Welcome to Hurricane Electric's IPv6 Tunnel Broker Forums.

Firewall necessary with IPv6?

Started by bartgrefte, July 22, 2011, 01:37:46 PM


bartgrefte

Hi :)

I've had a HE tunnel for a while now, the tunnel starts/ends in my pfSense router (used this howto) and all clients (XP/7/Kubuntu, haven't tried my Android phone yet) are able to use it.

Now, from a security point of view, would it be wise to install firewalls on the clients? This because (as far as I understand it) the tunnel goes straight through the firewall of the router. The firewalls on the Windows clients are disabled. Kinda stopped using firewall software after I got a router and the firewalls (used NIS back then) stopped giving reports about people trying to break in. So figured, why not disable/remove them? But that was before I got IPv6.

So that brings me to this question: If it is wise to have a firewall when using an IPv6 tunnel, which software (something like ESET's Smart Security) fully supports IPv6? I haven't been able to find an up-to-date list about that...

With regards,

Bart Grefte

jrocha

It is always a good idea to have a firewall somewhere along the line. The best way to think about it is... take your IPv4 best practices and apply them to IPv6.

I'd recommend setting up the firewall properly on your router. The tunnel itself will go through your IPv4 firewall, which is the correct behavior. You should be applying firewall rules to your tunnel interface, though, so that traffic is properly firewalled.

cconn

Yes, it's a good idea to have a firewall. Not because a HE tunnel somehow magically traverses your pfSense router, but the fact that IPv6 offers end-to-end connectivity, meaning that your devices behind your pfSense are directly reachable from the untrusted and dangerous Internet. Your first line of defense should be a firewall in your pfSense that is IPv6-aware, and your second line of defense should be the OS-integrated firewall.

If you disabled your Windows firewalls and have no stateful means for IPv6 on your pfSense box, you can therefore assume that your Windows machines are exposed to any or whatever flaws they may have from the Internet.

Does the IPv6 version of pfSense (it's in beta, no?) offer some sort of stateful firewalling?

johnpoz

Yes, pfSense with IPv6 has a full IPv6 firewall, which is an advantage of having the tunnel endpoint at your router vs. some box inside it.

If he ran through the guide on the pfSense forums, then the firewall is in place. Easy enough to test with the IPv6 port scanner on the HE site or
http://www.subnetonline.com/pages/ipv6-network-tools/online-ipv6-port-scanner.php

As you can see I disabled ssh, and then I enabled it

Edit: I followed the link he posted to the guide; that is QUITE OLD!!! And I would not suggest you use that. IPv6 has been fully integrated into the 2.1 line of pfSense and is very easy to add, or just download the IPv6 ISO that already has it integrated.

Here is a link to the IPv6 thread on the pfSense forum:
http://forum.pfsense.org/index.php/topic,32549.0.html

And here is a direct link to the IPv6 guide for pfSense: http://iserv.nl/files/pfsense/ipv6/

Which upon checking is outdated as well; I will get with him to get that updated. You can download the IPv6 ISO here: http://files.pfsense.org/jimp/ipv6/
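A concrete ruleset for the "apply firewall rules to your tunnel interface" advice above, as an added example that is not from this thread or from pfSense's own generated configuration: raw pf.conf, which is what pfSense builds from its GUI rules. The interface names, the tunnel server address and the LAN prefix are assumptions.

```pf
# Added example (not from this thread or from pfSense's generated rules): a minimal
# stateful pf ruleset for a FreeBSD/pfSense box that terminates a HE 6in4 tunnel.
# Assumed names: WAN interface em0, LAN interface em1, tunnel interface gif0,
# HE tunnel server 192.0.2.1 and routed LAN prefix 2001:db8:1234:abcd::/64
# (documentation addresses, substitute your own).
wan_if  = "em0"
lan_if  = "em1"
tun_if  = "gif0"
he_srv  = "192.0.2.1"
lan_net = "2001:db8:1234:abcd::/64"

# ICMPv6 error types that must be accepted for IPv6 to work at all: "toobig"
# (Packet Too Big) carries Path MTU Discovery, and the tunnel MTU is below 1500,
# so dropping it silently breaks large transfers through the tunnel.
icmp6_err = "{ unreach, toobig, timex, paramprob }"

# --- IPv4 side: the tunnel is IP protocol 41 (6in4) between the HE server and
# our WAN address. This is all the IPv4 rules ever see of the tunnel.
pass in  quick on $wan_if inet proto 41 from $he_srv to ($wan_if) keep state
pass out quick on $wan_if inet proto 41 from ($wan_if) to $he_srv keep state

# --- IPv6 side: default deny on the tunnel interface, both directions, logged.
block in  log on $tun_if inet6 all
block out log on $tun_if inet6 all

# LAN hosts may initiate outbound; the state entry lets the replies back in.
pass out quick on $tun_if inet6 from $lan_net to any keep state

# Required ICMPv6 error messages, plus echo requests (RFC 4890 recommends
# passing them) so the HE port scanner and remote pings reach the hosts.
pass in quick on $tun_if inet6 proto ipv6-icmp all icmp6-type $icmp6_err keep state
pass in quick on $tun_if inet6 proto ipv6-icmp all icmp6-type echoreq keep state

# Publish exactly the services you intend to, one rule per host and port.
# Everything else inbound falls through to the block rule above.
pass in quick on $tun_if inet6 proto tcp from any to 2001:db8:1234:abcd::10 port 22 keep state

# Neighbor Discovery runs on the LAN link, not across the tunnel, so no ND
# rules are needed on gif0; the LAN interface is left unfiltered here.
pass quick on $lan_if inet6 all
```

With this in place, the online port scanners mentioned above should report every port as filtered except the one SSH host, and pfctl -s state will show only the LAN-initiated sessions.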


bartgrefte

Quote from: jrocha on July 22, 2011, 01:58:20 PM
It is always a good idea to have a firewall somewhere along the line. The best way to think about it is... take your IPv4 best practices and apply them to IPv6.

I'd recommend setting up the firewall properly on your router. The tunnel itself will go through your IPv4 firewall, which is the correct behavior. You should be applying firewall rules to your tunnel interface, though, so that traffic is properly firewalled.
Quote from: cconn on July 22, 2011, 02:08:34 PM
Yes, it's a good idea to have a firewall. Not because a HE tunnel somehow magically traverses your pfSense router, but the fact that IPv6 offers end-to-end connectivity, meaning that your devices behind your pfSense are directly reachable from the untrusted and dangerous Internet. Your first line of defense should be a firewall in your pfSense that is IPv6-aware, and your second line of defense should be the OS-integrated firewall.

If you disabled your Windows firewalls and have no stateful means for IPv6 on your pfSense box, you can therefore assume that your Windows machines are exposed to any or whatever flaws they may have from the Internet.

Does the IPv6 version of pfSense (it's in beta, no?) offer some sort of stateful firewalling?
Okay. Then how can I get an IPv6 firewall in a version of pfSense that does not even support IPv6?

The version that supports IPv6, 2.1, is still beta. 2.0 is not even finished yet so it will be a while before 2.1 gets released.

Quote from: johnpoz on July 22, 2011, 07:09:50 PM
Yes, pfSense with IPv6 has a full IPv6 firewall, which is an advantage of having the tunnel endpoint at your router vs. some box inside it.

If he ran through the guide on the pfSense forums, then the firewall is in place. Easy enough to test with the IPv6 port scanner on the HE site or
http://www.subnetonline.com/pages/ipv6-network-tools/online-ipv6-port-scanner.php

As you can see I disabled ssh, and then I enabled it

Edit: I followed the link he posted to the guide; that is QUITE OLD!!! And I would not suggest you use that. IPv6 has been fully integrated into the 2.1 line of pfSense and is very easy to add, or just download the IPv6 ISO that already has it integrated.

Here is a link to the IPv6 thread on the pfSense forum:
http://forum.pfsense.org/index.php/topic,32549.0.html

And here is a direct link to the IPv6 guide for pfSense: http://iserv.nl/files/pfsense/ipv6/

Which upon checking is outdated as well; I will get with him to get that updated. You can download the IPv6 ISO here: http://files.pfsense.org/jimp/ipv6/


pfSense 2.1 is not even close to being finished, 2.0 also hasn't been finished. The version I use right now (1.2.3) is stable.



Isn't there any way to use firewalls on the clients? I'm still looking, but it's hard to find any info about firewall software that supports IPv6.
Wanting to use firewalls on the clients is because I am thinking about ditching pfSense (actually I should say FreeBSD) because of the lack of support for 802.11n and because the FreeBSD Atheros driver is not working too well in G-mode, so figuring out how to use pfSense as an IPv6 firewall won't do any good if I'm gonna ditch it. Haven't been able to find an alternative though. Maybe IPFire.

jrocha

Quote from: bartgrefte on July 23, 2011, 01:35:44 AM
Okay. Then how can I get an IPv6 firewall in a version of pfSense that does not even support IPv6?

The version that supports IPv6, 2.1, is still beta. 2.0 is not even finished yet so it will be a while before 2.1 gets released.

I'd highly recommend upgrading to the 2.0RC3 release. It's quite stable, and should be the last RC before 2.0 stable anyway. There are patches for 2.0 that you can apply for IPv6. Look around on the IPv6 pfSense board: http://forum.pfsense.org/index.php/board,52.0.html

Quill

If you want to use a client side firewall for the Windows platform, for Windows 7, I seriously suggest using the built-in offering, as it has, in my opinion, the best IPv6 support of any of the current free firewalls.  Other than that, the best free firewalls that will work on XP and 7, with reasonable IPv6 support are:

Outpost Security Suite FREE
Comodo Firewall

These are both suites but most of the bits you may not want can be disabled. With Comodo firewall, the IPv6 support is getting there, but ICMPv6 filtering is still a bit broken.

If you want to pay for a firewall, then I'd suggest Look 'n' Stop. There are others, such as ZoneAlarm, but the IPv6 support, last time I looked, was pretty poor.

Failing that, buy a cheap home router and put something like Tomato or DD-WRT on it.

cconn

Quote from: Quill on July 23, 2011, 07:53:05 PM
Failing that, buy a cheap home router and put something like Tomato or DD-WRT on it.

OpenWrt in the trunk or RC5 builds has a stateful IPv6 firewall; I use it and it's quite good. It filters ICMP "correctly" if that is your thing, however it deals properly with PMTU and fragmentation etc. with default settings.

bartgrefte

Quote from: jrocha on July 23, 2011, 11:33:43 AM
Quote from: bartgrefte on July 23, 2011, 01:35:44 AM
Okay. Then how can I get an IPv6 firewall in a version of pfSense that does not even support IPv6?

The version that supports IPv6, 2.1, is still beta. 2.0 is not even finished yet so it will be a while before 2.1 gets released.

I'd highly recommend upgrading to the 2.0RC3 release. It's quite stable, and should be the last RC before 2.0 stable anyway. There are patches for 2.0 that you can apply for IPv6. Look around on the IPv6 pfSense board: http://forum.pfsense.org/index.php/board,52.0.html
Like I already said, why try it if I am gonna ditch pfSense anyway?

Quote from: Quill on July 23, 2011, 07:53:05 PM
If you want to use a client side firewall for the Windows platform, for Windows 7, I seriously suggest using the built-in offering, as it has, in my opinion, the best IPv6 support of any of the current free firewalls.  Other than that, the best free firewalls that will work on XP and 7, with reasonable IPv6 support are:

Outpost Security Suite FREE
Comodo Firewall

These are both suites but most of the bits you may not want can be disabled. With Comodo firewall, the IPv6 support is getting there, but ICMPv6 filtering is still a bit broken.

If you want to pay for a firewall, then I'd suggest Look 'n' Stop. There are others, such as ZoneAlarm, but the IPv6 support, last time I looked, was pretty poor.
Okay, then I'll enable the built-in one on 7; that leaves XP.
Hmm, define reasonable. Don't tell me there are still no client side firewalls that fully support IPv6?

If you don't look at the price of the firewall, even if it is a few 1000 $/€, which one has the best IPv6 support at this time?

Quote from: Quill on July 23, 2011, 07:53:05 PM
Failing that, buy a cheap home router and put something like Tomato or DD-WRT on it.
Why should I buy a cheap home router while I have a mini-ITX system doing that?
(Plus I would probably run into the lack of high enough throughput like I had with the router I had before the mini-ITX system, the Asus 500g Deluxe couldn't go above 25Mb.)

johnpoz

"pfSense 2.1 is not even close to being finished, 2.0 also hasn't been finished. The version I use right now (1.2.3) is stable."

So you were OK with running some commands off some non-pfSense site to enable IPv6, but you're not OK using their RC and supported code line for IPv6 support? :rolleyes:

As to ditching it because of lack of support, have you tried the 2.0 line? It's in RC and should be released fairly soon. Which is why they moved the IPv6 to the 2.1 line, because they are getting closer to release of 2.0.

As to a firewall on your clients, if that is how you want to do it; not what I would do for sure. But yes, the Windows 7 built-in firewall supports IPv6.

bartgrefte

Guess I am :P

It's because of the lack of support for the 802.11n standard in the underlying OS (FreeBSD), not because of IPv6, just in case you were wondering. The makers of pfSense can't do anything about that. Only the makers of FreeBSD drivers can, and even if they managed to get the drivers to support 802.11n, I would have to wait for the updated kernel to be placed in pfSense. Which could take some time too.
And then there's the "stuck beacon" bug. So it would be a lot easier and faster to switch to a Linux based alternative.

Anyway, as for the firewall, I installed ESET's Smart Security v4 yesterday. According to the support division of ESET there is full IPv6 support in it. However that particular feature is nowhere to be found on their website except in one place in the manual. As far as I can see the support is indeed there; it detects the IPv6 connections that the browser makes (but places them under the Smart Security process ???).

UltraZero

Re: firewall

The question would be in the same mind as asking if a firewall is needed for IPv4.

Given not everyone is running IPv6, but, I can assure you there are some folks out there that have access to it and can and will start to cause problems with IPv6 as time progresses.

That being said. Last I remember, D-Link (my favorite company, LOL NOT...) is starting to ship IPv6 products. They are similar to the older products that exist. Example: D-Link DIR-655 Extreme.

This unit is now IPv6 compatible.

http://www.dlink.com/ipv6 is a list of IPv6 compatibility concerns that D-Link covers.

Be advised. I have had some weird history with D-Link products. Usually, I get about 2 to 3 years out of a unit, then it dies and I have to get a new one. Not too bad considering by that time something new comes out and I am kinda forced to get an upgrade. (Works for me.)

Now. I have an older version of the DIR-655. I use it only to connect my wireless machines. I don't use any of the firewall functions of the unit. I am running IPv4/IPv6 over the unit without a problem. My firewall is in front of this unit. Anyway... Currently, there are several options you can use to achieve a firewall for your network.


antillie

The short answer is yes. You do need a firewall for your IPv6 traffic for pretty much the same reasons you need one for IPv4 traffic. As cconn mentioned, one of the cheaper options is to pick up a compatible consumer router and throw DD-WRT on it. DD-WRT will happily do IPv6 firewall tasks all day and has an awful lot of other cool features to play with. Being Linux based it is also highly customizable and quite stable.

pfSense is also quite good if you happen to have an old PC sitting around that you can turn into a router box. I haven't played with IPv6 on it but its IPv4 capabilities are very nice and easy to figure out. Probably easier than DD-WRT.

If this is for business use and/or you have some money to throw around I would recommend a Cisco ASA firewall. Particularly the 5505 as it makes for an awesome home firewall/router/VPN thingy. Just keep in mind that an ASA cannot terminate a 6in4 tunnel to Hurricane Electric so this solution is really for people with a bit more network infrastructure and IOS knowledge than a typical home user.

At the moment IPv6 is mostly limited to early adopters and tinkerers. So you don't see the massive amounts of malicious crap on the IPv6 internet that you see on the IPv4 one. Obviously it won't stay this way much longer as more and more people adopt IPv6.

snarked

A firewall is definitely needed. For some reason, I've picked up 5 sources that think that my server is their personal "ping toy." Needless to say, I now block ALL traffic from such abusers.

Mangix

Quote from: antillie on September 12, 2011, 06:19:55 PM
DD-WRT will happily do IPv6 firewall tasks all day and has an awful lot of other cool features to play with. Being Linux based it is also highly customizable and quite stable.
Unless you have a build that has ip6tables on it, no. And AFAIK none of the builds have ip6tables installed.