Welcome to Hurricane Electric's Tunnelbroker.net forums!
Started by bartgrefte, July 22, 2011, 01:37:46 PM
Quote from: jrocha on July 22, 2011, 01:58:20 PM
It is always a good idea to have a firewall somewhere along the line. The best way to think about it is... take your IPv4 best-practices and apply them to IPv6.

I'd recommend setting up the firewall properly on your router. The tunnel itself will go through your IPv4 firewall, which is the correct behavior. You should be applying firewall rules to your tunnel interface, though, so that traffic is properly firewalled.

Quote from: cconn on July 22, 2011, 02:08:34 PM
Yes, it's a good idea to have a firewall. Not because a HE tunnel somehow magically traverses your pfSense router, but because of the fact that IPv6 offers end-to-end connectivity, meaning that your devices behind your pfSense are directly reachable from the untrusted and dangerous Internet. Your first line of defense should be a firewall in your pfSense that is IPv6-aware, and your second line of defense should be the OS-integrated firewall.

If you disabled your Windows firewalls and have no stateful means for IPv6 on your pfSense box, you can therefore assume that your Windows machines are exposed to any or whatever flaws they may have from the Internet.

Does the IPv6 version of pfSense (it's in beta, no?) offer some sort of stateful firewalling?

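To illustrate cconn's point above, that hosts behind the router are directly reachable over IPv6 once their own firewall is off, here is an added example (not part of any post in this thread) that reads Windows `netstat -an` output and lists the TCP listeners a global IPv6 address would expose if nothing filters inbound traffic. The sample output, its 2001:db8:: documentation addresses and the function name are constructed for illustration.

```python
import ipaddress
import re

# IPv6 global unicast space; link-local (fe80::/10) and loopback (::1) fall outside it.
GLOBAL_UNICAST = ipaddress.ip_network("2000::/3")

# Constructed sample of Windows `netstat -an` output (not taken from the thread).
SAMPLE_NETSTAT = """\
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    [::]:445               [::]:0                 LISTENING
  TCP    [::1]:49152            [::]:0                 LISTENING
  TCP    [fe80::1c2d:3e4f:5a6b:7c8d%11]:5357  [::]:0   LISTENING
  TCP    [2001:db8:1f0a:2::10]:3389  [::]:0            LISTENING
  TCP    [2001:db8:1f0a:2::10]:50321  [2001:db8:ffff::5]:443  ESTABLISHED
"""

# Local address in brackets (optional %zone), port, foreign address, LISTENING state.
LISTEN_RE = re.compile(
    r"^\s*TCP\s+\[([0-9A-Fa-f:.]+)(?:%\w+)?\]:(\d+)\s+\S+\s+LISTENING\s*$"
)


def exposed_ipv6_listeners(netstat_text):
    """Return sorted (address, port) pairs for TCP listeners that are reachable
    over a global IPv6 address when no firewall filters inbound traffic."""
    exposed = set()
    for line in netstat_text.splitlines():
        match = LISTEN_RE.match(line)
        if not match:
            continue  # IPv4 sockets, established connections, headers
        addr = ipaddress.IPv6Address(match.group(1))
        port = int(match.group(2))
        # "::" is the wildcard bind: the service answers on every address the
        # host holds, including any global address routed through the tunnel.
        if addr.is_unspecified or addr in GLOBAL_UNICAST:
            exposed.add((str(addr), port))
    return sorted(exposed)


if __name__ == "__main__":
    for addr, port in exposed_ipv6_listeners(SAMPLE_NETSTAT):
        print(f"reachable over global IPv6 unless filtered: [{addr}]:{port}")
```

Anything this reports needs either an inbound rule on the router's tunnel interface or the host firewall in front of it; a wildcard listener only matters once the host actually holds a global address.
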
Quote from: johnpoz on July 22, 2011, 07:09:50 PM
Yes, pfSense with IPv6 has a full IPv6 firewall -- which is an advantage of having the tunnel endpoint at your router vs. some box inside it.

If he ran through the guide on the pfSense forums, then the firewall is in place. Easy enough to test with the IPv6 port scanner on the HE site or http://www.subnetonline.com/pages/ipv6-network-tools/online-ipv6-port-scanner.php

As you can see, I disabled ssh, and then I enabled it.

edit: I followed the link he posted to the guide, that is QUITE OLD!!! And I would not suggest you use that. IPv6 has been fully integrated into the 2.1 line of pfSense and is very easy to add, or just download the IPv6 ISO that already has it integrated.

Here is the link to the IPv6 section of the pfSense forum:
http://forum.pfsense.org/index.php/topic,32549.0.html

And here is a direct link to the IPv6 guide for pfSense - http://iserv.nl/files/pfsense/ipv6/

Which upon checking is outdated as well; I will get with him to get that updated. You can download the IPv6 ISO here: http://files.pfsense.org/jimp/ipv6/

Quote from: bartgrefte on July 23, 2011, 01:35:44 AM
Okay. Then how can I get an IPv6 firewall in a version of pfSense that does not even support IPv6?

The version that supports IPv6, 2.1, is still beta. 2.0 is not even finished yet, so it will be a while before 2.1 gets released.

Quote from: jrocha on July 23, 2011, 11:33:43 AM
Quote from: bartgrefte on July 23, 2011, 01:35:44 AM
Okay. Then how can I get an IPv6 firewall in a version of pfSense that does not even support IPv6? The version that supports IPv6, 2.1, is still beta. 2.0 is not even finished yet, so it will be a while before 2.1 gets released.

I'd highly recommend upgrading to the 2.0RC3 release. It's quite stable, and should be the last RC before 2.0 stable anyway. There are patches for 2.0 that you can apply for IPv6. Look around on the IPv6 pfSense board: http://forum.pfsense.org/index.php/board,52.0.html

Quote from: Quill on July 23, 2011, 07:53:05 PM
If you want to use a client-side firewall for the Windows platform, for Windows 7, I seriously suggest using the built-in offering, as it has, in my opinion, the best IPv6 support of any of the current free firewalls. Other than that, the best free firewalls that will work on XP and 7, with reasonable IPv6 support, are:

Outpost Security Suite FREE
Comodo Firewall

These are both suites, but most of the bits you may not want can be disabled. With Comodo Firewall, the IPv6 support is getting there, but ICMPv6 filtering is still a bit broken.

If you want to pay for a firewall, then I'd suggest Look 'n' Stop. There are others, such as Zone Alarm, but the IPv6 support, last time I looked, was pretty poor.

Quote from: Quill on July 23, 2011, 07:53:05 PM
Failing that, buy a cheap home router and put something like Tomato or dd-wrt on it.

Quote from: antillie on September 12, 2011, 06:19:55 PM
DD-WRT will happily do IPv6 firewall tasks all day and has an awful lot of other cool features to play with. Being Linux-based, it is also highly customizable and quite stable.