• Welcome to Hurricane Electric's IPv6 Tunnel Broker Forums.

Firewalling

Started by MichaelRpdx, January 29, 2011, 06:36:05 AM

MichaelRpdx

Security is important.
Testable by having a TCP port, perhaps something in the range of 501 to 550 or > 1024, return icmp6-adm-prohibited.

The test form would include the target address and the port the admin will set to return icmp6-adm-prohibited.
A suggestion to the test taker of using a normally unused port, perhaps something in the range of 501 to 550 or just in the high range of 1025 to 65535, to return icmp6-adm-prohibited.

A bit more comprehensive test would be:

Set up a firewall to filter IPv6 traffic. Test will attempt to telnet to the port.
Responses to include:
   Accept
   icmp6-adm-prohibited
   icmp6-addr-unreachable
   icmp6-port-unreachable
   icmp6-no-route

Host to test against:             ____
Port to allow traffic to           ____ (examples: 22, 25, 53, 80, 443)
Port that will be adm-prohib    ____
Port that will be addr-unreach ____
Port that will be port-unreach ____
Port that will be no-route       ____


When the test is run, a programmatic equivalent of this test to ports 501-504 and 25 will occur:
michael@hive:~$ for p in 1 2 3 4
> do
>     telnet -6 $IPv6_addr 50$p
> done
Trying $IPv6_addr...
telnet: Unable to connect to remote host: No route to host
Trying $IPv6_addr...
telnet: Unable to connect to remote host: No route to host
Trying $IPv6_addr...
telnet: Unable to connect to remote host: Permission denied
Trying $IPv6_addr...
telnet: Unable to connect to remote host: Network is unreachable
michael@hive:~$ telnet -6 $IPv6_addr 25
Trying $IPv6_addr...
Connected to $IPv6_addr.
Escape character is '^]'.
220 post.michaelsnet.us ESMTP Postfix

For better or worse this would be limited to people with control over capable firewalls.
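
Added example, not part of the original post: a sketch of the "programmatic equivalent" of the telnet loop, which attempts an IPv6 TCP connection and maps the resulting errno back to the firewall response that produced it. It assumes a Linux client (the errno mapping is Linux's; the telnet messages in the post match it), and the names `classify`, `probe` and `run_test` are hypothetical.

```python
import errno
import socket

# How a Linux client reports an ICMPv6 Destination Unreachable that arrives
# during connect(). Assumption: Linux client; other stacks may map differently.
ERRNO_TO_RESPONSE = {
    errno.EACCES: "icmp6-adm-prohibited",          # "Permission denied"
    errno.EHOSTUNREACH: "icmp6-addr-unreachable",  # "No route to host"
    errno.ENETUNREACH: "icmp6-no-route",           # "Network is unreachable"
    # A TCP RST yields the same errno, so connect() alone cannot tell a
    # port-unreachable reject from a closed port behind an open firewall.
    errno.ECONNREFUSED: "icmp6-port-unreachable",
}

def classify(err):
    """Map a connect() outcome (None on success, else an errno) to a response name."""
    if err is None:
        return "accept"
    if err == errno.ETIMEDOUT:
        return "no response (timeout)"  # silent drop, not one of the listed rejects
    return ERRNO_TO_RESPONSE.get(err, "other: " + errno.errorcode.get(err, str(err)))

def probe(addr, port, timeout=5.0):
    """Attempt one IPv6 TCP connection and return the classified response."""
    with socket.socket(socket.AF_INET6, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        try:
            s.connect((addr, port))
        except socket.timeout:
            return classify(errno.ETIMEDOUT)
        except OSError as e:
            # ENETUNREACH can also be raised locally if this host has no IPv6 route.
            return classify(e.errno)
        return classify(None)

def run_test(addr, expected, probe_fn=probe):
    """expected maps port -> response name; returns port -> (expected, observed, passed)."""
    results = {}
    for port, want in sorted(expected.items()):
        got = probe_fn(addr, port)
        results[port] = (want, got, got == want)
    return results

if __name__ == "__main__":
    import sys
    for port in (501, 502, 503, 504, 25):  # the ports used in the post
        print(port, probe(sys.argv[1], port))
```

Read against this mapping, the telnet output in the post corresponds to addr-unreachable on 501 and 502, adm-prohibited on 503, no-route on 504, and accept on 25.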