond at all. I can't ping6 my own gateway from the gateway either after the rules have been applied...
10th June 2008, anomie

But you are intending to filter (deny) the ICMPv6 traffic, right? Is this not the behavior you would expect?

To check if the rule is being matched, you can check the packet count with:
# ip6fw show

If you want to allow ping6, then you should not be filtering ICMPv6 traffic.
10th June 2008, berlowin

Yes, the rule is working...

But I only want to block traffic from outside, not inside. My server can't ping6 any host in my network, including itself...

And from the client host, I can't telnet or ssh to my server after the rule was applied...
10th June 2008, anomie

Ok, I think I see what you are saying. When you add that rule, you're not able to ping from that host (to anywhere) any more. But when you remove the rule it is working properly.

Now two things:
  1. You need to open up communication on the loopback interface. (So you will need another rule.)
  2. I don't see a way in ip6fw(8) to allow "stateful" ICMPv6 connections. And, to be honest, I am not an ICMPv6 expert by a long stretch, so maybe I am being silly to think it should exist.

WRT the second point, what I would suggest experimenting with is allowing in ICMPv6 echo replies. e.g.:
Code:
# ip6fw -q add 100 allow ipv6-icmp from any to any in icmptypes 129
I have not tested that rule, so you may need to tweak it. But I hope you can understand what I'm getting at. (See IANA specs for ICMPv6 type descriptions.)
14th June 2008, harisman

A little off topic I guess, but related to IPv6 security.

Practically, is it necessary for a FreeBSD workstation to use IPv6 at this time? (I know that it will be in the next decade.)

I have disabled IPv6 support on my workstation, to disable unused services and strengthen my security.

Is it worth enabling and filtering IPv6 when most of the world still uses IPv4? What is your opinion?
14th June 2008, anomie

@harisman: IMO, it's better to start up a new thread. There are likely many opinions on that topic.

For me (personally) it is more practical to shut off ipv6. I don't have any use for it yet.

@berlowin: What happened to you? Did you solve the issue? Post back on your progress for posterity's sake, please.
17th June 2008, berlowin

@anomie
Sorry, I have been busy since my last post, anomie.
I want to go to my campus now to test the rule that you advised me. It seems that the icmptypes for IPv6 are different from the icmptypes for IPv4.
I have already read your reference.
Thanks for your support, anomie; I will reply soon after I test it on my gateway.
By the way, if you don't mind, may I add your YM address or MSN address?
(if you have one)

@harisman
Yes, I know that IPv6 is not being used in most countries (I thought the same thing as you). But if you have already read the article about IPv6 and what features it offers, maybe you will think twice.
Because technology always develops, and if we can't follow it, it will make us an "old man".
17th June 2008, anomie

Quote:
Originally Posted by berlowin
Thanks for your support anomie, i will reply you soon after i test it on my gateway.
Cool - thanks for following up.

BTW, I do not really use chat clients. It's generally better to just post your questions here on the forums.
18th June 2008, berlowin

Hi anomie,

The rule that you told me about is working, but what I want is icmptypes 128 (not 129)...

Because when I put 129, my gateway can't ping anywhere.

Referring to the IANA specification for ICMPv6 types:
- 128 means echo request
- 129 means echo reply

So the best rule for my gateway is to implement 128.

These are my rules:

cmd6="ip6fw -q add"

$cmd6 check-state
$cmd6 00501 allow ipv6-icmp from 2001::6:111 to any in icmptypes 128 via ed0
$cmd6 00502 deny ipv6-icmp from any to any in icmptypes 128 via ed0

Notes:
The word "me" is not used anymore in IPv6. Do you know why? Because when I changed the word "any" to "me", the rule didn't work.

Last question:
I don't know the rules to block ssh and telnet. I've already done this:
$cmd6 00503 allow tcp from 2001::6:111 to any 22,23 in via ed0

But after I display the ip6fw list, I didn't find the rules for blocking ssh and telnet.

Thanks for your attention.
18th June 2008, anomie

Quote:
Originally Posted by berlowin
The word "me" is not used again in the ipv6. do you know why? because when i changed the word "any" to "me", the rule didn't work.
I don't see the me keyword/alias documented in the ip6fw(8) manpages. It is documented in the ipfw(8) manpages.

Quote:
Originally Posted by berlowin
I don't know the rules to block ssh and telnet. I've already done this:
$cmd6 00503 allow tcp from 2001::6:111 to any 22,23 in via ed0

But after i display the ip6fw list, i didn't find the rules for blocking ssh and telnet.
Is that a typo? Your allow rule is not going to block anything.
18th June 2008, berlowin

Quote:
Originally Posted by anomie
Is that a typo? Your allow rule is not going to block anything.
Sorry, it's not a typo, it was just incomplete. These are the complete rules:

$cmd6 00503 allow tcp from 2001::6:111 to any 22,23 in via ed0
$cmd6 00504 deny tcp from any to any 22,23 in via ed0


And the output of ip6fw list didn't show anything related to ssh and telnet.
18th June 2008, anomie

I don't see anything obviously syntactically wrong with those rules. Some questions are: 1) do those commands to ip6fw cause an error; 2) when you list your ruleset, do you see rule numbers 503 and 504 (instead of looking for ssh/telnet rules)?
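As an added example (not code from the thread or from anyone posting in it), here is the ruleset the discussion converges on, assembled as one sh script: the loopback rule anomie asked for, numbered rules so ip6fw inserts them where expected, ICMPv6 echo requests (type 128) and ssh/telnet allowed only from the admin host, and a deny for everyone else on the external interface. Note that berlowin's first attempt, `deny ipv6-icmp from any to any in`, also drops IPv6 neighbor discovery (which is carried in ICMPv6), which is why ssh and telnet stopped working at the same time; filtering by `icmptypes` avoids that. The interface name ed0 and the address 2001::6:111 are the ones berlowin posted; the rule numbers, variable names and the dry-run mechanism (IP6FW defaults to `echo`, so the script prints each ip6fw command instead of loading it) are my own assumptions. No `check-state` rule is included, since the thread notes that ip6fw(8) documents no stateful matching.

```shell
#!/bin/sh
# Added example: assemble an ip6fw(8) IPv6 ruleset for a gateway.
# The defaults below are assumptions for the demonstration. IP6FW="echo"
# makes this a dry run that prints each ip6fw command line instead of
# running it; set IP6FW="/sbin/ip6fw -q" on a FreeBSD host to load it.
IP6FW="${IP6FW:-echo}"
EXT_IF="${EXT_IF:-ed0}"            # external interface (name from the thread)
ADMIN="${ADMIN:-2001::6:111}"      # trusted admin host (address from the thread)

# Drop the current ruleset so rules are not duplicated on reload.
flush_ruleset() {
    $IP6FW -f flush
}

# Add one rule. The first argument is the rule number: ip6fw matches in
# number order and stops at the first hit, so an allow must be numbered
# below the deny that is meant to catch everything else.
rule() {
    $IP6FW add "$@"
}

build_ruleset() {
    # Loopback must stay open or the host cannot ping6 (or talk to) itself.
    rule 00100 allow ipv6 from any to any via lo0
    # ICMPv6 echo request (type 128) only from the admin host. Other ICMPv6
    # types (neighbor discovery, error messages) are deliberately not touched.
    rule 00501 allow ipv6-icmp from "$ADMIN" to any in icmptypes 128 via "$EXT_IF"
    rule 00502 deny ipv6-icmp from any to any in icmptypes 128 via "$EXT_IF"
    # ssh (22) and telnet (23) only from the admin host, denied from anyone else.
    rule 00503 allow tcp from "$ADMIN" to any 22,23 in via "$EXT_IF"
    rule 00504 deny tcp from any to any 22,23 in via "$EXT_IF"
}

# Full reload: flush, add the rules, then list what the kernel actually holds
# so the rule numbers can be checked against the ones given above.
load_ruleset() {
    flush_ruleset
    build_ruleset
    $IP6FW list
}
```

Run as-is, the script only prints the five `add` lines, which is a convenient way to review the ruleset before loading it. On the gateway, with `IP6FW="/sbin/ip6fw -q"`, `ip6fw list` confirms the rule numbers landed and `ip6fw show` gives the per-rule packet counters anomie points to above, so a rule that is present but never matched shows up immediately.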