
Firewall security questions

Started by b1izzard, December 08, 2009, 12:00:22 AM


b1izzard

I see part of my problem.  I was confusing a tunnel with a host.  I was thinking a tunnel needed to be created for each host, but that is not the case.  I am able to scan my computers' ports, so it appears all are reachable from the internet.  The thing that concerns me is

>>Not sure why, but I can't ping or trace your host from outside.  Tunnel appears to be down.

Is it possible it's a problem on my end?  It's strange that I can see them open from the HE port scanner but nowhere else.  Have you run into this before?

jimb

#16
Quote from: b1izzard on December 08, 2009, 09:56:43 PM
I see part of my problem.  I was confusing a tunnel with a host.  I was thinking a tunnel needed to be created for each host, but that is not the case.  I am able to scan my computers' ports, so it appears all are reachable from the internet.  The thing that concerns me is
Yes I noticed that before, and I guess I didn't explain it well enough.  You only need ONE 6in4 tunnel to route IPv6 traffic from hosts for an entire LAN, or even a set of many LANs connected by other routers to the IPv6 internet.  You set the tunnel up on the host/box/node/appliance you chose as your IPv6 router, and all other hosts send IPv6 traffic through this router, which routes the traffic down the tunnel to HE's tunnel server, and receives return traffic to your LAN through the same tunnel.  Each host on your LAN does not have a separate tunnel.

Quote
>>Not sure why, but I can't ping or trace your host from outside.  Tunnel appears to be down.

Is it possible it's a problem on my end?  It's strange that I can see them open from the HE port scanner but nowhere else.  Have you run into this before?
Actually it's working now.  I can't ping your windows box because it's probably dropping pings (firewall).  But an nmap scan reveals port 80 and port 3389 (rdp) open, and I can connect:

{root@gtoojimb/pts/3}~# nmap -6 -P0 -sT -T3 2001:470:1f05:6db:4f6:430e:50ff:4f1d

Starting Nmap 5.00 ( http://nmap.org ) at 2009-12-08 22:12 PST
Interesting ports on 2001:470:1f05:6db:4f6:430e:50ff:4f1d:
Not shown: 998 filtered ports
PORT     STATE SERVICE
80/tcp   open  http
3389/tcp open  ms-term-serv

nc -6 -n -v 2001:470:1f05:6db:4f6:430e:50ff:4f1d 3389
(UNKNOWN) [2001:470:1f05:6db:4f6:430e:50ff:4f1d] 3389 (ms-wbt-server) open

nc -6 -n 2001:470:1f05:6db:4f6:430e:50ff:4f1d 80
lakjdsf
HTTP/1.1 400 Bad Request
Content-Type: text/html; charset=us-ascii
Server: Microsoft-HTTPAPI/2.0
Date: Wed, 09 Dec 2009 06:13:09 GMT
Connection: close
Content-Length: 326

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN""http://www.w3.org/TR/html4/strict.dtd">
<HTML><HEAD><TITLE>Bad Request</TITLE>
<META HTTP-EQUIV="Content-Type" Content="text/html; charset=us-ascii"></HEAD>
<BODY><h2>Bad Request - Invalid Verb</h2>
<hr><p>HTTP Error 400. The request verb is invalid.</p>
</BODY></HTML>


EDIT: OK now it's down again.  Not sure what's going on:

nc -6 -v -n 2001:470:1f05:6db:4f6:430e:50ff:4f1d 3389
(UNKNOWN) [2001:470:1f05:6db:4f6:430e:50ff:4f1d] 3389 (ms-wbt-server) : No route to host


It could be that your tunnel is flapping if you didn't completely get rid of the tunnel interfaces on your windows boxes.  As I said before, if one of those 2008 boxes sends a 6in4 packet out, it will "override" the NAT entry on your edge router, and then all tunnel traffic will be sent to the windows box instead of the 615, until the 615 sends another 6in4 packet, yadda yadda.  If your edge router allows you to configure a static NAT for protocol 41, configure one and point it to the DIR-615.  Then it won't matter.

broquea

#17
Quote from: b1izzard on December 08, 2009, 09:30:52 PM
Perhaps this information is somewhere on your site, but it seems that for newbies, it would be very helpful to add 2 hyperlinks to the tunnel details page and break it into categories for how to set up IPV6 using a router with PCs behind it, and also how to set up IPV6 for directly connecting your computer to the internet without a hardware firewall.   I guarantee it would have saved you guys some serious time having to answer my relentless postings.   :)

If I can pay you back by creating this documentation for you to review and post, I'd be happy to help.

This would actually be the function of the forums, where users can discuss and learn things like basics of IPv6 routing and WAN/LAN connectivity. The purpose of us providing examples for creating the tunnel on a device is simply to show how to do it. We can't know every single user's network topology, so we'll never be able to completely cover everyone's situation. Here on the forums, as you're seeing, the community helps to educate its inhabitants. One of the bigger issues is the amount of NAT on the net these days, which is why I added that note about terminating tunnels on machines behind NAT. But if they don't understand, we'd hope that they would ask. We could bloat the inside of the broker with huge walls of text explaining every single detail, but we felt that here on the forums, or emailing us directly, would be a better way for everyone involved to help educate each other.

