Welcome to Hurricane Electric's IPv6 Tunnel Broker Forums.

What do I need to filter out to run a properly configured router?

Started by Kizaki, December 08, 2008, 10:20:48 AM


Kizaki

Hi,

What do I need to filter out to have a properly configured router? 

For example, the default configuration on this site for a tunnel is to route ::/0 to Hurricane Electric. One of the RFCs I read states that 2000::/3 is for global addresses. Would it hurt anything if I routed 2000::/3 to Hurricane Electric rather than ::/0? I presume this would filter out any addresses that are supposed to be private and not routed on the Internet.

My second question has to do with site-local addresses. They are supposed to be deprecated. I don't know why they deprecated them. Site-local addresses are great for autoconfiguration, especially for the DNS servers. Would it hurt anything if I use them anyway?

The problem is that radvd does not assign DNS servers, even with the DNS setting in the config. Windows by default assigns fec0:0:0:ffff::1-3 for the DNS settings. I simply put one of those addresses on my router running the tunnel and loaded up BIND. Thanks to the site-local address, I didn't have to configure the DNS addresses on every computer, and I don't need DHCPv6. All the nodes on all three of my subnets find that site-local address without a problem.

I also read in several places that Windows XP cannot resolve DNS through IPv6. It seems to be working on my systems. All DNS requests are going through to my DNS server over IPv6, even if the request is for an IPv4-only site. It's rare that I see any IPv4 DNS packets on my network now.

My final question has to do with ip6tables. Is there anything I need to filter other than source-routed packets? Mind you, I do not want a firewall. I want my network to be as open as possible. (Sorry, but I am not as paranoid as most network admins. Keeping up with security updates and turning off unused services has never failed me, yet.) If I have to, I configure firewalls on the individual computers, not routers. What I want to filter are malformed packets and anything that violates any IPv6 standards. Basically, a packet insanity check.

This is what I have on my ip6tables so far.  If you guys have any suggestions, please let me know. 


root@kizakinet:~# ip6tables -vnL
Chain INPUT (policy ACCEPT 84858 packets, 8293K bytes)
pkts bytes target     prot opt in     out     source               destination
    0     0 DROP       all      *      *       ::/0                 ::/0               rt type:0

Chain FORWARD (policy ACCEPT 349K packets, 182M bytes)
pkts bytes target     prot opt in     out     source               destination
    0     0 DROP       all      *      *       ::/0                 ::/0               rt type:0

Chain OUTPUT (policy ACCEPT 97210 packets, 14M bytes)
pkts bytes target     prot opt in     out     source               destination
    0     0 DROP       all      *      *       ::/0                 ::/0               rt type:0
root@kizakinet:~#
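As an added example (mine, not Kizaki's ruleset above), here is a "sanity only" ip6tables script in the spirit of what the post asks for: the policy stays ACCEPT on every chain, and the rules only drop type 0 routing headers, source addresses that can never legitimately arrive from the tunnel side, non-global sources leaving through the tunnel, and packets conntrack cannot parse. The interface name sit1 and the "own prefix" 2001:db8::/32 are placeholders (2001:db8::/32 is the documentation range), not values from the thread; set WAN_IF and MY_PREFIX to yours. Without APPLY=1 the script only prints the commands it would run.

```sh
#!/bin/sh
# Added example, not from the thread: "packet sanity" rules for an IPv6 tunnel
# router. The default policy stays ACCEPT; only clearly bogus traffic is dropped.
# Assumptions (edit for your box): the tunnel interface is sit1, and the routed
# prefix is 2001:db8::/32, which is the RFC 3849 documentation range used here
# only as a placeholder.
WAN_IF="${WAN_IF:-sit1}"
MY_PREFIX="${MY_PREFIX:-2001:db8::/32}"

# Run ip6tables, or just print the command when DRY_RUN is set.
ip6t() {
    if [ -n "${DRY_RUN:-}" ]; then
        echo "ip6tables $*"
    else
        ip6tables "$@"
    fi
}

ip6_sanity_rules() {
    # 1. Type 0 routing headers (deprecated by RFC 5095): drop in every chain.
    for chain in INPUT FORWARD OUTPUT; do
        ip6t -A "$chain" -m rt --rt-type 0 -j DROP
    done

    # 2. Sources that can never legitimately arrive from the tunnel side.
    ip6t -A FORWARD -i "$WAN_IF" -s ::/128       -j DROP   # unspecified
    ip6t -A FORWARD -i "$WAN_IF" -s ::1/128      -j DROP   # loopback
    ip6t -A FORWARD -i "$WAN_IF" -s fe80::/10    -j DROP   # link-local
    ip6t -A FORWARD -i "$WAN_IF" -s fec0::/10    -j DROP   # site-local (deprecated)
    ip6t -A FORWARD -i "$WAN_IF" -s fc00::/7     -j DROP   # unique local
    ip6t -A FORWARD -i "$WAN_IF" -s "$MY_PREFIX" -j DROP   # our own prefix, spoofed

    # 3. A multicast address is never a valid source, on any interface.
    ip6t -A FORWARD -s ff00::/8 -j DROP
    ip6t -A INPUT   -s ff00::/8 -j DROP

    # 4. Only global unicast sources may leave through the tunnel
    #    (the filtering counterpart of routing just 2000::/3 to the broker).
    ip6t -A FORWARD -o "$WAN_IF" ! -s 2000::/3 -j DROP

    # 5. Packets whose headers conntrack cannot parse are marked INVALID.
    ip6t -A FORWARD -m conntrack --ctstate INVALID -j DROP
}

# Preview the commands unless APPLY=1 is given; applying them needs root.
[ -n "${APPLY:-}" ] || DRY_RUN=1
ip6_sanity_rules
```

Because the policy is left at ACCEPT, nothing here touches ICMPv6, which is deliberate: Neighbor Discovery and Packet Too Big messages have to get through for IPv6 to work at all, so if a DROP policy is ever added later, explicit ACCEPT rules for those ICMPv6 types must come first. Run with APPLY=1 as root to install the rules; the rest of the time it is a safe preview.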

ericj

Quote from: Kizaki on December 08, 2008, 10:20:48 AM
What do I need to filter out to have a properly configured router? 

For example, the default configuration on this site for a tunnel is to route ::/0 to Hurricane Electric. One of the RFCs I read states that 2000::/3 is for global addresses. Would it hurt anything if I routed 2000::/3 to Hurricane Electric rather than ::/0? I presume this would filter out any addresses that are supposed to be private and not routed on the Internet.

Routing either ::/0 or 2000::/3 should work fine. Using 2000::/3 would filter out the private address ranges, so I would recommend using that.

Quote from: Kizaki on December 08, 2008, 10:20:48 AM
My second question has to do with site-local addresses. They are supposed to be deprecated. I don't know why they deprecated them. Site-local addresses are great for autoconfiguration, especially for the DNS servers. Would it hurt anything if I use them anyway?

The problem is that radvd does not assign DNS servers, even with the DNS setting in the config. Windows by default assigns fec0:0:0:ffff::1-3 for the DNS settings. I simply put one of those addresses on my router running the tunnel and loaded up BIND. Thanks to the site-local address, I didn't have to configure the DNS addresses on every computer, and I don't need DHCPv6. All the nodes on all three of my subnets find that site-local address without a problem.

It probably won't hurt to use them, but you should probably try to avoid using them, if just to keep your network to spec. Use unique local addressing if you can. If stateless autoconfiguration doesn't meet your needs, I suggest using DHCPv6 or a static configuration.

Still, I don't see your use of site local addresses ever becoming a problem, so it's up to you.
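To make the ::/0 versus 2000::/3 point concrete, here is an added example (mine, not ericj's or Kizaki's) that classifies a few destinations by the allocations the first 16 bits of an IPv6 address already decide, and shows which of them a 2000::/3 tunnel route would carry. The sample addresses are constructed; fec0:0:0:ffff::1 is the Windows default DNS address mentioned in the thread, and 2001:db8::1 is from the documentation prefix. Nothing is installed, the script only reasons about prefixes.

```sh
#!/bin/sh
# Added example, not from the thread: classify IPv6 addresses by the
# allocations that the first 16 bits already decide, and show which of them
# a 2000::/3 tunnel route would carry compared with ::/0. Nothing is
# installed; this only reasons about prefixes.

# First hextet of an address as a decimal number ("::1" -> 0, "fec0::1" -> 65216).
first_hextet() {
    h=${1%%:*}
    [ -n "$h" ] || h=0            # a leading "::" means the first group is zero
    printf '%d\n' "0x$h"
}

# Address type from the leading bits (RFC 4291 allocations).
ipv6_scope() {
    v=$(first_hextet "$1")
    if   [ "$v" -eq 0 ];                          then echo "reserved ::/8 (includes :: and ::1)"
    elif [ $(( v & 0xe000 )) -eq $(( 0x2000 )) ]; then echo "global unicast (2000::/3)"
    elif [ $(( v & 0xfe00 )) -eq $(( 0xfc00 )) ]; then echo "unique local (fc00::/7)"
    elif [ $(( v & 0xffc0 )) -eq $(( 0xfe80 )) ]; then echo "link-local (fe80::/10)"
    elif [ $(( v & 0xffc0 )) -eq $(( 0xfec0 )) ]; then echo "site-local (fec0::/10, deprecated by RFC 3879)"
    elif [ $(( v & 0xff00 )) -eq $(( 0xff00 )) ]; then echo "multicast (ff00::/8)"
    else                                               echo "reserved/unassigned"
    fi
}

# Would a 2000::/3 route toward the tunnel match this destination?
# (A ::/0 default route matches everything, so it needs no check.)
via_2000_3() {
    v=$(first_hextet "$1")
    if [ $(( v & 0xe000 )) -eq $(( 0x2000 )) ]; then echo yes; else echo no; fi
}

# Constructed sample destinations: fec0:0:0:ffff::1 is the Windows default
# DNS address from the thread, 2001:db8::1 is in the documentation prefix.
SAMPLES="2001:db8::1 fec0:0:0:ffff::1 fd00::1 fe80::1 ff02::1 ::1 3fff::1"

printf '%-20s %-6s %-9s %s\n' destination '::/0' '2000::/3' type
for a in $SAMPLES; do
    printf '%-20s %-6s %-9s %s\n' "$a" yes "$(via_2000_3 "$a")" "$(ipv6_scope "$a")"
done
```

The table shows the trade-off in the two answers above: with ::/0 the site-local DNS address, ULA and link-local destinations would all be handed to the tunnel, while with 2000::/3 they have no route, so the router answers the sender with an ICMPv6 "no route to destination" instead of leaking the packet. The route is still a coarse filter: 2001:db8::/32 and every other unallocated block inside 2000::/3 (3fff::1 in the sample) match it just the same, so a route cannot replace a source-address check on the tunnel interface.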