About Firewall for IPv6

[berlowin]

Hi Guyz...

Do you know how to set firewall for IPv6 using IPFW?

or may be if you are using another firewall like PF, do you know how
to set it?

Thanks Guyz,

I will wait for your replied soon...
Reply With Quote

[anomie]

Both ipfw and pf appear to support IPv6 filtering / ICMPv6 messages.

What does your ruleset look like now? Are you running into issues? If you haven't started yet (but you already know IPv6), then the manpages should get you moving in the right direction.

[berlowin]

this is my rule set with IPFW but it didn't work out:

ip6fw -q -f flush

cmd6="ip6fw -q add"

$cmd6 deny ipv6-icmp from any to any in via bfe0

Note:
The default rule in my kernel is: allow any any

Why my Rule didn't work?

Thanks...

[anomie]

Try to give more information when you're asking for help. How did it "not work out"? Did you see an error that your rule contains invalid syntax? Did the rule get added, but it's not blocking the traffic you expected?

[ Side note: Be sure to read the BUGS section under the ip6fw(8) manpage. ]

[berlowin]

Quote:

Originally Posted by anomie

Did the rule get added, but it's not blocking the traffic you expected?

YES, this is my problem... Sorry for my Bad English... I've already added the rules, but it's not blocking the traffic that i intend to...

[anomie]

Can you post your full ruleset (in code tags)? One thing I notice is you're not including a rule number. Maybe it is not inserting the rule where you'd expect.

# ip6fw list <-- should do it

[berlowin]

Sorry, it's not my rules fault, but it is my fault, i forgot to put the rule number.

This is my ip6fw list:
00501 deny ipv6-icmp from any to any in
65535 allow ipv6 from any to any

[anomie]

Just so I am clear -- the problem is fixed now, or you are still having the problem?

If that's your ruleset (just two rules), and you are still having the problem, how do you test it? ping6 or what?

[berlowin]

NO...the problem is still working...

I test it with ping6 from the other host to my gateway, and it didn't response anything. I can't ping6 my own gateway from the gateway either after the rules have been applied...

[anomie]

But you are intending to filter (deny) the ICMPv6 traffic, right? Is this not the behavior you would expect?

To check if the rule is being matched, you can check the packet count with:
# ip6fw show

If you want to allow ping6, then you should not be filtering ICMPv6 traffic.

[berlowin]

Yes, the RULE is working...

But, i only want to block traffic from outside, not inside... My server can't ping6 to every host in my network, included ping6 to itself...

And from the client host, can't telnet or ssh to my server after the RULE was applied...

[anomie]

Ok, I think I see what you are saying. When you add that rule, you're not able to ping from that host (to anywhere) any more. But when you remove the rule it is working properly.

Now two things:

1. You need to open up communication on the loopback interface. (So you will need another rule.)
2. I don't see a way in ip6fw(8) to allow "stateful" ICMPv6 connections. And, to be honest, I am not an ICMPv6 expert by a long stretch, so maybe I am being silly to think it should exist.

WRT the second point, what I would suggest experimenting with is allowing in ICMPv6 echo replies. e.g.:

Code:

# ip6fw -q add 100 allow ipv6-icmp from any to any in icmptypes 129

I have not tested that rule, so you may need to tweak it. But I hope you can understand what I'm getting at. (See IANA specs for ICMPv6 type descriptions.)

[harisman]

A little off topic I guess, but related with ipv6 security

Practically, it is necessary for a FreeBSD workstation to use ipv6 at this time? (I know that it will be the next decade).

I have disable ipv6 support on my workstation to disable unused services to strengthen my security .

It is worth enabling and filtering ipv6 since the most of world still uses ipv4? What is your opinion?

[anomie]

@harisman: IMO, it's better to start up a new thread. There are likely many opinions on that topic.

For me (personally) it is more practical to shut off ipv6. I don't have any use for it yet.

@berlowin: What happened to you? Did you solve the issue? Post back on your progress for posterity's sake, please.

[berlowin]

@anomie
Sorry i have been busy since my last post, anomie.
I want to go to my campus now to test the rule that you advice me. It seems that the icmptypes for ipv6 is different from icmptypes ipv4.
I have already read your reference.
Thanks for your support anomie, i will reply you soon after i test it on my gateway.
By the way, if you don't mind, may i add your YM address or MSN address?
(if you have it)

@harisman
Yes i know that ipv6 is not being used in most of the country (i thought same thing like you). But, if you have already read the article about ipv6 and what are the features they offer, may be you will think it twice.
Because technology always develop and develop and if we can't follow it, it will make us an "oldman".

[anomie]

Quote:

Originally Posted by berlowin

Thanks for your support anomie, i will reply you soon after i test it on my gateway.

Cool - thanks for following up.

BTW, I do not really use chat clients. It's generally better to just post your questions here on the forums.

[berlowin]

Hi anomie,

The rule that you have told me is working, but what i want is icmptypes 128 (not 129)...

Because when I put 129, my gateway can't ping to anywhere.

Referred to IANA specification for icmptypes in IPv6:
- 128 means echo request
- 129 means echo reply

So, the best rule for my gateway is to implement 128.

This is my Rules:

cmd6="ip6fw -q add"

$cmd6 check-state
$cmd6 00501 allow ipv6-icmp from 2001::6:111 to any in icmptypes 128 via ed0
$cmd6 00502 deny ipv6-icmp from any to any in icmptypes 128 via ed0

Notes:
The word "me" is not used again in the ipv6. do you know why? because when i changed the word "any" to "me", the rule didn't work.

LAst question:
I don't know the rules to block ssh and telnet. I've already done this:
$cmd6 00503 allow tcp from 2001::6:111 to any 22,23 in via ed0

But after i display the ip6fw list, i didn't find the rules for blocking ssh and telnet.

Thanks for your attention.

[anomie]

Quote:

Originally Posted by berlowin

The word "me" is not used again in the ipv6. do you know why? because when i changed the word "any" to "me", the rule didn't work.

I don't see the me keyword/alias documented in the ip6fw(8) manpages. It is documented in the ipfw(8) manpages.

Quote:

Originally Posted by berlowin

I don't know the rules to block ssh and telnet. I've already done this:
$cmd6 00503 allow tcp from 2001::6:111 to any 22,23 in via ed0

But after i display the ip6fw list, i didn't find the rules for blocking ssh and telnet.

Is that a typo? Your allow rule is not going to block anything.

[berlowin]

Quote:

Originally Posted by anomie

Is that a typo? Your allow rule is not going to block anything.

Sorry, it's not typo but not completed. this is the complete rules:

$cmd6 00503 allow tcp from 2001::6:111 to any 22,23 in via ed0
$cmd6 00504 deny tcp from any to any 22,23 in via ed0

And the output of ip6fw list didn't show anything related to ssh and telnet.

[anomie]

I don't see anything obviously syntactically wrong with those rules. Some questions are: 1) do those commands to ip6fw cause an error; 2) when you list your ruleset, do you see rule numbers 503 and 504 (instead of looking for ssh/telnet rules)?