We're also working on expanding the online FAQ to cover most of the topics we get submitted as trouble tickets: http://ipv6.he.net/certification/faq.php  That "what is an IPv4 endpoint" question is still the top ticket sent in; I've seen at least 5 this week and it's only Tuesday, and we even display the viewing IPv4 address right next to the input field. If you want to write up a really nice set of documentation, walk-throughs or HOWTOs (and ideally all our users should want to do this) we can even sticky the post in the forums to make sure it doesn't disappear. If there is an informative post we missed and people would like to see it stickied, bring it to our attention, absolutely.

In fact, I'd open up a whole new forum topic area just for user submitted documentation, walk-throughs and HOWTOs if enough people wanted it and were willing to contribute.

jimb

@broquea:  I sometimes wonder if it'd serve better to simply omit the "Client IPv4 address" from the output.

Many routers don't even need this to be explicitly set anyway (it just uses the LAN interface).  And maybe it'll make people actually think about what to use when it does ask for it.  

I was also in the middle of writing a reply about this, mentioning the videos and stuff you guys posted on youtube.  But canceled figuring that I'd let you answer it.  :P

broquea

Quote from: jimb on December 08, 2009, 10:34:49 PM
@broquea:  I sometimes wonder if it'd serve better to simply omit the "Client IPv4 address" from the output.

Well, that is the link to update your IPv4 endpoint inside the broker's UI...so not getting rid of it quite yet! :D

Plus it's needed in some of those example commands to get the tunnel up. Be they behind NAT or not.

jimb

O yeh I forgot about that link.  Static IP here so I don't have to worry about it.  :)

b1izzard

Jimb, the problem with the tunnel going up and down may have been related to me turning on and off the Windows 2008 firewall.  Please try hitting TCP 3389 for host 2001:470:1f05:6db:714c:8d1d:88de:831 and let me know if you have any problems.  I won't mess with it again until I hear back from you.

Both of my Windows XP machines are showing 2 IPV6 addresses and I don't know how to remove one of them.  I tried resetting, and uninstalling IPV6, but they persist.  They are both 2001: global addresses.  How do I use the command line to delete the second one?  I tried netsh int ipv6 delete address "lan" <IPV6 address>, but get the error 'A device attached to the system is not functioning.'

jimb

Quote from: b1izzard on December 09, 2009, 12:41:37 AM
Jimb, the problem with the tunnel going up and down may have been related to me turning on and off the Windows 2008 firewall.  Please try hitting TCP 3389 for host 2001:470:1f05:6db:714c:8d1d:88de:831 and let me know if you have any problems.  I won't mess with it again until I hear back from you.
It connects.  You don't have to turn the FW on/off.  You should be able to enable access to whatever services you desire with windows firewall.  When you turn on remote desktop access, it normally puts a rule in there automatically.

Quote
Both of my Windows XP machines are showing 2 IPV6 addresses and I don't know how to remove one of them.  I tried resetting, and uninstalling IPV6, but they persist.  They are both 2001: global addresses.  How do I use the command line to delete the second one?  I tried netsh int ipv6 delete address "lan" <IPV6 address>, but get the error 'A device attached to the system is not functioning.'
What are the IPv6 addresses?  It could just be Teredo which is automatic.  It won't use Teredo if there's a good unicast address.  Plus it's turned off by default under XP.  It may also be a result of IPv6 privacy, which generates a new IPv6 address at intervals and which is supposed to make internet use more anonymous.  You can turn it off with a netsh command if that's what's going on.

b1izzard

Here is what I have for my Windows XP machine.  Note the 2nd 2001: address.  Is this normal for XP?

Ethernet adapter LAN:

        Connection-specific DNS Suffix  . :
        Description . . . . . . . . . . . : Realtek RTL8169/8110 Family Gigabit Ethernet NIC
        Physical Address. . . . . . . . . : 00-0D-61-11-90-77
        Dhcp Enabled. . . . . . . . . . . : No
        IP Address. . . . . . . . . . . . : 192.168.1.5
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
        IP Address. . . . . . . . . . . . : 2001:470:1f05:6db:1859:ac7e:f09f:e1d0
        IP Address. . . . . . . . . . . . : 2001:470:1f05:6db:20d:61ff:fe11:9077

        IP Address. . . . . . . . . . . . : fe80::20d:61ff:fe11:9077%5
        Default Gateway . . . . . . . . . : 192.168.1.1
                                            fe80::224:1ff:fef5:a02%5
        DNS Servers . . . . . . . . . . . : 192.168.1.1
                                            68.87.69.146
                                            fec0:0:0:ffff::1%1
                                            fec0:0:0:ffff::2%1
                                            fec0:0:0:ffff::3%1

