• Welcome to Hurricane Electric's IPv6 Tunnel Broker Forums.

Firewall necessary with IPv6?

Started by bartgrefte, July 22, 2011, 01:37:46 PM

Previous topic - Next topic

antillie

You can always install it you know. ;)

pcreager

Quote from: Mangix on September 17, 2011, 05:57:14 PM... and afaik none of the builds have ip6tables installed.

Ubuntu UFW (which is just a front-end for iptables), as well as Ubuntu itself, supports IPv6 just fine.

lobotiger

FTR, I've been running pfsense with the ipv6 support train since April of this year and it has been working flawlessly with the HE tunnel.  You definitely need some kind of firewall support on the router/firewall and it doesn't hurt to have it on the desktop as well.

LoboTiger

pcreager

My IPv6 enabled website is just for fun, but I do keep an eye on it, mainly for educational purposes.  Before today, ALL of the probes/scans/hack attempts have been from IPv4 addresses.  Today I banned my first IPv6 address (from China of course)

# ufw deny from 2001:250:3c00:1062:224:e8ff:fe40:da50/128
Rule added (v6)

kasperd

Quote from: snarked on September 13, 2011, 10:52:27 AMI've picked up 5 sources that think that my server is their personal "ping toy."
I can't figure out if you are another one of those people who thinks that all ICMP packets are evil, and block them whenever you see one, or if you actually experienced some abuse.

Responding to an echo request with an echo reply is a mandatory part of IPv6, and some protocols rely on this, most notably Teredo can't communicate with a host that doesn't respond to echo request. If you block the request, you'll never know if it was part of legitimate traffic.

A constant flow of say one small echo request per second may be unusual, but if you feel that amount of traffic will have a negative impact on your systems performance, then you are doing something wrong. Blocking traffic based on such small numbers is going to cause you more problems than it solves.

There is a huge margin between the normal amount of echo requests, and the amount it takes to slow down a system. Since you didn't mention any actual numbers, I can only guess at which of the two the actual number was closest to.

snarked

I have no problem with infrequent and irregular manual pinging to test connectivity.  I also don't have a problem with pings where it's required for some functionality on my site.  I do have a problem with others pinging me every 30 seconds or less when such is not necessary for my software to function, especially when I see no other packets from these sources at all.  It is the latter case (cf. "ping toy") which I now actually block in my firewall - and I'm not blocking just ICMP6 but all packets from them.  There is a point where it's not functionality but abuse, and they crossed that line.

I concluded such by having traced their activity (hits) in my firewall as per its logs over a week's time before I took action.  At first, I banned their packets (ICMP6 adminstratively prohibited).  They kept pinging away.  Currently, I drop all packets from them (escalated to the IPv6 /32 level from more precise subnets).  There are only 1,440 minutes in a day, and when I accumulate several thousand pings per day per source, that's abuse crystally clear.

johnrobert

#21
With IPV6 it is simply a program designed to make computer safe and are listening for busy ports on it which can provide the hacker a way in. Those which are always connected to the internet via cable connection are more vulnerable than those that are connected via  dial-up telephone modem. However, they are not totally free from the risk of intrusion. When they are online the risk is the same as those that are always connected. Thus basic firewall protection makes good sense for all which are connected to the internet.
Managed Hosting

kasperd

Quote from: snarked on November 05, 2011, 04:46:47 PMI do have a problem with others pinging me every 30 seconds or less when such is not necessary for my software to function
Why would you even notice an echo request every 30 seconds? My computer can handle 100 echo requests per second without a problem.

snarked

I noticed because I designed my co-located server's firewall in a manner not only to permit desired or deny undesired traffic but also to account how much traffic of each type passes through.  Those attempting exploits (e.g. TCP packets with both SYN and FIN set) are treated in a hostile manner, either by the firewall itself or by the applications.  So, when I see my ping related rule counter skyrocket, I know someone's ping-flooding me.