
Firewall security questions

Started by b1izzard, December 08, 2009, 12:00:22 AM


b1izzard

Awesome.  Good to know.  That makes perfect sense since all MACs are unique.

jimb

#31
Quote from: b1izzard on December 09, 2009, 05:25:39 PM
Since I can do a port scan using either 2001 address, and they are both showing up, that tells me that they are both publicly accessible making them not private.   What is the point of the Privacy address?  What is its intended usage?
OOPS.  I used a bad choice of words.  I should have said "privacy" instead of "private".  Again, I discussed these briefly in a previous post.  Do you read what I write or just sort of "scan" it?  :P  

As broquea said, they're meant to provide some privacy via address anonymity.  Auto configured IP addresses contain the MAC address of your machine, which can be used to identify your specific host.  Also, it's meant to provide some of the anonymity that being behind a NAT gives in the IPv4 world, where everyone's internet traffic is hidden behind a single public IP.  It's turned on by default in windows, and will generate a new IPv6 in your prefix periodically, and start using it.  The original IPv6 stays around forever AFAIK, and the temporary privacy IPv6s stay around for a certain time period, then expire.  They're all reachable before they expire.  If you want to turn it off, you can issue the command:  netsh int ipv6 set privacy disabled

(this wiki page describes it in more detail)

The "fe80::224:1ff:fef5:a02%10" address is your default gateway, which is the link-local address of your D-Link, which I also referenced in this previous message.  (The %10 is just an interface index [zone index] which the OS pays attention to ... see here).
EDIT:  Oops.  I think you already understood this.

To answer your other question, you should just be able to add a static IP via the GUI if you wish.  I think this will turn autoconfiguration off.  I wouldn't use the autoconfig address.  Just use "2001:470:1f05:6db::10" or something like that.  Easier to type that way anyway.  You should be able to use the link-local of your D-Link as a default gateway, but you'll likely need to include the interface index too (the %10), or specify the interface.  Since it's link-local, it could be on any interface, and the OS has no idea which interface to use to get to it, hence the need for interface indexes.  Alternatively, you could use the global IPv6 you set on the D-Link, which should be "2001:470:1f05:6db::1" if you set it the way I expect you did.
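The point jimb makes above about autoconfigured addresses carrying the MAC is easy to see in code. The following is an added example, not code from this thread or from Hurricane Electric: it builds the modified EUI-64 interface identifier SLAAC derives from a MAC, and conversely checks whether a given IPv6 address still exposes a MAC (the ff:fe marker in the middle of the interface identifier) or looks like a privacy/manually assigned address. The addresses used as sample input are the ones already quoted in this thread; the MAC 00:24:01:f5:0a:02 is what the D-Link's link-local address decodes to.

```python
"""Decode/encode modified EUI-64 interface identifiers (RFC 4291 style).
Added example for this thread; not code from the forum or from HE."""
import ipaddress
from typing import Optional


def eui64_interface_id(mac: str) -> bytes:
    """Build the 64-bit interface identifier SLAAC derives from a 48-bit MAC:
    flip the universal/local bit (0x02) of the first octet and insert ff:fe
    between the OUI and the device part."""
    octets = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(octets) != 6:
        raise ValueError("MAC must be 48 bits")
    first = octets[0] ^ 0x02
    return bytes([first]) + octets[1:3] + b"\xff\xfe" + octets[3:6]


def embedded_mac(addr: str) -> Optional[str]:
    """Return the MAC recoverable from an EUI-64 style address, or None when
    the interface identifier lacks the ff:fe marker (privacy/manual address).
    A Windows-style zone index ("%10") is stripped before parsing."""
    packed = ipaddress.IPv6Address(addr.split("%", 1)[0]).packed
    iid = packed[8:]
    if iid[3:5] != b"\xff\xfe":
        return None
    mac = bytes([iid[0] ^ 0x02]) + iid[1:3] + iid[5:8]
    return ":".join(f"{b:02x}" for b in mac)


def slaac_address(prefix: str, mac: str) -> str:
    """Form the address SLAAC would produce for this MAC inside a /64 prefix."""
    net = ipaddress.IPv6Network(prefix, strict=False)
    if net.prefixlen != 64:
        raise ValueError("SLAAC needs a /64 prefix")
    packed = net.network_address.packed[:8] + eui64_interface_id(mac)
    return str(ipaddress.IPv6Address(packed))


def classify(addr: str) -> str:
    """Human-readable verdict for one address."""
    mac = embedded_mac(addr)
    return f"EUI-64, exposes MAC {mac}" if mac else "privacy or manually assigned"


if __name__ == "__main__":
    # Sample inputs taken from the thread above (constructed test set).
    for a in ("fe80::224:1ff:fef5:a02%10",               # D-Link link-local
              "2001:470:1f05:6db:382a:5450:30d8:3c49",  # Windows privacy address
              "2001:470:1f05:6db::10"):                 # static address
        print(f"{a:45} {classify(a)}")
    print(slaac_address("2001:470:1f05:6db::/64", "00:24:01:f5:0a:02"))
```

Running it shows why the privacy address is still reachable but gives away nothing about the hardware: its interface identifier is random, while the link-local gateway address decodes straight back to the router's MAC. The same check is a quick audit of which hosts on a prefix are still advertising their MAC in their global address.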

b1izzard

Sorry Jimb, I missed the second half of the post on the privacy.  You did address this.  Not enough sleep... 

I did try the fe80 as the gateway, but the Windows GUI wouldn't take it.  When I went back to it, it would be empty.  I tried entering 2001:470:1f05:6db::1, which is the D-Link LAN IPV6 address and it takes it.  Will it screw things up using that instead of the fe80 address of the D-Link?

jimb

Quote from: b1izzard on December 09, 2009, 06:41:03 PM
Sorry Jimb, I missed the second half of the post on the privacy.  You did address this.  Not enough sleep... 

I did try the fe80 as the gateway, but the Windows GUI wouldn't take it.  When I went back to it, it would be empty.  I tried entering 2001:470:1f05:6db::1, which is the D-Link LAN IPV6 address and it takes it.  Will it screw things up using that instead of the fe80 address of the D-Link?
No.  It's fine.  It's debatable whether to use the global IPv6 or the Link-local for the default gateway.  Both work.  RA/autoconfiguration seems to always use the link-local.

One advantage I can see with using a link local address is that provided the MAC address of the router doesn't change, the IPv6 prefix can change, and the default router entry doesn't have to change.  This would be good in situations where the prefix might change on a somewhat regular basis, such as a 6to4 or Teredo situation.  However, since you're already having to change the global IPv6 addresses on every interface when your IPv4 changes, I don't see it as a whole lot of extra work to also update the default gateway.  So it's kind of moot to me.  Plus, if you change your router hardware, the link-local address will change too.  In a non-6to4/Teredo situation, this is more likely to happen than your prefix changing, unless you change ISPs frequently.  :P

b1izzard

I'm not sure if this is a problem with my D-Link firewall on the fritz with IPV6, but I am trying to setup Exchange 2007 (running on SBS 2008 64 bit) and am having trouble with the mail server certification.  Where it says "Schedule a test, and we will email you your new User Code", it just hangs on sending and I never receive an email.  I have disabled the firewall on the server and can see many open ports using your IPv6 scanner to 2001:470:1f05:6db:382a:5450:30d8:3c49, but for some reason it refuses to show port 25 as open.  When I do a telnet to it using IPV4, it sees the server just fine at remote.everettcoffee.com.  I can send and receive email and everything is perfect under IPv4. 

Any ideas what could cause this hang up?  Exchange 2007 is on SP1 from what I can tell (ver 8.1).  I haven't seen anything on Google with IPV6 not working on SBS 2008.  Is there something special you have to do for configuring Exchange 2007 for IPV6? 

I am assuming that you scan port 25, so that shouldn't be the problem.  The only other thing I can think of is to wipe the router and rebuild to see if it is the problem. 

jimb

Quote from: b1izzard on December 10, 2009, 08:10:41 PM
I'm not sure if this is a problem with my D-Link firewall on the fritz with IPV6, but I am trying to setup Exchange 2007 (running on SBS 2008 64 bit) and am having trouble with the mail server certification.  Where it says "Schedule a test, and we will email you your new User Code", it just hangs on sending and I never receive an email.  I have disabled the firewall on the server and can see many open ports using your IPv6 scanner to 2001:470:1f05:6db:382a:5450:30d8:3c49, but for some reason it refuses to show port 25 as open.  When I do a telnet to it using IPV4, it sees the server just fine at remote.everettcoffee.com.  I can send and receive email and everything is perfect under IPv4. 

Any ideas what could cause this hang up?  Exchange 2007 is on SP1 from what I can tell (ver 8.1).  I haven't seen anything on Google with IPV6 not working on SBS 2008.  Is there something special you have to do for configuring Exchange 2007 for IPV6? 

I am assuming that you scan port 25, so that shouldn't be the problem.  The only other thing I can think of is to wipe the router and rebuild to see if it is the problem. 

Appears to be your server.  When I connect to port 25 on your IPv6 mail server it connected and came back with "421 service not available" and closed the connection.

b1izzard

Thanks for checking it jimb.  After looking into this, the problem was with my server as you mentioned.  It turned out to be a missing IPv6 entry for the Server > Hub transport > Network > 'Receive mail from remote servers that have these IP addresses' dialog box.  Anyway, I added the Remote IP addresses 0:0:0:0:0:0:0:0-ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff and I could then Telnet in.  I still wasn't receiving the he.net email, but the logs showed that your email was getting spammed out so I made an exception for it and it came through.  Now onto RDNS.   :D