Tunnel adapter Teredo Tunneling Pseudo-Interface:

        Connection-specific DNS Suffix  . :
        Description . . . . . . . . . . . : Teredo Tunneling Pseudo-Interface
        Physical Address. . . . . . . . . : FF-FF-FF-FF-FF-FF-FF-FF
        Dhcp Enabled. . . . . . . . . . . : No
        IP Address. . . . . . . . . . . . : fe80::ffff:ffff:fffd%4
        Default Gateway . . . . . . . . . :
        NetBIOS over Tcpip. . . . . . . . : Disabled

Tunnel adapter Automatic Tunneling Pseudo-Interface:

        Connection-specific DNS Suffix  . :
        Description . . . . . . . . . . . : Automatic Tunneling Pseudo-Interface

        Physical Address. . . . . . . . . : C0-A8-01-05
        Dhcp Enabled. . . . . . . . . . . : No
        IP Address. . . . . . . . . . . . : fe80::5efe:192.168.1.5%2
        Default Gateway . . . . . . . . . :
        DNS Servers . . . . . . . . . . . : fec0:0:0:ffff::1%1
                                            fec0:0:0:ffff::2%1
                                            fec0:0:0:ffff::3%1
        NetBIOS over Tcpip. . . . . . . . : Disabled

b1izzard

Also, I did a traceroute from subnetonline.com and came up with this.  It seems to make it to HE.  Any idea why it won't get through to me?
TraceRoute IPv6 Output:

traceroute to 2001:470:1f05:6db:20d:61ff:fe11:9077 (2001:470:1f05:6db:20d:61ff:fe11:9077), 30 hops max, 40 byte packets
1  2001:1af8:4200:b000::1 (2001:1af8:4200:b000::1)  0.822 ms  0.808 ms  0.868 ms
2  2001:1af8:4100::5 (2001:1af8:4100::5)  0.822 ms  0.904 ms  0.977 ms
be11.crs.evo.leaseweb.net (2001:1af8::9)  1.177 ms  1.164 ms  1.149 ms
ams-ix.he.net (2001:7f8:1::a500:6939:1)  1.134 ms  1.143 ms  1.166 ms
10gigabitethernet1-4.core1.lon1.he.net (2001:470:0:3f::1)  8.590 ms  8.664 ms  8.669 ms
10gigabitethernet2-3.core1.nyc4.he.net (2001:470:0:3e::1)  76.626 ms  76.558 ms  77.859 ms
10gigabitethernet5-3.core1.lax1.he.net (2001:470:0:10e::1)  147.225 ms  147.210 ms  147.403 ms
10gigabitethernet1-3.core1.pao1.he.net (2001:470:0:34::1)  156.874 ms  156.868 ms  157.105 ms
10gigabitethernet1-4.core1.fmt2.he.net (2001:470:0:30::1)  146.590 ms  146.584 ms  146.596 ms
10  1g-bge0.tserv3.fmt2.ipv6.he.net (2001:470:0:45::2)  149.811 ms  152.865 ms  155.933 ms
11  1g-bge0.tserv3.fmt2.ipv6.he.net (2001:470:0:45::2)  149.446 ms !H  149.481 ms !H  149.587 ms !H

jimb

The XP output looks normal.  The extra IPv6 addresses on the interface are the "private" addresses which XP has added over time which I spoke of in a previous post.

Traceroute probably fails because your firewall is dropping the UDP packets, or not generating ICMPv6 time exceeded responses, or something is blocking these responses.  The last response you see is HE's tunnel server.

b1izzard

If you are referring to the fe80: addresses, I can understand that.  But I was referring specifically to the two 2001: addresses.  So those are also considered 'private' and not global?

I have set up an AAAA host record for my test website and have tested it, so it's live.  For my Windows Server 2008 box, should I set a static IPV6 address using netsh or the GUI?  Right now IPV6 is automatically configured from the D-Link.  If I add a static IPV6 and now have two 2001: IPV6 addresses (the stateless and static), will this mess anything up?

If I just use the GUI, what is the Windows Server 2008 configuration supposed to be?  I tried to use the auto-configuration IP of 2001:470:1f05:6db:4f6:430e:50ff:4f1d with 64 subnet, and the D-Link address as the gateway, which is the fe80::224:1ff:fef5:a02.  It didn't seem to take it unfortunately.

broquea

Windows generated Privacy Address:
IP Address. . . . . . . . . . . . : 2001:470:1f05:6db:1859:ac7e:f09f:e1d0

Auto-configured Address (note the FF:FE):
IP Address. . . . . . . . . . . . : 2001:470:1f05:6db:20d:61ff:fe11:9077

b1izzard

Since I can do a port scan using either 2001 address, and they are both showing up, that tells me that they are both publicly accessible, making them not private.   What is the point of the Privacy address?  What is its intended usage?

kcochran

The privacy address is named such as it doesn't include your NIC's MAC address in it.  It'll also change itself periodically.