Hurricane Electric's IPv6 Tunnel Broker Forums

General IPv6 Topics => IPv6 Basics & Questions & General Chatter => Topic started by: bartgrefte on July 22, 2011, 01:37:46 PM

Title: Firewall necessary with IPv6?
Post by: bartgrefte on July 22, 2011, 01:37:46 PM
Hi :)

I've had a HE tunnel for a while now, the tunnel starts/ends in my pfSense router (used this (http://www.xaero.org/index.php/archive/configuring-a-6tin4-tunnel-on-the-pfsense-firewall/) howto) and all clients (XP/7/Kubuntu, haven't tried my Android phone yet) are able to use it.

Now, from a security point of view, would it be wise to install firewalls on the clients? This because (as far as I understand it) the tunnel goes straight through the firewall of the router. The firewalls on the Windows clients are disabled. Kinda stopped using firewall software after I got a router and the firewalls (used NIS back then) stopped giving reports about people trying to break in. So figured, why not disable/remove them? But that was before I got IPv6.

So that brings me to this question: If it is wise to have a firewall when using an IPv6 tunnel, which software (something like ESET's Smart Security) fully supports IPv6? I haven't been able to find an up-to-date list about that...

With regards,

Bart Grefte
Title: Re: Firewall necessary with IPv6?
Post by: jrocha on July 22, 2011, 01:58:20 PM
It is always a good idea to have a firewall somewhere along the line. The best way to think about it is.....take your IPv4 best-practices and apply them to IPv6.

I'd recommend setting up the firewall properly on your router. The tunnel itself will go through your IPv4 firewall, which is the correct behavior. You should be applying firewall rules to your tunnel interface, though, so that traffic is properly firewalled.
Title: Re: Firewall necessary with IPv6?
Post by: cconn on July 22, 2011, 02:08:34 PM
Yes, it's a good idea to have a firewall.  Not because a HE tunnel somehow magically traverses your pfSense router, but the fact that IPv6 offers end-to-end connectivity, meaning that your devices behind your pfSense are directly reachable from the untrusted and dangerous Internet.  Your first line of defense should be a firewall in your pfSense that is IPv6-aware, and your second line of defense should be the OS-integrated firewall.

If you disabled your Windows firewalls and have no stateful means for IPv6 on your pfSense box, you can therefore assume that your Windows machines are exposed to any or whatever flaws they may have from the Internet.

Does the IPv6 version of pfSense (it's in beta, no?) offer some sort of stateful firewalling?
Title: Re: Firewall necessary with IPv6?
Post by: johnpoz on July 22, 2011, 07:09:50 PM
Yes the pfsense using IPv6 has a full IPV6 firewall -- which is an advantage of having the tunnel endpoint at your router vs some box inside it.

If he ran through the guide on the pfsense forums, then the firewall is in place.  Easy enough to test with the ipv6 port scanner on HE site or
http://www.subnetonline.com/pages/ipv6-network-tools/online-ipv6-port-scanner.php

As you can see I disabled ssh, and then I enabled it

edit: I followed the link he posted to the guide, that is QUITE OLD!!!  And I would not suggest you use that, ipv6 has been fully integrated into the 2.1 line of pfsense and very easy to add or just download the ipv6 iso that already have it integrated.

Here is the link to the IPv6 section of the pfSense forum:
http://forum.pfsense.org/index.php/topic,32549.0.html

And here is direct link to ipv6 guide for pfsense - http://iserv.nl/files/pfsense/ipv6/

Which upon checking is outdated as well, I will get with him to get that updated.  You can download IPv6 iso here http://files.pfsense.org/jimp/ipv6/

Title: Re: Firewall necessary with IPv6?
Post by: bartgrefte on July 23, 2011, 01:35:44 AM
Quote from: jrocha on July 22, 2011, 01:58:20 PM
It is always a good idea to have a firewall somewhere along the line. The best way to think about it is.....take your IPv4 best-practices and apply them to IPv6.

I'd recommend setting up the firewall properly on your router. The tunnel itself will go through your IPv4 firewall, which is the correct behavior. You should be applying firewall rules to your tunnel interface, though, so that traffic is properly firewalled.
Quote from: cconn on July 22, 2011, 02:08:34 PM
Yes, it's a good idea to have a firewall.  Not because a HE tunnel somehow magically traverses your pfSense router, but the fact that IPv6 offers end-to-end connectivity, meaning that your devices behind your pfSense are directly reachable from the untrusted and dangerous Internet.  Your first line of defense should be a firewall in your pfSense that is IPv6-aware, and your second line of defense should be the OS-integrated firewall.

If you disabled your Windows firewalls and have no stateful means for IPv6 on your pfSense box, you can therefore assume that your Windows machines are exposed to any or whatever flaws they may have from the Internet.

Does the IPv6 version of pfSense (it's in beta, no?) offer some sort of stateful firewalling?
Okay. Then how can I get an IPv6 firewall in a version of pfSense that does not even support IPv6?

The version that supports IPv6, 2.1, is still beta. 2.0 is not even finished yet so it will be a while before 2.1 gets released.

Quote from: johnpoz on July 22, 2011, 07:09:50 PM
Yes the pfsense using IPv6 has a full IPV6 firewall -- which is an advantage of having the tunnel endpoint at your router vs some box inside it.

If he ran through the guide on the pfsense forums, then the firewall is in place.  Easy enough to test with the ipv6 port scanner on HE site or
http://www.subnetonline.com/pages/ipv6-network-tools/online-ipv6-port-scanner.php

As you can see I disabled ssh, and then I enabled it

edit: I followed the link he posted to the guide, that is QUITE OLD!!!  And I would not suggest you use that, ipv6 has been fully integrated into the 2.1 line of pfsense and very easy to add or just download the ipv6 iso that already have it integrated.

Here is the link to the IPv6 section of the pfSense forum:
http://forum.pfsense.org/index.php/topic,32549.0.html

And here is direct link to ipv6 guide for pfsense - http://iserv.nl/files/pfsense/ipv6/

Which upon checking is outdated as well, I will get with him to get that updated.  You can download IPv6 iso here http://files.pfsense.org/jimp/ipv6/


pfSense 2.1 is not even close to being finished, 2.0 also hasn't been finished. The version I use right now (1.2.3) is stable.



Isn't there any way to use firewalls on the clients? I'm still looking but it's hard to find any info about firewall software that support IPv6.
Wanting to use firewalls on the clients is because I am thinking about ditching pfSense (actually I should say FreeBSD) because of the lack of support for 802.11n and because the FreeBSD Atheros driver is not working too well in G-mode, so figuring out how to use pfSense as IPv6 firewall won't do any good if I'm gonna ditch it. Haven't been able to find an alternative though. Maybe IPFire.
Title: Re: Firewall necessary with IPv6?
Post by: jrocha on July 23, 2011, 11:33:43 AM
Quote from: bartgrefte on July 23, 2011, 01:35:44 AM
Okay. Then how can I get an IPv6 firewall in a version of pfSense that does not even support IPv6?

The version that supports IPv6, 2.1, is still beta. 2.0 is not even finished yet so it will be a while before 2.1 gets released.

I'd highly recommend upgrading to the 2.0RC3 release. It's quite stable, and should be the last RC before 2.0 stable anyway. There are patches for 2.0 that you can apply for IPv6. Look around on the IPv6 pfsense board: http://forum.pfsense.org/index.php/board,52.0.html
Title: Re: Firewall necessary with IPv6?
Post by: Quill on July 23, 2011, 07:53:05 PM
If you want to use a client side firewall for the Windows platform, for Windows 7, I seriously suggest using the built-in offering, as it has, in my opinion, the best IPv6 support of any of the current free firewalls.  Other than that, the best free firewalls that will work on XP and 7, with reasonable IPv6 support are:

Outpost Security Suite FREE (http://free.agnitum.com/)
Comodo Firewall (http://personalfirewall.comodo.com/free-download.html)

These are both suites but most of the bits you may not want can be disabled. With Comodo firewall, the IPv6 support is getting there, but ICMPv6 filtering is still a bit broken.

If you want to pay for a firewall, then I'd suggest Look 'n' Stop (http://www.looknstop.com/). There are others, such as Zone Alarm, but the IPv6 support, last time I looked, was pretty poor.

Failing that, buy a cheap home router and put something like Tomato (http://tomatousb.org/) or dd-wrt (http://www.dd-wrt.com/) on it.
Title: Re: Firewall necessary with IPv6?
Post by: cconn on July 24, 2011, 08:01:24 AM

Quote from: Quill on July 23, 2011, 07:53:05 PM
Failing that, buy a cheap home router and put something like Tomato (http://tomatousb.org/) or dd-wrt (http://www.dd-wrt.com/) on it.

OpenWrt in the trunk or rc5 builds have stateful IPv6 firewall, I use it and it's quite good.  It filters ICMP "correctly" if that is your thing, however deals properly with PMTU and fragmentation etc. from default settings.
Title: Re: Firewall necessary with IPv6?
Post by: bartgrefte on July 25, 2011, 03:46:43 AM
Quote from: jrocha on July 23, 2011, 11:33:43 AM
Quote from: bartgrefte on July 23, 2011, 01:35:44 AM
Okay. Then how can I get an IPv6 firewall in a version of pfSense that does not even support IPv6?

The version that supports IPv6, 2.1, is still beta. 2.0 is not even finished yet so it will be a while before 2.1 gets released.

I'd highly recommend upgrading to the 2.0RC3 release. It's quite stable, and should be the last RC before 2.0 stable anyway. There are patches for 2.0 that you can apply for IPv6. Look around on the IPv6 pfsense board: http://forum.pfsense.org/index.php/board,52.0.html
Like I already said, why try it if I am gonna ditch pfSense anyway?

Quote from: Quill on July 23, 2011, 07:53:05 PM
If you want to use a client side firewall for the Windows platform, for Windows 7, I seriously suggest using the built-in offering, as it has, in my opinion, the best IPv6 support of any of the current free firewalls.  Other than that, the best free firewalls that will work on XP and 7, with reasonable IPv6 support are:

Outpost Security Suite FREE (http://free.agnitum.com/)
Comodo Firewall (http://personalfirewall.comodo.com/free-download.html)

These are both suites but most of the bits you may not want can be disabled. With Comodo firewall, the IPv6 support is getting there, but ICMPv6 filtering is still a bit broken.

If you want to pay for a firewall, then I'd suggest Look 'n' Stop (http://www.looknstop.com/). There are others, such as Zone Alarm, but the IPv6 support, last time I looked, was pretty poor.
Okay, then I'll enable the built-in on 7, that leaves XP.
Hmm, define reasonable. Don't tell me there are still no client side firewalls that fully support IPv6?

If you don't look at the price of the firewall, even if it is a few 1000 $/€, which one has the best IPv6 support at this time?

Quote from: Quill on July 23, 2011, 07:53:05 PM
Failing that, buy a cheap home router and put something like Tomato (http://tomatousb.org/) or dd-wrt (http://www.dd-wrt.com/) on it.
Why should I buy a cheap home router while I have a mini-ITX system doing that?
(Plus I would probably run into the lack of high enough throughput like I had with the router I had before the mini-ITX system, the Asus 500g Deluxe couldn't go above 25Mb.)
Title: Re: Firewall necessary with IPv6?
Post by: johnpoz on July 26, 2011, 06:42:31 AM
"pfSense 2.1 is not even close to being finished, 2.0 also hasn't been finished. The version I use right now (1.2.3) is stable."

So you were ok with running some commands off some non-pfSense site to enable IPv6, but you're not ok using their RC and supported code line for IPv6 support? :rolleyes:

As to ditching it because of lack of support, have you tried the 2.0 line? It's in RC and should be released fairly soon.  Which is why they moved the IPv6 to the 2.1 line because they are getting closer to release of 2.0.

As to firewall on your clients if that is how you want to do it, not what I would do for sure.  But yes the Windows 7 built-in firewall is IPv6.
Title: Re: Firewall necessary with IPv6?
Post by: bartgrefte on July 29, 2011, 01:06:24 AM
Guess I am :P

It's because of the lack of support for the 802.11n standard in the underlying OS (FreeBSD), not because of IPv6 just in case you were wondering. The makers of pfSense can't do anything about that. Only the makers of FreeBSD drivers can and even if they managed to get the drivers to support 802.11n, I would have to wait for the updated kernel to be placed in pfSense. Which could take some time too.
And then there's the "stuck beacon"-bug. So it would be a lot easier and faster to switch to a Linux based alternative.

Anyway, as for the firewall, I installed ESET's Smart Security v4 yesterday. According to the support division of ESET there is full IPv6 support in it. However that particular feature is nowhere to be found on their website except in one place in the manual. As far as I can see the support is indeed there, it detects the IPv6 connections that the browser makes (but places them under the Smart Security process ???).
Title: Re: Firewall necessary with IPv6?
Post by: UltraZero on August 08, 2011, 01:10:32 PM
Re: firewall

The question would be in the same mind of asking if a firewall is needed for IPv4..

Given not everyone is running IPv6, but I can assure you there are some folks out there that have access to it and can and will start to cause problems with IPv6 as time progresses.

That being said.  Last I remember, Dlink  (My favorite company, LOL NOT..) is starting to ship IPv6 products.  they are similar to the older products that exist.  Example. DLINK DIR-655 Extreme.

This unit is now IPv6 compatible

http://www.dlink.com/ipv6 is a list of IPv6 compatibility concerns that the DLINK covers.

Be advised.  I have had some weird history with DLINK products.  Usually, I get about 2 to 3 years out of a unit, then, it dies and I have to get a new one. Not too bad considering by that time, something new comes out and I am kinda forced to get an upgrade.  (Works for me.)

Now.  I have an older version of the DIR-655.  I use it only to connect my wireless machines only.  I don't use any of the firewall functions of the unit. I am running IPv4/IPv6 over the unit without a problem.  My firewall is in front of this unit.  Anyway...  Currently, there are several options you can use to achieve a firewall for your network.

Title: Re: Firewall necessary with IPv6?
Post by: antillie on September 12, 2011, 06:19:55 PM
The short answer is yes. You do need a firewall for your IPv6 traffic for pretty much the same reasons you need one for IPv4 traffic. As cconn mentioned one of the cheaper options is to pick up a compatible consumer router and throw DD-WRT (http://www.dd-wrt.com/site/support/router-database) on it. DD-WRT will happily do IPv6 firewall tasks all day and has an awful lot of other cool features to play with. Being Linux based it is also highly customizable and quite stable.

pfSense is also quite good if you happen to have an old PC sitting around that you can turn into a router box. I haven't played with IPv6 on it but its IPv4 capabilities are very nice and easy to figure out. Probably easier than DD-WRT.

If this is for business use and/or you have some money to throw around I would recommend a Cisco ASA (http://www.cisco.com/en/US/products/ps6120/prod_models_comparison.html#~mid-range) firewall. Particularly the 5505 as it makes for an awesome home firewall/router/VPN thingy. Just keep in mind that an ASA cannot terminate a 6in4 tunnel to Hurricane Electric so this solution is really for people with a bit more network infrastructure and IOS knowledge than a typical home user.

At the moment IPv6 is mostly limited to early adopters and tinkerers. So you don't see the massive amounts of malicious crap on the IPv6 internet that you see on the IPv4 one. Obviously it won't stay this way much longer as more and more people adopt IPv6.
Title: Re: Firewall necessary with IPv6?
Post by: snarked on September 13, 2011, 10:52:27 AM
A firewall is definitely needed.  For some reason, I've picked up 5 sources that think that my server is their personal "ping toy."  Needless to say, I now block ALL traffic from such abusers.
Title: Re: Firewall necessary with IPv6?
Post by: Mangix on September 17, 2011, 05:57:14 PM
Quote from: antillie on September 12, 2011, 06:19:55 PM
DD-WRT will happily do IPv6 firewall tasks all day and has an awful lot of other cool features to play with. Being Linux based it is also highly customizable and quite stable.
unless you have a build that has ip6tables on it, no. and afaik none of the builds have ip6tables installed.
Title: Re: Firewall necessary with IPv6?
Post by: antillie on September 18, 2011, 09:23:30 AM
You can always install it you know. ;)
Title: Re: Firewall necessary with IPv6?
Post by: pcreager on September 23, 2011, 09:39:17 PM
Quote from: Mangix on September 17, 2011, 05:57:14 PM
... and afaik none of the builds have ip6tables installed.

Ubuntu UFW (which is just a front-end for iptables), as well as Ubuntu itself, supports IPv6 just fine.
Title: Re: Firewall necessary with IPv6?
Post by: lobotiger on September 24, 2011, 05:04:39 PM
FTR, I've been running pfsense with the ipv6 support train since April of this year and it has been working flawlessly with the HE tunnel.  You definitely need some kind of firewall support on the router/firewall and it doesn't hurt to have it on the desktop as well.

LoboTiger
Title: Re: Firewall necessary with IPv6?
Post by: pcreager on September 26, 2011, 09:03:58 PM
My IPv6 enabled website is just for fun, but I do keep an eye on it, mainly for educational purposes.  Before today, ALL of the probes/scans/hack attempts have been from IPv4 addresses.  Today I banned my first IPv6 address (from China of course)

# ufw deny from 2001:250:3c00:1062:224:e8ff:fe40:da50/128
Rule added (v6)
Title: Re: Firewall necessary with IPv6?
Post by: kasperd on November 04, 2011, 03:08:08 PM
Quote from: snarked on September 13, 2011, 10:52:27 AM
I've picked up 5 sources that think that my server is their personal "ping toy."
I can't figure out if you are another one of those people who thinks that all ICMP packets are evil, and block them whenever you see one, or if you actually experienced some abuse.

Responding to an echo request with an echo reply is a mandatory part of IPv6, and some protocols rely on this, most notably Teredo can't communicate with a host that doesn't respond to echo request. If you block the request, you'll never know if it was part of legitimate traffic.

A constant flow of say one small echo request per second may be unusual, but if you feel that amount of traffic will have a negative impact on your systems performance, then you are doing something wrong. Blocking traffic based on such small numbers is going to cause you more problems than it solves.

There is a huge margin between the normal amount of echo requests, and the amount it takes to slow down a system. Since you didn't mention any actual numbers, I can only guess at which of the two the actual number was closest to.
Title: Re: Firewall necessary with IPv6?
Post by: snarked on November 05, 2011, 04:46:47 PM
I have no problem with infrequent and irregular manual pinging to test connectivity.  I also don't have a problem with pings where it's required for some functionality on my site.  I do have a problem with others pinging me every 30 seconds or less when such is not necessary for my software to function, especially when I see no other packets from these sources at all.  It is the latter case (cf. "ping toy") which I now actually block in my firewall - and I'm not blocking just ICMP6 but all packets from them.  There is a point where it's not functionality but abuse, and they crossed that line.

I concluded such by having traced their activity (hits) in my firewall as per its logs over a week's time before I took action.  At first, I banned their packets (ICMP6 administratively prohibited).  They kept pinging away.  Currently, I drop all packets from them (escalated to the IPv6 /32 level from more precise subnets).  There are only 1,440 minutes in a day, and when I accumulate several thousand pings per day per source, that's abuse crystally clear.
Title: Re: Firewall necessary with IPv6?
Post by: johnrobert on November 29, 2011, 12:06:45 AM
With IPV6 it is simply a program designed to make computer safe and are listening for busy ports on it which can provide the hacker a way in. Those which are always connected to the internet via cable connection are more vulnerable than those that are connected via  dial-up telephone modem. However, they are not totally free from the risk of intrusion. When they are online the risk is the same as those that are always connected. Thus basic firewall protection makes good sense for all which are connected to the internet.
Title: Re: Firewall necessary with IPv6?
Post by: kasperd on November 29, 2011, 05:32:06 AM
Quote from: snarked on November 05, 2011, 04:46:47 PM
I do have a problem with others pinging me every 30 seconds or less when such is not necessary for my software to function
Why would you even notice an echo request every 30 seconds? My computer can handle 100 echo requests per second without a problem.
Title: Re: Firewall necessary with IPv6?
Post by: snarked on November 29, 2011, 11:56:04 AM
I noticed because I designed my co-located server's firewall in a manner not only to permit desired or deny undesired traffic but also to account how much traffic of each type passes through.  Those attempting exploits (e.g. TCP packets with both SYN and FIN set) are treated in a hostile manner, either by the firewall itself or by the applications.  So, when I see my ping related rule counter skyrocket, I know someone's ping-flooding me.
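
The per-source accounting discussed in the last few posts (echo request counts per day, sources that send nothing but pings, TCP packets with both SYN and FIN set), worked through as an added example that is not part of the thread or any poster's own firewall configuration. It assumes ISO-timestamped log lines with netfilter LOG-style KEY=VALUE fields, groups sources by /64, and uses a hypothetical limit of 1,440 echo requests per day; every log line is constructed and uses documentation-prefix addresses.

```python
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed log shape: ISO timestamp, then netfilter LOG-style KEY=VALUE fields.
FIELD = re.compile(r"(\w+)=(\S*)")
PINGS_PER_DAY_LIMIT = 1440  # hypothetical limit: one echo request per minute


def parse(line):
    """Return (time, source /64, kind); kind is 'echo', 'synfin' or 'other'."""
    stamp, rest = line.split(" ", 1)
    fields = dict(FIELD.findall(rest))
    tokens = rest.split()
    net = ipaddress.ip_network(fields["SRC"] + "/64", strict=False)
    if fields.get("PROTO") == "ICMPv6" and fields.get("TYPE") == "128":
        kind = "echo"  # ICMPv6 type 128 is echo request
    elif fields.get("PROTO") == "TCP" and "SYN" in tokens and "FIN" in tokens:
        kind = "synfin"  # a flag combination no legitimate TCP stack sends
    else:
        kind = "other"
    return datetime.fromisoformat(stamp), str(net), kind


def analyse(lines):
    """Count packet kinds per source prefix and report the abusive ones."""
    counts = defaultdict(lambda: defaultdict(int))
    seen = {}
    for line in lines:
        when, net, kind = parse(line)
        counts[net][kind] += 1
        first, last = seen.get(net, (when, when))
        seen[net] = (min(first, when), max(last, when))
    report = {}
    for net, c in counts.items():
        first, last = seen[net]
        # Floor the window at one day so a short burst is not extrapolated.
        days = max((last - first).total_seconds() / 86400, 1.0)
        per_day = c["echo"] / days
        if c["synfin"]:
            report[net] = "SYN+FIN probe"
        elif per_day > PINGS_PER_DAY_LIMIT and c["other"] == 0:
            report[net] = f"ping-only source, {per_day:.0f} echo requests/day"
    return report


def constructed_log():
    """Constructed sample: one day of traffic from three made-up sources."""
    start = datetime(2011, 11, 5)
    icmp = "{} IN=eth0 OUT= SRC={} DST=2001:db8:1::1 LEN=104 TC=0 HOPLIMIT=55 PROTO=ICMPv6 TYPE=128 CODE=0"
    tcp = "{} IN=eth0 OUT= SRC={} DST=2001:db8:1::1 LEN=60 PROTO=TCP SPT=40000 DPT=80 RES=0x00 {} URGP=0"
    lines = []
    for i in range(2880):  # an echo request every 30 seconds, nothing else
        lines.append(icmp.format((start + timedelta(seconds=30 * i)).isoformat(), "2001:db8:aaaa:1::5"))
    for i in range(6):  # a monitoring host: a few pings plus ordinary web traffic
        t = (start + timedelta(hours=4 * i)).isoformat()
        lines.append(icmp.format(t, "2001:db8:bbbb:2::9"))
        lines.append(tcp.format(t, "2001:db8:bbbb:2::9", "SYN"))
    lines.append(tcp.format(start.isoformat(), "2001:db8:cccc:3::7", "SYN FIN"))
    return lines


if __name__ == "__main__":
    print(analyse(constructed_log()))
```

The source that pings occasionally and also sends ordinary traffic is not reported, so a rule set built from this output keeps answering echo requests for everyone else.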